DEV Community

CVE Reports

Originally published at cvereports.com

CVE-2026-26171: Denial of Service in .NET System.Security.Cryptography.Xml

Vulnerability ID: CVE-2026-26171
CVSS Score: 7.5
Published: 2026-04-14

Uncontrolled resource consumption and improper restriction of XML External Entity (XXE) references within the .NET System.Security.Cryptography.Xml.EncryptedXml class allow an unauthenticated remote attacker to cause a Denial of Service (DoS) via maliciously crafted encrypted XML payloads.

TL;DR

A vulnerability in .NET's EncryptedXml class allows remote attackers to trigger severe resource exhaustion and Denial of Service by submitting crafted XML payloads that contain uncontrolled recursive elements or external references whose retrieval blocks on the network.


Technical Details

  • CWE ID: CWE-400, CWE-611
  • Attack Vector: Network
  • CVSS Score: 7.5 (High)
  • EPSS Score: 0.00589 (69.20th percentile)
  • Impact: Denial of Service (Availability)
  • Exploit Status: None observed in the wild
  • CISA KEV: No

Affected Systems

  • .NET 8.0: 8.0.0 <= version < 8.0.26 (Fixed in: 8.0.26)
  • .NET 9.0: 9.0.0 <= version < 9.0.15 (Fixed in: 9.0.15)
  • .NET 10.0: 10.0.0 <= version < 10.0.6 (Fixed in: 10.0.6)

Code Analysis

  • Commit b234b9a: Fixes for System.Security.Cryptography.Xml components
  • Commit 618aa18: Build Infrastructure Update

Mitigation Strategies

  • Apply official .NET framework updates
  • Manually harden XmlReaderSettings in custom XML parsing logic
  • Implement application-level request timeouts and rate limiting
  • Use AppContext switches carefully if backward compatibility is required
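
The second mitigation, hardening XmlReaderSettings, is the one an application can apply without waiting for a runtime update. The C# below is an added example written for this page; it is not code from the advisory, from cvereports.com, or from .NET. It bounds input size and element nesting before handing the document to EncryptedXml, and disables DTD processing and URI resolution so that neither the reader nor EncryptedXml dereferences external references. The byte and depth limits, the class and method names, and the choice to set EncryptedXml.Resolver explicitly to null rather than rely on its default are all assumptions to adjust for your deployment.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example (not code from the advisory or from .NET): load untrusted
// encrypted XML through a hardened XmlReader before EncryptedXml sees it.
public static class HardenedEncryptedXmlLoader
{
    // Assumed limits; size them to the largest legitimate payload you accept.
    private const int MaxBytes = 1024 * 1024;   // 1 MiB of input
    private const int MaxDepth = 64;            // deepest element nesting allowed

    private static XmlReaderSettings Hardened() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit,  // CWE-611: no DTD, so no entity definitions
        XmlResolver = null,                      // never dereference external URIs
        MaxCharactersInDocument = MaxBytes,      // CWE-400: cap parsed text (0 would mean unlimited)
        IgnoreProcessingInstructions = true,
        CloseInput = false,
    };

    public static XmlDocument LoadUntrusted(Stream input)
    {
        // Pass 0: copy at most MaxBytes into memory so the later passes can rewind.
        var buf = new MemoryStream();
        var chunk = new byte[8192];
        int n;
        while ((n = input.Read(chunk, 0, chunk.Length)) > 0)
        {
            if (buf.Length + n > MaxBytes)
                throw new InvalidDataException($"payload exceeds {MaxBytes} bytes");
            buf.Write(chunk, 0, n);
        }

        // Pass 1: streaming nesting check; XmlReaderSettings has no depth limit of its own.
        buf.Position = 0;
        using (var probe = XmlReader.Create(buf, Hardened()))
        {
            while (probe.Read())
                if (probe.Depth > MaxDepth)
                    throw new InvalidDataException($"element nesting exceeds {MaxDepth}");
        }

        // Pass 2: build the DOM that EncryptedXml operates on. PreserveWhitespace
        // matters for signed/encrypted XML; XmlResolver = null covers the DOM as well.
        buf.Position = 0;
        var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
        using (var reader = XmlReader.Create(buf, Hardened()))
            doc.Load(reader);
        return doc;
    }

    // Decrypt the first EncryptedData element in place with a caller-supplied key.
    // Resolver is set explicitly (assumption: safer than relying on the default)
    // so CipherReference / KeyInfo URIs are not dereferenced during decryption.
    public static void DecryptFirstInPlace(XmlDocument doc, SymmetricAlgorithm key)
    {
        var exml = new EncryptedXml(doc) { Resolver = null };
        var node = doc.GetElementsByTagName("EncryptedData", EncryptedXml.XmlEncNamespaceUrl)[0] as XmlElement
                   ?? throw new CryptographicException("no EncryptedData element present");
        var data = new EncryptedData();
        data.LoadXml(node);
        byte[] plaintext = exml.DecryptData(data, key);
        exml.ReplaceData(node, plaintext);
    }
}
```

The three passes are deliberate: the byte cap bounds memory before any parsing, the streaming pass rejects pathological nesting without building a tree, and only then is the DOM constructed. Wrap the calls in a request timeout as the advisory recommends, and log the InvalidDataException and CryptographicException cases so that rejected payloads show up in monitoring.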

Remediation Steps:

  1. Identify all hosts running vulnerable versions of .NET 8.0, 9.0, or 10.0.
  2. Deploy the April 2026 security updates to upgrade to versions 8.0.26, 9.0.15, or 10.0.6 respectively.
  3. Restart application pools and services to ensure the new runtime binaries are loaded.
  4. Monitor application logs for CryptographicException related to recursion limits.
  5. If necessary for legacy compatibility, configure the AppContext switches to adjust recursion depth or allow transforms.
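
For steps 1 and 2, the following C# utility is an added example (not from the advisory or from .NET) that parses the output of `dotnet --list-runtimes` and flags any installed Microsoft.NETCore.App or Microsoft.AspNetCore.App runtime below the fixed versions stated above. The sample lines under `--demo` are constructed so the parser can be exercised offline; the class and method names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Linq;

// Added example (not from the advisory or from .NET): flag installed .NET
// runtimes that fall inside the affected ranges for CVE-2026-26171.
public static class RuntimeAudit
{
    // Fixed versions taken from the advisory, keyed by major version.
    private static readonly Dictionary<int, Version> FixedIn = new()
    {
        [8]  = new Version(8, 0, 26),
        [9]  = new Version(9, 0, 15),
        [10] = new Version(10, 0, 6),
    };

    // Parses lines in the form produced by `dotnet --list-runtimes`, e.g.
    //   Microsoft.NETCore.App 8.0.11 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
    public static List<(string Name, Version Installed, Version Fix)> FindVulnerable(IEnumerable<string> lines)
    {
        var findings = new List<(string, Version, Version)>();
        foreach (var line in lines)
        {
            var parts = line.Split(' ', StringSplitOptions.RemoveEmptyEntries);
            // Strip any prerelease suffix (10.0.0-rc.1) so Version.TryParse accepts it.
            if (parts.Length < 2 || !Version.TryParse(parts[1].Split('-')[0], out var installed))
                continue;
            if (FixedIn.TryGetValue(installed.Major, out var fix) && installed < fix)
                findings.Add((parts[0], installed, fix));
        }
        return findings;
    }

    // Runs the real command on this host; requires the dotnet CLI on PATH.
    public static IEnumerable<string> ListRuntimes()
    {
        var psi = new ProcessStartInfo("dotnet", "--list-runtimes")
        {
            RedirectStandardOutput = true,
            UseShellExecute = false,
        };
        using var p = Process.Start(psi) ?? throw new InvalidOperationException("dotnet not found");
        string output = p.StandardOutput.ReadToEnd();
        p.WaitForExit();
        return output.Split(new[] { '\r', '\n' }, StringSplitOptions.RemoveEmptyEntries);
    }

    public static int Main(string[] args)
    {
        // Constructed sample output used with --demo; otherwise query the host.
        IEnumerable<string> lines = args.Contains("--demo")
            ? new[]
            {
                "Microsoft.NETCore.App 8.0.11 [/usr/share/dotnet/shared/Microsoft.NETCore.App]",
                "Microsoft.NETCore.App 9.0.15 [/usr/share/dotnet/shared/Microsoft.NETCore.App]",
                "Microsoft.AspNetCore.App 10.0.2 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]",
            }
            : ListRuntimes();

        var findings = FindVulnerable(lines);
        foreach (var (name, installed, fix) in findings)
            Console.WriteLine($"VULNERABLE {name} {installed} -> update to {fix}");
        if (findings.Count == 0)
            Console.WriteLine("no affected runtimes found");
        return findings.Count == 0 ? 0 : 1;   // non-zero exit for fleet tooling
    }
}
```

With `--demo` the sample reports the 8.0.11 and 10.0.2 runtimes and passes 9.0.15. The non-zero exit code lets configuration-management or fleet scripts collect the host list for step 1. A runtime check alone does not cover applications that reference System.Security.Cryptography.Xml as a NuGet package rather than through the shared runtime, so audit project references for that package version as well.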

Read the full report for CVE-2026-26171 on our website for more details including interactive diagrams and full exploit analysis.