CVE-2026-35433: Heap-Based Buffer Overflow and Privilege Escalation in .NET Desktop Runtime
Vulnerability ID: CVE-2026-35433
CVSS Score: 7.3
Published: 2026-05-18
CVE-2026-35433 is a high-severity Elevation of Privilege (EoP) vulnerability affecting the .NET Desktop Runtime. The flaw originates from a heap-based buffer overflow in the Windows Forms and WPF components due to improper input validation and integer overflow during binary data parsing. Successful exploitation allows a local attacker to execute arbitrary code with the privileges of the compromised application.
TL;DR
A local attacker can trigger a heap buffer overflow in .NET Desktop Runtime (WinForms/WPF) by supplying malformed resource files or serialized payloads, potentially resulting in code execution and privilege escalation.
Technical Details
- Primary CWE: CWE-122 (Heap-based Buffer Overflow)
- Attack Vector: Local (User Interaction Required)
- CVSS v3.1 Score: 7.3
- EPSS Score: 0.00122 exploitation probability (30.67th percentile)
- Impact: Elevation of Privilege / Arbitrary Code Execution
- Exploit Status: None (No public PoC)
- CISA KEV: Not Listed
Affected Systems
- Windows Desktop environments running .NET applications
- Systems executing WinForms applications
- Systems executing WPF applications
- .NET 10.0: 10.0.0 <= version < 10.0.8 (Fixed in: 10.0.8)
- .NET 9.0: 9.0.0 <= version < 9.0.16 (Fixed in: 9.0.16)
- .NET 8.0: 8.0.0 <= version < 8.0.27 (Fixed in: 8.0.27)
- .NET Framework: 3.5, 4.7.2, 4.8, 4.8.1 (Fixed in: 4.8.9334.0)
Code Analysis
Commit: 09e72ae
Final dependency update advancing to 10.0.7-servicing.26216.111
Mitigation Strategies
- Apply vendor-provided patches updating the .NET runtime to secure versions.
- Restrict the processing of untrusted .resx, .ico, and binary-serialized objects from external sources.
- Implement strict input validation for any application handling external UI resources.
Remediation Steps
- Identify all systems running vulnerable versions of .NET 8.0, 9.0, 10.0, or .NET Framework 3.5 - 4.8.1.
- Deploy .NET 10.0.8, 9.0.16, or 8.0.27 to all endpoints and application servers as applicable.
- Deploy the May 2026 Cumulative Update for Windows environments running legacy .NET Framework versions.
- Restart affected applications and services to ensure the patched runtime libraries are loaded into memory.
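An inventory check for the first two remediation steps, added here as an example; it is not part of the advisory and not Microsoft tooling. It parses the output of `dotnet --list-runtimes` and compares installed Microsoft.WindowsDesktop.App runtimes against the fixed builds the advisory names (10.0.8, 9.0.16, 8.0.27). The .NET Framework 4.x check reads the file version of mscorlib.dll and compares it with 4.8.9334.0; reading the build from that file is this example's assumption, and the sample runtime lines used when `dotnet` is absent are constructed.

```powershell
# Added example (not from the advisory): inventory .NET Desktop Runtime and
# .NET Framework 4.x builds on the local host and flag versions below the
# fixed builds listed in the advisory. Requires PowerShell 5.1 or later.

# Fixed builds named in the advisory, keyed by major.minor.
$FixedVersions = @{
    '10.0' = [version]'10.0.8'
    '9.0'  = [version]'9.0.16'
    '8.0'  = [version]'8.0.27'
}

function Test-DotnetRuntimeLine {
    # Parses one line of 'dotnet --list-runtimes', e.g.
    #   Microsoft.WindowsDesktop.App 8.0.10 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
    # Only the WindowsDesktop shared framework (WinForms/WPF) is in scope for this advisory.
    param([Parameter(Mandatory)][string]$Line)

    if ($Line -notmatch '^(?<name>\S+)\s+(?<ver>\d+\.\d+\.\d+)') { return $null }
    $name    = $Matches['name']
    $ver     = [version]$Matches['ver']
    $mm      = "$($ver.Major).$($ver.Minor)"
    $inScope = ($name -eq 'Microsoft.WindowsDesktop.App')

    $vulnerable = $false
    if ($inScope -and $FixedVersions.ContainsKey($mm)) {
        $vulnerable = ($ver -lt $FixedVersions[$mm])
    }
    [pscustomobject]@{
        Name       = $name
        Version    = $ver
        InScope    = $inScope
        Vulnerable = $vulnerable
    }
}

function Get-NetFrameworkStatus {
    # .NET Framework 4.x is serviced in place. Assumption of this example: the
    # patched build is visible as the file version of the 64-bit mscorlib.dll.
    # .NET Framework 3.5 (v2.0.50727 runtime) is not covered by this check.
    $fixed = [version]'4.8.9334.0'
    $path  = Join-Path $env:windir 'Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll'
    if (-not (Test-Path $path)) { return $null }
    $raw = (Get-Item $path).VersionInfo.FileVersionRaw
    [pscustomobject]@{
        Name       = '.NET Framework 4.x (mscorlib.dll)'
        Version    = $raw
        InScope    = $true
        Vulnerable = ($raw -lt $fixed)
    }
}

# Constructed sample output, used only when the dotnet host is not on PATH so
# the script still demonstrates the comparison offline.
$SampleListRuntimes = @(
    'Microsoft.NETCore.App 8.0.10 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]',
    'Microsoft.WindowsDesktop.App 8.0.10 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]',
    'Microsoft.WindowsDesktop.App 9.0.16 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]'
)

$lines = if (Get-Command dotnet -ErrorAction SilentlyContinue) {
    & dotnet --list-runtimes
} else {
    Write-Warning 'dotnet host not found; evaluating constructed sample lines instead.'
    $SampleListRuntimes
}

$results = @($lines | ForEach-Object { Test-DotnetRuntimeLine $_ } | Where-Object { $_ })
$fx = Get-NetFrameworkStatus
if ($fx) { $results += $fx }

# Note: self-contained and single-file apps ship their own copy of the runtime
# and do not appear in 'dotnet --list-runtimes'; they must be rebuilt and redeployed.
$results | Format-Table Name, Version, InScope, Vulnerable -AutoSize
```

Run it on each endpoint from the inventory step; any row with `Vulnerable` set to True points at a runtime to update to the fixed builds above. On the constructed sample, the 8.0.10 desktop runtime is flagged and the 9.0.16 one is not, while the Microsoft.NETCore.App line is reported as out of scope.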