DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-32175: CVE-2026-32175: Absolute Path Traversal and Arbitrary File Write in .NET Core Archive Extraction

#security #cve #cybersecurity

CVE-2026-32175: Absolute Path Traversal and Arbitrary File Write in .NET Core Archive Extraction

Vulnerability ID: CVE-2026-32175
CVSS Score: 7.5
Published: 2026-05-12

CVE-2026-32175 is a high-severity tampering vulnerability affecting .NET Core versions 8.0, 9.0, and 10.0 on Windows platforms. The vulnerability stems from an Absolute Path Traversal (CWE-36) flaw in the extraction mechanisms handling NuGet packages and application bundles. An unauthenticated remote attacker can exploit this weakness by providing a specially crafted archive file. The extraction logic fails to sanitize archive entry names containing absolute paths, leading to arbitrary file writes on the host system. Successful exploitation allows the attacker to compromise application integrity by overwriting critical system files or planting malicious executables.

TL;DR

A path traversal vulnerability in .NET Core's archive extraction logic allows unauthenticated attackers to write arbitrary files to the filesystem by crafting malicious NuGet packages or application bundles.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-36
  • Attack Vector: Network
  • CVSS Score: 7.5 (High)
  • Impact: High Integrity (Arbitrary File Write)
  • Exploit Status: Proof of Concept
  • KEV Status: Not Listed

Affected Systems

  • Windows x86
  • Windows x64
  • Windows ARM
  • Windows ARM64
  • CI/CD Environments executing vulnerable .NET SDKs
  • .NET 10.0: 10.0.0 to 10.0.7 (Fixed in: 10.0.8)
  • .NET 9.0: 9.0.0 to 9.0.15 (Fixed in: 9.0.16)
  • .NET 8.0: 8.0.0 to 8.0.26 (Fixed in: 8.0.27)
  • Visual Studio 2026 (v18.5): < 18.5.3 (Fixed in: 18.5.3)
  • Visual Studio 2022 (v17.14): < 17.14.31 (Fixed in: 17.14.31)

Code Analysis

Commit: 85dcf7f

Dependency Update implementing stricter path normalization and canonicalization checks.

Mitigation Strategies

  • Update .NET SDK and Runtimes to the latest available servicing releases.
  • Update all instances of Visual Studio to integrate the patched SDK versions.
  • Implement strict package source mapping to restrict dependency resolution to trusted registries.
  • Recompile and redeploy all existing self-contained applications built with affected .NET versions.

Remediation Steps:

  1. Identify all systems running .NET 8.0, 9.0, or 10.0 using inventory management tools.
  2. Execute dotnet --info on hosts to determine the current active runtime versions.
  3. Deploy .NET versions 10.0.8, 9.0.16, or 8.0.27 to the affected systems.
  4. Trigger rebuild pipelines for self-contained applications ensuring the CI/CD runners possess the updated SDK.
  5. Validate the patch deployment by re-running the version verification commands.

References

Read the full report for CVE-2026-32175 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)