DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-26130: Unauthenticated Denial of Service in ASP.NET Core SignalR via Resource Exhaustion

Vulnerability ID: CVE-2026-26130
CVSS Score: 7.5
Published: 2026-03-11

A high-severity vulnerability in ASP.NET Core SignalR allows unauthenticated remote attackers to cause a denial of service (DoS). Each SignalR message carries a length header, and the affected parser sizes its buffer from that attacker-controlled value before validating it. A client that sends frames declaring very large lengths therefore forces the server to allocate far more memory than it will ever receive, leading to heap exhaustion and a crash of the host process.
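The allocation-before-validation pattern described above, modelled as an added example that is not SignalR's own code: a minimal length-prefixed binary framing (7-bit varint length followed by the payload) is parsed once the vulnerable way and once the hardened way against a simulated heap budget. The frame layout, the 32 KiB message cap, the 64 MiB heap budget and all function names are assumptions made for this illustration.

```python
# Added illustrative model of the CWE-770 pattern. This is NOT ASP.NET Core
# SignalR's parser; it is a minimal length-prefixed binary framing (7-bit
# varint length, then payload) written for this article to show why sizing a
# buffer from the declared length before validating it lets an
# unauthenticated client exhaust the heap.

MAX_MESSAGE_SIZE = 32 * 1024   # assumed per-message cap used by the hardened parser


class HeapBudget:
    """Stand-in for the process heap: counts bytes a parser reserves and
    raises MemoryError when the configured limit would be exceeded."""

    def __init__(self, limit: int):
        self.limit = limit
        self.used = 0

    def reserve(self, n: int) -> None:
        if self.used + n > self.limit:
            raise MemoryError(f"{self.used + n} bytes requested, limit {self.limit}")
        self.used += n


def encode_varint(n: int) -> bytes:
    """Little-endian base-128 varint, the usual shape of a binary length prefix."""
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def read_varint(buf: bytes, pos: int):
    """Decode a varint starting at pos; returns (value, position after it)."""
    value, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated length prefix")
        byte = buf[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
        if shift >= 35:            # more than 5 bytes cannot encode a 32-bit length
            raise ValueError("length prefix too long")


def parse_vulnerable(buf: bytes, heap: HeapBudget):
    """Vulnerable pattern: reserve the declared size, then look at the data."""
    length, pos = read_varint(buf, 0)
    heap.reserve(length)                      # attacker-controlled and unchecked
    payload = buf[pos:pos + length]
    if len(payload) < length:
        return None                           # "wait for more data", memory already committed
    return bytes(payload)


def parse_hardened(buf: bytes, heap: HeapBudget):
    """Fixed pattern: bound the declared length and confirm the bytes are
    actually present before reserving anything."""
    length, pos = read_varint(buf, 0)
    if length > MAX_MESSAGE_SIZE:
        raise ValueError(f"declared length {length} exceeds {MAX_MESSAGE_SIZE}")
    if len(buf) - pos < length:
        return None                           # incomplete frame, nothing reserved
    heap.reserve(length)
    return bytes(buf[pos:pos + length])


def run_frame(parser, frame: bytes, heap_limit: int = 64 * 1024 * 1024):
    """Feed one frame to a parser; returns (outcome, bytes reserved)."""
    heap = HeapBudget(heap_limit)
    try:
        result = parser(frame, heap)
        outcome = "ok" if result is not None else "incomplete"
    except MemoryError:
        outcome = "heap exhausted"
    except ValueError as exc:
        outcome = f"rejected: {exc}"
    return outcome, heap.used


# Constructed inputs: a 5-byte varint claiming a (2 GiB - 1) payload followed
# by only two real bytes, versus a legitimate 5-byte message.
CRAFTED_FRAME = encode_varint(2**31 - 1) + b"\x01\x02"
LEGIT_FRAME = encode_varint(5) + b"hello"

if __name__ == "__main__":
    for name, frame in (("crafted", CRAFTED_FRAME), ("legit", LEGIT_FRAME)):
        print(name, "vulnerable:", run_frame(parse_vulnerable, frame))
        print(name, "hardened:  ", run_frame(parse_hardened, frame))
```

The crafted frame costs the attacker seven bytes on the wire; the vulnerable parser commits the full declared size before noticing that almost none of it has arrived, and a partial legitimate frame leaves that reservation pinned while the server waits for the rest. The hardened parser rejects oversized declarations outright and reserves nothing for a frame whose bytes are not yet in the buffer.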

TL;DR

Unauthenticated remote DoS in ASP.NET Core SignalR via uncontrolled memory allocation (CWE-770) during message parsing. Update to the patched release for the major version in use: 8.0.25, 9.0.14 or 10.0.4.


⚠️ Exploit Status: POC

Technical Details

  • CVE ID: CVE-2026-26130
  • CVSSv3.1: 7.5 (High)
  • CWE: CWE-770
  • Attack Vector: Network (Unauthenticated)
  • Impact: Denial of Service (Process Crash)
  • Exploit Status: Proof of Concept Only
  • EPSS Score: 0.01273 (1.27%)

Affected Systems

  • ASP.NET Core SignalR
  • ASP.NET Core HttpSys Server
  • ASP.NET Core: < 8.0.25 (Fixed in: 8.0.25)
  • ASP.NET Core: >= 9.0.0, < 9.0.14 (Fixed in: 9.0.14)
  • ASP.NET Core: >= 10.0.0, < 10.0.4 (Fixed in: 10.0.4)

Code Analysis

Commit: 77501eb

Serialization fix: Added orchestration logic to limit parallel builds and restore operations.

Commit: 4ed9263

HttpSys fix: Replaced Handle.Dispose() with Handle.SetHandleAsInvalid() to prevent handle race conditions.

Commit: 3310aad

Logging crash fix: Resolved Event ID mismatch and bad merge in certificate management logging.

Mitigation Strategies

  • Update the .NET runtime, and the SDK used to build any self-contained deployments, to a patched version; this is the only complete fix.
  • Deploy WAF rules that inspect SignalR frames for anomalous length headers. Most WAFs stop inspecting per-frame payloads once a connection has been upgraded to WebSockets, so treat this as defense in depth rather than a substitute for patching.
  • Enforce memory limits on application containers. This does not stop the SignalR process from being crashed, but it keeps one exhausted process from starving the node and the other workloads on it.

Remediation Steps:

  1. Identify all hosts running ASP.NET Core 8.0, 9.0 or 10.0 that use SignalR (or the HttpSys server, which the affected-systems list also names). Include self-contained and single-file deployments, which bundle their own copy of the runtime and are not fixed by a shared-runtime update.
  2. Install the March 2026 Patch Tuesday updates (8.0.25, 9.0.14, 10.0.4), and rebuild and redeploy any self-contained applications with the patched SDK.
  3. Restart the application server processes (e.g., Kestrel hosts, IIS application pools) so they load the updated libraries.
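One way to carry out the inventory step across a fleet, as an added helper that is not part of the original report: parse the output of `dotnet --list-runtimes` and flag any Microsoft.AspNetCore.App shared runtime older than the fixed version for its major. The sample listing is constructed, and the function names are this example's own.

```python
# Added audit helper for the remediation steps above; it is not from the
# original report. It parses `dotnet --list-runtimes` output, whose lines look
# like "Microsoft.AspNetCore.App 8.0.11 [/usr/share/dotnet/shared/...]", and
# flags shared ASP.NET Core runtimes below the advisory's fixed versions.
import re
import shutil
import subprocess

# Fixed versions per affected major, taken from the advisory.
FIXED_VERSIONS = {8: (8, 0, 25), 9: (9, 0, 14), 10: (10, 0, 4)}

RUNTIME_LINE = re.compile(
    r"^(?P<name>\S+) (?P<ver>\d+\.\d+\.\d+)(?:-[\w.]+)? \[(?P<path>[^\]]+)\]$"
)


def parse_version(text: str) -> tuple:
    """'8.0.11' -> (8, 0, 11); tuples compare component-wise."""
    return tuple(int(part) for part in text.split("."))


def vulnerable_runtimes(listing: str) -> list:
    """Return (installed, fixed, path) for each Microsoft.AspNetCore.App
    runtime that is older than the fix for its major version."""
    findings = []
    for raw in listing.splitlines():
        match = RUNTIME_LINE.match(raw.strip())
        if not match or match.group("name") != "Microsoft.AspNetCore.App":
            continue
        installed = parse_version(match.group("ver"))
        fixed = FIXED_VERSIONS.get(installed[0])
        if fixed is None:
            continue                # major not listed in the advisory
        if installed < fixed:
            findings.append((match.group("ver"), "%d.%d.%d" % fixed, match.group("path")))
    return findings


# Constructed sample listing, not output captured from a real host.
SAMPLE_LISTING = """\
Microsoft.AspNetCore.App 8.0.11 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.25 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 9.0.3 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 10.0.4 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 8.0.11 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""


def audit_local_host() -> list:
    """Run the real command when the dotnet CLI is on PATH, else return []."""
    if shutil.which("dotnet") is None:
        return []
    out = subprocess.run(["dotnet", "--list-runtimes"],
                         capture_output=True, text=True, check=False)
    return vulnerable_runtimes(out.stdout)


if __name__ == "__main__":
    for installed, fixed, path in vulnerable_runtimes(SAMPLE_LISTING) + audit_local_host():
        print(f"VULNERABLE {installed} (fix: {fixed}) at {path}")
```

Two installs can coexist on one host, as the sample shows for 8.0.11 beside 8.0.25: an application rolls forward only within its major, so the old 8.0.11 copy is still reachable until it is removed or every app targeting it is confirmed to load the newer patch. The check also says nothing about self-contained or single-file deployments, which ship their own runtime and never appear in this listing; those need the version of the SDK they were built with checked instead.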
