CVE-2026-26127

.NET Denial of Service Vulnerability

Basic Information

CVE State: PUBLISHED
Reserved Date: February 11, 2026
Published Date: March 10, 2026
Last Updated: April 14, 2026
Vendor: Microsoft
Product: .NET 10.0, .NET 9.0, Microsoft.Bcl.Memory
Description: Out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network.

CVSS Scores

CVSS v3.1

7.5 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C

SSVC Information

Exploitation: none
Automatable: Yes
Technical Impact: partial

Exploit Status

Exploited in the Wild: Yes (2026-04-19 13:46:42 UTC) Source

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26127

Known Exploited Vulnerability Information

Source	Added Date
The Shadowserver (via CIRCL)	2026-04-19 13:46:42 UTC

Timeline

CVE ID Reserved

February 11, 2026
CVE Published to Public

March 10, 2026
Added to KEVIntel

April 19, 2026