{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26130", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2026-02-11T15:52:13.912Z", "datePublished": "2026-03-10T17:05:22.367Z", "dateUpdated": "2026-04-14T16:36:42.136Z"}, "containers": {"cna": {"title": "ASP.NET Core Denial of Service Vulnerability", "datePublic": "2026-03-10T14:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*", "versionStartIncluding": "8.0", "versionEndExcluding": "8.0.25"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*", "versionStartIncluding": "9.0", "versionEndExcluding": "9.0.14"}, {"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*", "versionStartIncluding": "10.0", "versionEndExcluding": "10.0.4"}]}]}], "affected": [{"vendor": "Microsoft", "product": "ASP.NET Core 10.0", "versions": [{"version": "10.0", "lessThan": "10.0.4", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "ASP.NET Core 8.0", "versions": [{"version": "8.0", "lessThan": "8.0.25", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "ASP.NET Core 9.0", "versions": [{"version": "9.0", "lessThan": "9.0.14", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-770: Allocation of Resources Without Limits or Throttling", "lang": "en-US", "type": "CWE", "cweId": "CWE-770"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-14T16:36:42.136Z"}, "references": [{"name": "ASP.NET Core Denial of Service Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26130"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T19:49:23.302596Z", "id": "CVE-2026-26130", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T19:49:36.457Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26130", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-10T19:49:23.302596Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T19:49:33.089Z"}}], "cna": {"title": "ASP.NET Core Denial of Service Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 7.5, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "ASP.NET Core 10.0", "versions": [{"status": "affected", "version": "10.0", "lessThan": "10.0.4", "versionType": "custom"}]}, {"vendor": "Microsoft", "product": "ASP.NET Core 8.0", "versions": [{"status": "affected", "version": "8.0", "lessThan": "8.0.25", "versionType": "custom"}]}, {"vendor": "Microsoft", "product": "ASP.NET Core 9.0", "versions": [{"status": "affected", "version": "9.0", "lessThan": "9.0.14", "versionType": "custom"}]}], "datePublic": "2026-03-10T14:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26130", "name": "ASP.NET Core Denial of Service Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "8.0.25", "versionStartIncluding": "8.0"}, {"criteria": "cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "9.0.14", "versionStartIncluding": "9.0"}, {"criteria": "cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "10.0.4", "versionStartIncluding": "10.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-14T16:36:42.136Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26130", "state": "PUBLISHED", "dateUpdated": "2026-04-14T16:36:42.136Z", "dateReserved": "2026-02-11T15:52:13.912Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-03-10T17:05:22.367Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*", "matchCriteriaId": "C73D9E7E-34AD-4F27-9E3F-FB7266954EA5", "versionEndExcluding": "8.0.25", "versionStartIncluding": "8.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*", "matchCriteriaId": "8E74546B-ADCA-435B-B663-16D77D2BB2CA", "versionEndExcluding": "9.0.14", "versionStartIncluding": "9.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*", "matchCriteriaId": "17646153-A698-4C2B-9A24-BD82095E5405", "versionEndExcluding": "10.0.4", "versionStartIncluding": "10.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network."}, {"lang": "es", "value": "Asignaci\u00f3n de recursos sin l\u00edmites ni limitaci\u00f3n en ASP.NET Core permite a un atacante no autorizado denegar el servicio a trav\u00e9s de una red."}], "id": "CVE-2026-26130", "lastModified": "2026-04-02T13:58:49.900", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "secure@microsoft.com", "type": "Primary"}]}, "published": "2026-03-10T18:18:42.223", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26130"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2026:4450", "cpe": "cpe:/o:redhat:enterprise_linux:10.1", "package": "dotnet9.0-0:9.0.115-1.el10_1", "product_name": "Red Hat Enterprise Linux 10", "release_date": "2026-03-12T00:00:00Z"}, {"advisory": "RHSA-2026:4451", "cpe": "cpe:/o:redhat:enterprise_linux:10.1", "package": "dotnet8.0-0:8.0.125-1.el10_1", "product_name": "Red Hat Enterprise Linux 10", "release_date": "2026-03-12T00:00:00Z"}, {"advisory": "RHSA-2026:4453", "cpe": "cpe:/o:redhat:enterprise_linux:10.1", "package": "dotnet10.0-0:10.0.104-1.el10_1", "product_name": "Red Hat Enterprise Linux 10", "release_date": "2026-03-12T00:00:00Z"}, {"advisory": "RHSA-2026:4443", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "dotnet9.0-0:9.0.115-1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2026-03-12T00:00:00Z"}, {"advisory": "RHSA-2026:4455", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "dotnet8.0-0:8.0.125-1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2026-03-12T00:00:00Z"}, {"advisory": "RHSA-2026:4458", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "dotnet10.0-0:10.0.104-1.el8_10", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2026-03-12T00:00:00Z"}, {"advisory": "RHSA-2026:4445", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "dotnet10.0-0:10.0.104-1.el9_7", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2026-03-12T00:00:00Z"}, {"advisory": "RHSA-2026:4454", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "dotnet8.0-0:8.0.125-1.el9_7", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2026-03-12T00:00:00Z"}, {"advisory": "RHSA-2026:4456", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "dotnet9.0-0:9.0.115-1.el9_7", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2026-03-12T00:00:00Z"}], "bugzilla": {"description": "asp.net: ASP.NET Core: Denial of Service via uncontrolled resource allocation", "id": "2446134", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446134"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status": "verified"}, "cwe": "CWE-770", "details": ["A flaw was found in ASP.NET Core. This vulnerability allows an unauthorized attacker to perform a Denial of Service (DoS) attack over a network by allocating resources without limits or throttling. This can lead to the unavailability of the service for legitimate users."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, configure resource limits and throttling for ASP.NET Core applications. This can be achieved by implementing request limits within the application configuration or by utilizing resource quotas provided by container orchestration platforms like OpenShift/Kubernetes. Additionally, web servers acting as reverse proxies can be configured to rate limit incoming requests.\nExample for OpenShift/Kubernetes ResourceQuotas:\n```yaml\napiVersion: v1\nkind: ResourceQuota\nmetadata:\nname: aspnet-core-quotas\nspec:\nhard:\nrequests.cpu: \"1\"\nrequests.memory: \"1Gi\"\nlimits.cpu: \"2\"\nlimits.memory: \"2Gi\"\n```\nConsult ASP.NET Core documentation for application-level request throttling configurations. Ensure that any changes to resource limits or throttling are thoroughly tested to avoid unintended service disruptions. A service restart or reload may be required for changes to take effect."}, "name": "CVE-2026-26130", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "dotnet6.0", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "dotnet7.0", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-10T17:05:22Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-26130\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-26130\nhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26130"], "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[10.0,10.0.4)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "ASP.NET Core 10.0", "source": "cna", "vendor": "Microsoft"}, "product": "asp.net_core", "vendor": "microsoft"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[8.0,8.0.25)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "ASP.NET Core 8.0", "source": "cna", "vendor": "Microsoft"}, "product": "asp.net_core", "vendor": "microsoft"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[9.0,9.0.14)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "ASP.NET Core 9.0", "source": "cna", "vendor": "Microsoft"}, "product": "asp.net_core", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-04-21T23:36:27.061512+00:00", "value": {"mitigation_remediation": ["Install the latest security update for Microsoft ASP.NET Core 8.0, 9.0, and 10.0 from Microsoft\u2019s update guide.", "If a patch is not yet available, configure application or server\u2011level resource limits or enable throttling to reduce the impact of potential DoS attacks.", "As a temporary countermeasure, filter or block traffic to the vulnerable endpoints using a firewall or Web Application Firewall and monitor application performance for signs of resource exhaustion."], "summary": {"action": "Apply Patch", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Affected products are Microsoft ASP.NET Core 8.0, 9.0, and 10.0. The flaw applies to all these framework versions and, by extension, any web applications built on them that do not implement their own resource limits.", "description_and_impact": "The vulnerability in ASP.NET Core is caused by the allocation of resources without limits or throttling, which allows an unauthorized attacker to deny service over a network. This creates a high\u2011impact denial of service scenario stemming from a resource exhaustion weakness identified as CWE\u2011770.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high severity, while the EPSS score of 3% suggests a relatively low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Exploitation would occur remotely via the network, where an attacker sends crafted requests to the application, causing sustained resource consumption that leads to service unavailability. No specific authentication or privileged access is required, and the attack vector requires only network connectivity to the vulnerable endpoints."}}}}, "created": "2026-03-11T11:45:09.600777+00:00", "updated": "2026-04-21T23:45:02.962735+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$asp.net_core"]}