CVE-2026-50527: Fix .NET DoS With .NET 8.0.29, 9.0.18 or 10.0.6

CVE-2026-50527 exposes supported versions of .NET and .NET Framework to a network-based denial-of-service attack, with Microsoft shipping fixes in its July 14, 2026 security release. The flaw requires no authentication, privileges, or user interaction, making prompt patching particularly important for servers that process untrusted network input.
Microsoft rates the vulnerability Important, assigning it a CVSS 3.1 base score of 7.5. Detailed in the Microsoft Security Response Center advisory and corroborated by the National Vulnerability Database, CVE-2026-50527 stems from a stack-based buffer overflow that can terminate or otherwise deny access to an affected service.
The vulnerability is not limited to the legacy .NET Framework bundled with Windows. Microsoft's affected-product record also covers current .NET releases and supported Visual Studio servicing channels, so administrators need to check operating-system updates, development environments, and application runtime deployments.

Cybersecurity-themed .NET migration graphic showing upgrades, containers, shields, and buffer overflow warnings.A Network Attack With Availability as the Target​

Microsoft's CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. In practical terms, an attacker can reach the vulnerable component over a network, does not need an account, and does not have to persuade a user to open a file or visit a website.
The attack complexity is rated low, indicating that specialized conditions are not required once an attacker can communicate with an exposed application using the affected code. Microsoft assigns no confidentiality or integrity impact, meaning the published assessment does not describe data theft, code execution, or unauthorized data modification.
Availability impact, however, is rated high. Successful exploitation could disrupt the affected process or service, potentially allowing an attacker to repeat the condition and keep a public-facing workload unavailable.
The underlying weakness is classified as CWE-121, a stack-based buffer overflow. While buffer overflows are often associated with arbitrary code execution, Microsoft's assessment for this specific flaw stops at denial of service. Administrators should therefore avoid treating the weakness category alone as proof that remote code execution is possible.
Microsoft has marked the report confidence as confirmed. That designation means the vendor has sufficient technical evidence to verify the vulnerability rather than merely acknowledging a suspected or theoretical problem.
As of the July 14 publication, Microsoft listed CVE-2026-50527 as neither publicly disclosed nor exploited in attacks. SANS Internet Storm Center's July Patch Tuesday inventory likewise recorded no known exploitation or prior disclosure. That lowers the immediate threat level compared with a zero-day, but it does not reduce the exposed service's potential availability impact.

The Affected Range Spans Old Windows Servers and Current .NET​

Microsoft's product data identifies vulnerable .NET Framework installations across Windows client and server generations. The list stretches from .NET Framework 3.5 on Windows Server 2012 and Server 2012 R2 through .NET Framework 4.8.1 on Windows 11 26H1 and Windows Server 2025.
Affected combinations include:
  • .NET Framework 3.5 on Windows Server 2012 and Windows Server 2012 R2 is affected below the corrected component builds 2.0.50727.8983 and 3.0.30729.8978.
  • .NET Framework 3.5 and 4.7.2 installations on Windows 10 versions 1607 and 1809, Windows Server 2016, and Windows Server 2019 are affected below the listed July servicing builds.
  • .NET Framework 3.5 and 4.8 installations are affected across Windows 10 1809, 21H2, and 22H2, plus Windows Server 2019 and Windows Server 2022.
  • .NET Framework 3.5 and 4.8.1 installations are affected on supported Windows 10 and Windows 11 releases, including Windows 11 23H2, 24H2, 25H2, and 26H1, as well as Windows Server 2022 and Windows Server 2025.
  • Older .NET Framework 4.6.2 through 4.7.2 deployments remain in the affected data for Windows Server 2012 and Server 2012 R2.
For .NET Framework 4.8.1, Microsoft identifies versions below build 4.8.9339.0 as vulnerable. For Framework 4.8, the corrected threshold is 4.8.4803.0, while affected 4.7-family installations must move to at least 4.7.4143.0.
Current cross-platform .NET deployments also require attention. Microsoft lists .NET 8 releases earlier than 8.0.29, .NET 9 releases earlier than 9.0.18, and .NET 10 releases earlier than 10.0.6 as affected.
That distinction matters because Windows Update does not necessarily manage every .NET runtime used by an organization. Framework components installed as part of Windows are generally serviced through Windows and Microsoft Update, but standalone .NET runtimes, software development kits, containers, and self-contained applications may require separate action.

Visual Studio Carries Its Own Servicing Thresholds​

Visual Studio installations appear in Microsoft's affected-product record because the development environment can install and use impacted .NET components. The corrected versions are Visual Studio 2022 17.12.22, Visual Studio 2022 17.14.36, and Visual Studio 2026 18.7.4.
Developers should update through Visual Studio Installer rather than assuming that the monthly Windows cumulative update covers the IDE. Build agents and offline development systems deserve the same check, particularly where organizations retain multiple servicing channels to support older projects.
Runtime inventory is equally important on continuous-integration infrastructure. A patched Visual Studio installation does not automatically prove that every separately installed .NET SDK or runtime has crossed the safe version threshold.
Self-contained .NET applications present another deployment wrinkle. These applications carry their own runtime instead of using only a centrally installed shared runtime, so updating the host machine's .NET installation may leave the application's bundled copy unchanged. Application owners may need to rebuild and redeploy those packages with a corrected .NET release.
Container images create a similar problem. Updating the host operating system does not replace vulnerable runtime layers inside existing images, and restarting an old container merely reloads the same affected files. Teams should rebuild from patched .NET base images and replace running containers rather than relying on host patch status.

Patch Priority Follows Exposure, Not Just the Score​

The most urgent systems are internet-facing services, APIs, gateways, and line-of-business applications that accept attacker-controlled network traffic through affected .NET components. Because Microsoft says exploitation needs no privileges or user interaction, access controls inside the application may not protect a service if vulnerable processing occurs before authentication.
Administrators should first deploy the July 2026 Windows and .NET Framework security updates to externally reachable servers, then verify standalone .NET and Visual Studio versions against Microsoft's fixed releases. Staging remains appropriate for business-critical applications, but delaying solely because the issue is classified as denial of service ignores the possibility of repeated remote disruption.
Monitoring can provide supporting evidence but is not a substitute for the fix. Operations teams should watch for unexpected .NET process crashes, service restarts, application-pool failures, abrupt increases in malformed requests, and recurring availability incidents originating from the same clients. Those symptoms are not unique to CVE-2026-50527 and should not be treated as definitive proof of exploitation.
The National Vulnerability Database still listed the record as awaiting enrichment on July 15, meaning NIST had not produced an independent CVSS assessment. Microsoft's CNA score and affected-product data therefore remain the primary technical basis for deployment decisions.
CVE-2026-50527 is not known to be under active attack, but its low-complexity, unauthenticated network path gives defenders little reason to leave exposed workloads on vulnerable builds. The practical endpoint is clear: bring .NET 8 to 8.0.29, .NET 9 to 9.0.18, .NET 10 to 10.0.6, install the applicable July .NET Framework update, and rebuild any application or container that carries its own runtime.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top