{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-45591","assignerOrgId":"f38d906d-7342-40ea-92c1-6c4a2c6478c8","state":"PUBLISHED","assignerShortName":"microsoft","dateReserved":"2026-05-12T19:55:45.730Z","datePublished":"2026-06-09T17:05:29.575Z","dateUpdated":"2026-07-08T23:23:45.647Z"},"containers":{"cna":{"title":"ASP.NET Core Denial of Service Vulnerability","datePublic":"2026-06-09T14:00:00.000Z","cpeApplicability":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:visual_studio_2026:*:*:*:*:*:*:*:*","versionStartIncluding":"18.6.0","versionEndExcluding":"18.6.3"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*","versionStartIncluding":"10.0.0","versionEndExcluding":"10.0.9"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*","versionStartIncluding":"10.0","versionEndExcluding":"10.0.9"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*","versionStartIncluding":"8.0","versionEndExcluding":"8.0.28"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*","versionStartIncluding":"8.0.0","versionEndExcluding":"8.0.28"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*","versionStartIncluding":"9.0.0","versionEndExcluding":"9.0.17"},{"vulnerable":true,"criteria":"cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*","versionStartIncluding":"9.0","versionEndExcluding":"9.0.17"}]}]}],"affected":[{"vendor":"Microsoft","product":".NET 10.0","versions":[{"version":"10.0.0","lessThan":"10.0.9","versionType":"custom","status":"affected"}]},{"vendor":"Microsoft","product":".NET 8.0","versions":[{"version":"8.0.0","lessThan":"8.0.28","versionType":"custom","status":"affected"}]},{"vendor":"Microsoft","product":".NET 9.0","versions":[{"version":"9.0.0","lessThan":"9.0.17","versionType":"custom","status":"affected"}]},{"vendor":"Microsoft","product":"ASP.NET Core 10.0","versions":[{"version":"10.0","lessThan":"10.0.9","versionType":"custom","status":"affected"}]},{"vendor":"Microsoft","product":"ASP.NET Core 8.0","versions":[{"version":"8.0","lessThan":"8.0.28","versionType":"custom","status":"affected"}]},{"vendor":"Microsoft","product":"ASP.NET Core 9.0","versions":[{"version":"9.0","lessThan":"9.0.17","versionType":"custom","status":"affected"}]},{"vendor":"Microsoft","product":"Microsoft Visual Studio 2026 version 18.6","versions":[{"version":"18.6.0","lessThan":"18.6.3","versionType":"custom","status":"affected"}]}],"descriptions":[{"value":"Uncontrolled resource consumption in ASP.NET Core allows an unauthorized attacker to deny service over a network.","lang":"en-US"}],"problemTypes":[{"descriptions":[{"description":"CWE-400: Uncontrolled Resource Consumption","lang":"en-US","type":"CWE","cweId":"CWE-400"}]}],"providerMetadata":{"orgId":"f38d906d-7342-40ea-92c1-6c4a2c6478c8","shortName":"microsoft","dateUpdated":"2026-07-08T23:23:45.647Z"},"references":[{"name":"ASP.NET Core Denial of Service Vulnerability","tags":["vendor-advisory","patch"],"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45591"}],"metrics":[{"format":"CVSS","scenarios":[{"lang":"en-US","value":"GENERAL"}],"cvssV3_1":{"version":"3.1","baseSeverity":"HIGH","baseScore":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C"}}]},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-06-10T13:47:51.768280Z","id":"CVE-2026-45591","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-06-10T13:47:58.238Z"}},{"affected":[{"cpes":["cpe:/o:redhat:enterprise_linux_eus:10.0"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream EUS (v. 10.0)","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:10.2"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream (v. 10)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux:8::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream (v. 8)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_e4s:9.4::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream E4S (v.9.4)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_eus:9.6::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream EUS (v.9.6)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux:9::appstream"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux AppStream (v. 9)","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux_eus:10.0"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)","vendor":"Red Hat"},{"cpes":["cpe:/o:redhat:enterprise_linux:10.2"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux:8::crb"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux CRB (v. 8)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:rhel_eus:9.6::crb"],"defaultStatus":"affected","product":"Red Hat CodeReady Linux Builder EUS (v.9.6)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:enterprise_linux:9::crb"],"defaultStatus":"affected","product":"Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)","vendor":"Red Hat"},{"cpes":["cpe:/a:redhat:hummingbird:1"],"defaultStatus":"affected","product":"Red Hat Hardened Images","vendor":"Red Hat"}],"datePublic":"2026-06-09T17:05:29.575Z","descriptions":[{"lang":"en","value":"A flaw was found in ASP.NET Core SignalR and Blazor Server. A remote attacker could send a specially crafted MessagePack payload containing deeply nested arrays that trigger excessive recursion and cause a stack overflow. This issue may result in application termination and a denial of service condition"}],"metrics":[{"other":{"content":{"namespace":"https://access.redhat.com/security/updates/classification/","value":"Important"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"NONE","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","version":"3.1"},"format":"CVSS"}],"problemTypes":[{"descriptions":[{"cweId":"CWE-770","description":"Allocation of Resources Without Limits or Throttling","lang":"en","type":"CWE"}]}],"references":[{"tags":["vdb-entry","x_refsource_REDHAT"],"url":"https://access.redhat.com/security/cve/CVE-2026-45591"},{"name":"RHBZ#2487224","tags":["issue-tracking","x_refsource_REDHAT"],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2487224"},{"tags":["x_sadp-csaf-vex"],"url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-45591.json"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:28007"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:28009"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:25115"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:25111"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:25112"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:25114"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:25110"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:25113"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:28227"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:28011"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:28051"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:25222"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:25220"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:25221"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:26638"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:26994"},{"tags":["vendor-advisory","x_refsource_REDHAT"],"url":"https://access.redhat.com/errata/RHSA-2026:17527"}],"solutions":[{"lang":"en","value":"RHSA-2026:28007: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)"},{"lang":"en","value":"RHSA-2026:28009: Red Hat Enterprise Linux AppStream EUS (v. 10.0), Red Hat Enterprise Linux CodeReady Linux Builder EUS (v. 10.0)"},{"lang":"en","value":"RHSA-2026:25115: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"},{"lang":"en","value":"RHSA-2026:25111: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"},{"lang":"en","value":"RHSA-2026:25112: Red Hat Enterprise Linux AppStream (v. 10), Red Hat Enterprise Linux CodeReady Linux Builder (v. 10)"},{"lang":"en","value":"RHSA-2026:25114: Red Hat Enterprise Linux AppStream (v. 8), Red Hat Enterprise Linux CRB (v. 8)"},{"lang":"en","value":"RHSA-2026:25110: Red Hat Enterprise Linux AppStream (v. 8), Red Hat Enterprise Linux CRB (v. 8)"},{"lang":"en","value":"RHSA-2026:25113: Red Hat Enterprise Linux AppStream (v. 8), Red Hat Enterprise Linux CRB (v. 8)"},{"lang":"en","value":"RHSA-2026:28227: Red Hat Enterprise Linux AppStream E4S (v.9.4)"},{"lang":"en","value":"RHSA-2026:28011: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6)"},{"lang":"en","value":"RHSA-2026:28051: Red Hat CodeReady Linux Builder EUS (v.9.6), Red Hat Enterprise Linux AppStream EUS (v.9.6)"},{"lang":"en","value":"RHSA-2026:25222: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"},{"lang":"en","value":"RHSA-2026:25220: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"},{"lang":"en","value":"RHSA-2026:25221: Red Hat Enterprise Linux AppStream (v. 9), Red Hat Enterprise Linux CodeReady Linux Builder (v. 9)"},{"lang":"en","value":"RHSA-2026:26638: Red Hat Hardened Images"},{"lang":"en","value":"RHSA-2026:26994: Red Hat Hardened Images"},{"lang":"en","value":"RHSA-2026:17527: Red Hat Hardened Images"}],"timeline":[{"lang":"en","time":"2026-06-09T18:07:51.180Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-06-09T17:05:29.575Z","value":"Made public."}],"title":"dotnet: ASP.NET Core: Denial of Service via uncontrolled resource consumption","workarounds":[{"lang":"en","value":"Red Hat is not aware of a practical temporary workaround that fully mitigates this issue or meets Red Hat Product Security's standards for usability, deployment, applicability, or stability. Customers are advised to apply the relevant security updates when they become available."}],"x_adpType":"supplier","x_generator":{"engine":"sadp-cli 1.0.0"},"providerMetadata":{"orgId":"0b0ca135-0b70-47e7-9f44-1890c2a1c46c","shortName":"redhat-SADP","dateUpdated":"2026-06-30T12:10:20.250Z"}}]}}