CVE-2026-42899 HIGH

CVE-2026-42899: ASP.NET Core Denial of Service Vulnerability

Vendor Microsoft

Product .NET 10.0

Weakness CWE-835

Published May 12, 2026

Last update June 9, 2026

CVSS base score

7.5/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C

What the vulnerability does

01Description

Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an unauthorized attacker to deny service over a network.

Key dates

May 12, 2026 CVE published

June 9, 2026 Record updated

External resources

Related vulnerabilities

CVE CVE-2026-42899

CWE CWE-835

CVSS 7.5 / HIGH

Vendor Microsoft

Product .NET 10.0

Affected ≥ 10.0.0 and < 10.0.8

Vendor Microsoft

Product .NET 8.0

Affected ≥ 8.0.0 and < 8.0.27

Vendor Microsoft

Product .NET 9.0

Affected ≥ 9.0.0 and < 9.0.16