CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-33116: Denial of Service via XML Encryption Circular References in .NET

Vulnerability ID: CVE-2026-33116
CVSS Score: 7.5
Published: 2026-04-14

CVE-2026-33116 is a critical Denial of Service (DoS) vulnerability in the .NET System.Security.Cryptography.Xml namespace. It allows an unauthenticated remote attacker to cause CPU exhaustion and thread hangs by supplying a crafted XML document with circular encrypted references.

TL;DR

Unauthenticated DoS in .NET XML cryptography via an infinite loop while parsing circular references.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-835
  • Attack Vector: Network
  • CVSS Score: 7.5 (High)
  • Impact: Denial of Service (DoS)
  • Exploit Status: Proof of Concept Available
  • Authentication Required: None

Affected Systems

  • .NET 10.0: 10.0.0 to < 10.0.6 (Fixed in: 10.0.6)
  • .NET 9.0: 9.0.0 to < 9.0.15 (Fixed in: 9.0.15)
  • .NET 8.0: 8.0.0 to < 8.0.26 (Fixed in: 8.0.26)
  • .NET Framework 4.8.1: < 4.8.9332.0 (Fixed in: 4.8.9332.0)
  • .NET Framework 4.8: < 4.8.4801.0 (Fixed in: 4.8.4801.0)
  • .NET Framework 3.5 (affected range and fixed version not listed in the report)

Code Analysis

Commit: b234b9a

Fix for CVE-2026-33116: Add recursion depth tracking to XML encryption processing

Mitigation Strategies

  • Apply vendor-supplied security patches to the .NET runtime and .NET Framework.
  • Configure AppContext switches to manually restrict recursion depth if patching is delayed.
  • Implement network-level rate limiting and payload size restrictions for incoming XML requests.
  • Validate and sanitize XML structures before passing them to cryptographic APIs.
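The last mitigation item, validating XML structure before it reaches the cryptographic APIs, can be made concrete as a pre-check that rejects documents whose encryption elements reference each other in a loop. The Python below is an added example, not code from this report or from .NET: it builds the reference graph between Id-bearing EncryptedKey/EncryptedData elements (edges from '#id' URIs on ds:RetrievalMethod, xenc:KeyReference and xenc:DataReference) and returns any cycle it finds. It assumes fragment-style Id references; the report does not say which reference path the vulnerable .NET code follows, so the check is deliberately broad, and both sample documents are constructed.

```python
import xml.etree.ElementTree as ET

XENC = "{http://www.w3.org/2001/04/xmlenc#}"
DSIG = "{http://www.w3.org/2000/09/xmldsig#}"
NODE_TAGS = (XENC + "EncryptedKey", XENC + "EncryptedData")
REF_TAGS = (DSIG + "RetrievalMethod", XENC + "KeyReference", XENC + "DataReference")

def build_reference_graph(root):
    """Map each Id-bearing EncryptedKey/EncryptedData to the Ids it points at via
    '#id' URIs on ds:RetrievalMethod (KeyInfo) or xenc:KeyReference/DataReference."""
    graph = {}
    for elem in root.iter():
        if elem.tag in NODE_TAGS and elem.get("Id") is not None:
            graph[elem.get("Id")] = {ref.get("URI")[1:] for ref in elem.iter()
                                     if ref.tag in REF_TAGS and ref.get("URI", "").startswith("#")}
    return graph

def find_reference_cycle(xml_text):
    """Return the Ids of one reference cycle (first Id repeated at the end), or None.
    Depth-first search; an edge back to an Id still on the current path is a cycle."""
    graph = build_reference_graph(ET.fromstring(xml_text))
    state, path = {}, []

    def visit(node):
        state[node] = "visiting"
        path.append(node)
        for target in sorted(graph.get(node, ())):
            if state.get(target) == "visiting":
                return path[path.index(target):] + [target]
            if target in graph and target not in state:
                cycle = visit(target)
                if cycle:
                    return cycle
        path.pop()
        state[node] = "done"
        return None

    for node in sorted(graph):
        if node not in state and (cycle := visit(node)):
            return cycle
    return None

# Constructed samples (not from the report): two EncryptedKey elements whose KeyInfo
# lookups point at each other, and a well-formed EncryptedData -> EncryptedKey pair.
NS = 'xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"'
CIRCULAR = f"""<Root {NS}>
  <xenc:EncryptedKey Id="ek1"><ds:KeyInfo><ds:RetrievalMethod URI="#ek2"/></ds:KeyInfo></xenc:EncryptedKey>
  <xenc:EncryptedKey Id="ek2"><ds:KeyInfo><ds:RetrievalMethod URI="#ek1"/></ds:KeyInfo></xenc:EncryptedKey>
</Root>"""
SAFE = f"""<Root {NS}>
  <xenc:EncryptedKey Id="ek1"><ds:KeyInfo><ds:KeyName>wrapping-key</ds:KeyName></ds:KeyInfo></xenc:EncryptedKey>
  <xenc:EncryptedData Id="ed1"><ds:KeyInfo><ds:RetrievalMethod URI="#ek1"/></ds:KeyInfo></xenc:EncryptedData>
</Root>"""
```

A non-None result means the document should be rejected before it is handed to EncryptedXml; this is a structural filter only and does not replace the vendor patch.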

Remediation Steps:

  1. Identify all applications running vulnerable versions of .NET 8.0, 9.0, 10.0, or .NET Framework.
  2. Deploy the April 2026 .NET security updates via Windows Update, WSUS, or package managers.
  3. Restart affected services to ensure the patched runtime is loaded into memory.
  4. Verify the update installation by checking the runtime version using the dotnet --info command.
