CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-42899: Denial of Service via Infinite Loops in ASP.NET Core Subsystems

Vulnerability ID: CVE-2026-42899
CVSS Score: 7.5
Published: 2026-05-18

CVE-2026-42899 is a high-severity Denial of Service (DoS) vulnerability in the Microsoft ASP.NET Core framework, consisting of multiple instances of a 'Loop with Unreachable Exit Condition' (CWE-835). An unauthenticated remote attacker can drive the worker process to 100% CPU utilization by supplying specially crafted requests that trigger logic errors in the request parsing, data protection, minimal API, and caching subsystems.

TL;DR

Unauthenticated remote Denial of Service in ASP.NET Core due to infinite loops in core subsystems, remediated in .NET 8.0.27, 9.0.16, and 10.0.8.


Technical Details

  • CWE ID: CWE-835
  • Attack Vector: Network
  • CVSS v3.1: 7.5 (High)
  • EPSS: 0.00047 (0.05%)
  • Impact: High Availability (Denial of Service)
  • Exploit Status: None Public
  • CISA KEV: Not Listed

Affected Systems

  • ASP.NET Core on .NET 8.0
  • ASP.NET Core on .NET 9.0
  • ASP.NET Core on .NET 10.0
  • .NET 8.0: 8.0.0 <= version < 8.0.27 (Fixed in: 8.0.27)
  • .NET 9.0: 9.0.0 <= version < 9.0.16 (Fixed in: 9.0.16)
  • .NET 10.0: 10.0.0 <= version < 10.0.8 (Fixed in: 10.0.8)

Code Analysis

  • Commit c5fa707: Fix for DataProtection MAC validation boundary calculation
  • Commit 31515a4: Refactor of RequestDelegateFactory binding failure logic
  • Commit 3ec3980: Fix HybridCache state transitions and waiter clearance

Mitigation Strategies

  • Update .NET runtime and SDK to patched versions
  • Update JavaScript dependencies (lodash, serialize-javascript) for Blazor/SPA applications
  • Implement WAF rules to pre-validate and drop malformed API parameters
  • Enforce connection rate limits and strict request timeouts
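The last two mitigations can be applied inside the application itself using ASP.NET Core's built-in request-timeout and rate-limiting middleware (both available from .NET 8). The following Program.cs is an added example written for this page, not code from the advisory or from the ASP.NET Core project; the timeout lengths, window sizes and permit counts are assumed values to be tuned per deployment.

```csharp
// Program.cs for an ASP.NET Core (.NET 8+) application. Added example: bounds how
// long one request may run and how many requests one client may send per window.
// This is a defence-in-depth layer; it does not replace the 8.0.27 / 9.0.16 / 10.0.8
// updates. All numeric limits below are assumptions for illustration.
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.Http.Timeouts;
using Microsoft.AspNetCore.RateLimiting;

var builder = WebApplication.CreateBuilder(args);

// 1. Request timeouts: when a request exceeds its policy, HttpContext.RequestAborted
//    is cancelled and, if no response has started, a 503 is written. Handlers must
//    observe the cancellation token for the timeout to take effect.
builder.Services.AddRequestTimeouts(options =>
{
    options.DefaultPolicy = new RequestTimeoutPolicy
    {
        Timeout = TimeSpan.FromSeconds(10),                      // assumed value
        TimeoutStatusCode = StatusCodes.Status503ServiceUnavailable
    };
    // A tighter named policy for endpoints that bind untrusted parameters.
    options.AddPolicy("api", TimeSpan.FromSeconds(5));           // assumed value
});

// 2. Rate limiting: a fixed window keyed on the remote IP so a single client cannot
//    flood the process with crafted requests. Behind a trusted reverse proxy, enable
//    forwarded-headers handling first so the key is the real client address.
builder.Services.AddRateLimiter(options =>
{
    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;
    options.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, string>(ctx =>
        RateLimitPartition.GetFixedWindowLimiter(
            partitionKey: ctx.Connection.RemoteIpAddress?.ToString() ?? "unknown",
            factory: _ => new FixedWindowRateLimiterOptions
            {
                PermitLimit = 100,                  // assumed value
                Window = TimeSpan.FromSeconds(10),  // assumed value
                QueueLimit = 0                      // reject immediately, never queue
            }));
});

var app = builder.Build();

app.UseRateLimiter();
app.UseRequestTimeouts();

// Minimal API endpoint that honours the cancellation token, so the "api" timeout
// policy can actually interrupt it.
app.MapGet("/api/items/{id:int}", async (int id, CancellationToken ct) =>
{
    await Task.Delay(TimeSpan.FromMilliseconds(50), ct); // stand-in for real work
    return Results.Ok(new { id });
})
.WithRequestTimeout("api");

app.Run();
```

Two points worth noting when relying on this. A request timeout only cancels a token; a loop inside the framework that never checks that token keeps spinning, so timeouts limit exposure from slow handlers but cannot cure CWE-835 defects in the runtime itself, which is why the version update remains the actual fix. The rate limiter keys on the connection's remote address, so clients sharing a NAT share one bucket; choose the window and permit count with that in mind.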

Remediation Steps

  1. Identify all systems running .NET 8.0, 9.0, or 10.0
  2. Download and install .NET updates 8.0.27, 9.0.16, or 10.0.8
  3. Rebuild self-contained applications with the updated .NET SDK
  4. Update package.json dependencies to lodash >=4.18.0 and serialize-javascript >=7.0.5
  5. Deploy updated application artifacts to production environments
  6. Monitor application worker process CPU utilization to verify vulnerability resolution
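Step 1 is usually scripted across a fleet from the output of `dotnet --list-runtimes`. The console program below is an added example for this page, not tooling from the advisory: it parses that output, compares each installed Microsoft.AspNetCore.App shared runtime against the fixed versions the advisory lists, and exits non-zero when an affected version is present. The sample lines embedded in it are constructed, and the assumption that the ASP.NET Core shared runtime carries the same patch version as the corresponding .NET release is stated in the comments.

```csharp
// Added example (not from the advisory): audit installed ASP.NET Core shared runtimes
// against the fixed versions in CVE-2026-42899.
//   dotnet --list-runtimes | dotnet run          (real host)
//   dotnet run                                   (constructed sample below)
// Assumption: the Microsoft.AspNetCore.App runtime version matches the .NET patch
// release (8.0.x, 9.0.x, 10.0.x) that the advisory's version ranges refer to.
using System.Text.RegularExpressions;

static class RuntimeAudit
{
    // Fixed versions per major line, exactly as stated in the advisory.
    static readonly Dictionary<int, Version> FixedIn = new()
    {
        [8]  = new Version(8, 0, 27),
        [9]  = new Version(9, 0, 16),
        [10] = new Version(10, 0, 8),
    };

    // Matches lines such as:
    //   Microsoft.AspNetCore.App 8.0.10 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
    static readonly Regex Line = new(
        @"^Microsoft\.AspNetCore\.App (?<ver>\d+\.\d+\.\d+)(?<pre>-\S+)? \[(?<path>[^\]]+)\]$",
        RegexOptions.Compiled);

    public record Finding(Version Installed, string Path, bool Vulnerable, Version? Fixed);

    public static List<Finding> Audit(IEnumerable<string> lines)
    {
        var findings = new List<Finding>();
        foreach (var raw in lines)
        {
            var m = Line.Match(raw.Trim());
            if (!m.Success) continue; // NETCore.App / WindowsDesktop.App lines are not in scope
            var installed = Version.Parse(m.Groups["ver"].Value);
            var path = m.Groups["path"].Value;
            if (!FixedIn.TryGetValue(installed.Major, out var fixedVersion))
            {
                // Major lines the advisory does not name are reported but not flagged.
                findings.Add(new Finding(installed, path, false, null));
                continue;
            }
            findings.Add(new Finding(installed, path, installed < fixedVersion, fixedVersion));
        }
        return findings;
    }

    static int Main()
    {
        IEnumerable<string> input = Console.IsInputRedirected
            ? ReadLines(Console.In)
            : new[] // constructed sample output, not taken from a real host
            {
                "Microsoft.NETCore.App 8.0.10 [/usr/share/dotnet/shared/Microsoft.NETCore.App]",
                "Microsoft.AspNetCore.App 8.0.10 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]",
                "Microsoft.AspNetCore.App 9.0.16 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]",
                "Microsoft.AspNetCore.App 10.0.3 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]",
            };

        var vulnerable = 0;
        foreach (var f in Audit(input))
        {
            var status = f.Vulnerable ? $"VULNERABLE (fixed in {f.Fixed})" : "ok";
            Console.WriteLine($"{f.Installed,-10} {status,-30} {f.Path}");
            if (f.Vulnerable) vulnerable++;
        }
        return vulnerable == 0 ? 0 : 1; // non-zero exit code for fleet inventory scripts
    }

    static IEnumerable<string> ReadLines(TextReader reader)
    {
        string? line;
        while ((line = reader.ReadLine()) != null) yield return line;
    }
}
```

Run it with the constructed sample and the 8.0.10 and 10.0.3 entries are reported as vulnerable while 9.0.16 is reported as ok. One gap to keep in mind, which is why step 3 exists separately: self-contained deployments bundle their own copy of the runtime and do not appear in `dotnet --list-runtimes`, so they must be found and rebuilt through the application inventory rather than through this host-level check.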

Read the full report for CVE-2026-42899 on our website for more details including interactive diagrams and full exploit analysis.
