DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-32203: Stack-based Buffer Overflow in .NET Cryptography XML Processing

Vulnerability ID: CVE-2026-32203
CVSS Score: 7.5
Published: 2026-04-14

Microsoft .NET, and the .NET components bundled with Visual Studio, contain a vulnerability in the System.Security.Cryptography.Xml library (the XML digital signature and XML encryption implementation behind the SignedXml and EncryptedXml classes). The library recurses without a depth bound when it processes deeply nested XML-based cryptographic structures, so a document with enough nesting exhausts the thread's stack. Managed code cannot catch StackOverflowException, so the outcome is termination of the whole process rather than a handled error. An unauthenticated attacker who can deliver such a document to an endpoint that verifies or decrypts it can therefore cause a Denial of Service. Although catalogued as CWE-121 (stack-based buffer overflow), the fault is stack exhaustion through recursion rather than an out-of-bounds write, which is consistent with the availability-only impact behind the CVSS 7.5 score.

TL;DR

Unbounded recursion in .NET's XML cryptography processing allows remote attackers to trigger a stack overflow and subsequent Denial of Service by supplying deeply nested XML elements.


Technical Details

  • CWE ID: CWE-121 / CWE-20
  • Attack Vector: Network
  • CVSS 3.1 Base: 7.5
  • EPSS Score: 0.13%
  • Impact: Denial of Service (DoS)
  • Exploit Status: None / Unproven
  • CISA KEV: Not Listed
  • Patch Status: Available

Affected Systems

  • Microsoft .NET 10.0: <= 10.0.5 (Fixed in: 10.0.6)
  • Microsoft .NET 9.0: <= 9.0.14 (Fixed in: 9.0.15)
  • Microsoft .NET 8.0: <= 8.0.25 (Fixed in: 8.0.26)
  • Microsoft Visual Studio 2022 v17.12: <= 17.12.18 (Fixed in: 17.12.19)
  • Microsoft Visual Studio 2022 v17.14: <= 17.14.29 (Fixed in: 17.14.30)

Code Analysis

Commit: b234b9a

Introduces thread-local depth tracking for XML cryptography parsing to prevent stack overflow conditions.
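The page does not show the commit itself, so the following is an added illustration of the pattern its one-line summary names, written for this page rather than taken from the .NET repository. An XML walker with unbounded recursion is shown next to the same walker guarded by a thread-local depth counter. The depth limit of 64, the walker logic and all class names are assumptions for the illustration, not the real fix.

```csharp
using System;
using System.Security.Cryptography;
using System.Xml;

// Before: a walker with unbounded recursion. Each nested element costs a stack
// frame, so a document nested tens of thousands of levels deep exhausts the
// thread's stack. Managed code cannot catch StackOverflowException, so the
// whole process dies. Never call this on untrusted input.
static class UnboundedWalker
{
    public static int CountElements(XmlNode node)
    {
        int count = node.NodeType == XmlNodeType.Element ? 1 : 0;
        foreach (XmlNode child in node.ChildNodes)
            count += CountElements(child);   // no depth check
        return count;
    }
}

// After: the same walk bounded by a thread-local depth counter. [ThreadStatic]
// keeps concurrent verifications on different threads from sharing one counter
// (a shared counter would make the limit fire spuriously or not at all); the
// finally block keeps the counter correct when an exception unwinds the recursion.
static class BoundedWalker
{
    // Assumed limit for this illustration, not the value the real fix uses.
    public const int MaxDepth = 64;

    [ThreadStatic] private static int t_depth;

    public static int CountElements(XmlNode node)
    {
        if (t_depth >= MaxDepth)
            throw new CryptographicException(
                $"XML nesting depth exceeds the maximum of {MaxDepth}");
        t_depth++;
        try
        {
            int count = node.NodeType == XmlNodeType.Element ? 1 : 0;
            foreach (XmlNode child in node.ChildNodes)
                count += CountElements(child);
            return count;
        }
        finally
        {
            t_depth--;
        }
    }
}

static class Demo
{
    // Builds <a><a>...</a></a> of the given depth through the DOM API with a
    // loop, not recursion, so constructing the hostile input is itself safe.
    static XmlDocument DeepDocument(int depth)
    {
        var doc = new XmlDocument();
        XmlNode current = doc.AppendChild(doc.CreateElement("a"))!;
        for (int i = 1; i < depth; i++)
            current = current.AppendChild(doc.CreateElement("a"))!;
        return doc;
    }

    static void Main()
    {
        Console.WriteLine($"depth 10: {BoundedWalker.CountElements(DeepDocument(10).DocumentElement!)} elements");

        var hostile = DeepDocument(20_000);   // constructed hostile input
        try
        {
            BoundedWalker.CountElements(hostile.DocumentElement!);
        }
        catch (CryptographicException e)
        {
            Console.WriteLine($"depth 20000: rejected ({e.Message})");
        }
        // UnboundedWalker.CountElements(hostile.DocumentElement) would instead
        // terminate this process with a StackOverflowException.
    }
}
```

The counter is tracked per thread rather than passed as a parameter because a real implementation recurses through several public methods (transforms, canonicalizers, reference loading) whose signatures cannot change; a thread-local lets every level see the same depth without touching those signatures.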

Mitigation Strategies

  • Apply the vendor patches: update the .NET runtime/SDK and Visual Studio to the fixed versions listed above. This is the only complete fix.
  • Where a WAF or API gateway can parse request bodies, add a rule that rejects XML bodies whose element nesting depth exceeds a small limit. Signatures often arrive wrapped, for example as base64-encoded SAML responses in a form field, and a rule matching on the raw body will not see those unless the gateway decodes them first.
  • Enforce request size limits, but do not rely on them alone: nesting depth, not byte count, drives the recursion, and each extra level costs only a few bytes, so a body well under a typical size limit can still carry thousands of levels. Pair size limits with an explicit depth check in the application before a document reaches SignedXml or EncryptedXml.
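An application-side version of that depth check, as an added example that is not code from the advisory or from .NET: the document is streamed through XmlReader, whose Depth property lives on the heap rather than the call stack, and is rejected before any SignedXml object sees it. The XmlDepthGuard class, its MaxDepth value of 32, the envelope format and the constructed hostile input are assumptions for the example; the SignedXml and XmlReader calls are the real library API.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

static class XmlDepthGuard
{
    // Assumed policy value for this example: legitimate XMLDSIG and SAML
    // documents are a handful of levels deep, so anything past this is
    // hostile or malformed.
    public const int MaxDepth = 32;

    // Streams the text through XmlReader (no DOM, no recursion) and rejects it
    // the moment reader.Depth passes MaxDepth. DTDs are prohibited and the
    // resolver is nulled so the same pass also blocks entity expansion and XXE.
    public static void EnforceDepth(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null,
        };
        using var reader = XmlReader.Create(new StringReader(xml), settings);
        while (reader.Read())
        {
            if (reader.NodeType == XmlNodeType.Element && reader.Depth > MaxDepth)
                throw new XmlException(
                    $"element nesting depth {reader.Depth} exceeds limit {MaxDepth}");
        }
    }
}

static class Demo
{
    // Produces a legitimate enveloped XMLDSIG signature over the whole document.
    static string Sign(string xml, RSA key)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(xml);
        var signedXml = new SignedXml(doc) { SigningKey = key };
        var reference = new Reference("");   // "" = the enclosing document
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        signedXml.AddReference(reference);
        signedXml.ComputeSignature();
        doc.DocumentElement!.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
        return doc.OuterXml;
    }

    // The verification path a service would expose: depth check first,
    // SignedXml second. Untrusted input never reaches SignedXml unchecked.
    static bool Verify(string xml, RSA key)
    {
        XmlDepthGuard.EnforceDepth(xml);
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(xml);
        var sig = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl)
                     .OfType<XmlElement>().FirstOrDefault()
                  ?? throw new CryptographicException("no Signature element");
        var signedXml = new SignedXml(doc);
        signedXml.LoadXml(sig);
        return signedXml.CheckSignature(key);
    }

    static string Nested(int depth) =>
        string.Concat(Enumerable.Repeat("<a>", depth)) + "x" +
        string.Concat(Enumerable.Repeat("</a>", depth));

    static void Main()
    {
        using var key = RSA.Create(2048);
        string good = Sign("<envelope><payload>hello</payload></envelope>", key);
        Console.WriteLine($"legitimate document verifies: {Verify(good, key)}");

        // Constructed hostile input: a modest byte count with very deep nesting.
        string hostile = "<envelope>" + Nested(20_000) + "</envelope>";
        try
        {
            Verify(hostile, key);
        }
        catch (XmlException e)
        {
            Console.WriteLine($"hostile document rejected before SignedXml ran: {e.Message}");
        }
    }
}
```

The guard throws XmlException rather than CryptographicException so that log searches can tell the application's own pre-check apart from exceptions raised inside the cryptographic library.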

Remediation Steps:

  1. Identify all hosts running vulnerable versions of .NET 8.0, 9.0 or 10.0, and all developer machines with the affected Visual Studio 2022 versions.
  2. Deploy the .NET runtime and SDK updates 8.0.26, 9.0.15 or 10.0.6 to affected servers (this is the modern .NET runtime, not the Windows-only .NET Framework).
  3. Update Visual Studio 2022 installations to 17.12.19 or 17.14.30.
  4. Restart the affected .NET processes or IIS worker processes so that the updated runtime assemblies are loaded; a process started before the update keeps the old library in memory.
  5. Monitor application logs for CryptographicException events related to recursion or nesting depth; a spike in them is a signal that someone is sending deeply nested documents to the endpoint.
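A triage helper for steps 1 and 2, added here as an example rather than taken from the advisory: it parses the output of `dotnet --list-runtimes` and flags any shared runtime below the first fixed patch level listed above. The RuntimeTriage class, the constructed sample output and the `--live` switch are assumptions for the example; the fixed version numbers are the ones from the affected-systems list.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Text.RegularExpressions;

static class RuntimeTriage
{
    // First fixed patch level per release channel, from the advisory.
    static readonly Dictionary<(int, int), Version> FirstFixed = new()
    {
        [(8, 0)]  = new Version(8, 0, 26),
        [(9, 0)]  = new Version(9, 0, 15),
        [(10, 0)] = new Version(10, 0, 6),
    };

    // Matches lines of `dotnet --list-runtimes`, e.g.
    // "Microsoft.AspNetCore.App 8.0.25 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]".
    // Preview builds such as "10.0.0-preview.3" deliberately do not match and are skipped.
    static readonly Regex RuntimeLine =
        new(@"^(?<name>Microsoft\.\S+)\s+(?<ver>\d+\.\d+\.\d+)\s+\[", RegexOptions.Multiline);

    // Returns one finding per installed runtime whose version is below the fix
    // for its channel; channels the advisory does not list are ignored.
    public static List<string> FindVulnerable(string listRuntimesOutput)
    {
        var findings = new List<string>();
        foreach (Match m in RuntimeLine.Matches(listRuntimesOutput))
        {
            var ver = Version.Parse(m.Groups["ver"].Value);
            if (FirstFixed.TryGetValue((ver.Major, ver.Minor), out var fix) && ver < fix)
                findings.Add($"{m.Groups["name"].Value} {ver} is below {fix}");
        }
        return findings;
    }

    // Runs the real command on this host.
    public static string ListRuntimes()
    {
        var psi = new ProcessStartInfo("dotnet", "--list-runtimes")
        {
            RedirectStandardOutput = true,
            UseShellExecute = false,
        };
        using var proc = Process.Start(psi)
            ?? throw new InvalidOperationException("dotnet not found on PATH");
        string output = proc.StandardOutput.ReadToEnd();
        proc.WaitForExit();
        return output;
    }

    static void Main(string[] args)
    {
        // Constructed sample output so the block runs offline; pass --live to
        // query this host instead.
        const string sample =
            "Microsoft.AspNetCore.App 8.0.25 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]\n" +
            "Microsoft.AspNetCore.App 9.0.15 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]\n" +
            "Microsoft.NETCore.App 8.0.25 [/usr/share/dotnet/shared/Microsoft.NETCore.App]\n" +
            "Microsoft.NETCore.App 10.0.5 [/usr/share/dotnet/shared/Microsoft.NETCore.App]\n";
        string output = args.Length > 0 && args[0] == "--live" ? ListRuntimes() : sample;

        var findings = FindVulnerable(output);
        if (findings.Count == 0)
        {
            Console.WriteLine("no vulnerable shared runtimes found");
            return;
        }
        foreach (var f in findings)
            Console.WriteLine("VULNERABLE: " + f);
        Environment.ExitCode = 1;   // non-zero so fleet tooling can flag the host
    }
}
```

A shared-runtime check covers framework-dependent deployments only. Self-contained deployments and applications that reference the System.Security.Cryptography.Xml NuGet package directly carry their own copy of the library, so check the package version in the deployed application as well.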
