Microsoft has patched CVE-2026-50651, a high-severity .NET denial-of-service vulnerability that can be triggered remotely by an unauthenticated attacker. Administrators running .NET-backed network services should move to .NET 8.0.29, .NET 9.0.18, or .NET 10.0.10 and rebuild or redeploy applications whose runtime is packaged with the app.
Detailed in the Microsoft Security Response Center advisory published July 14, 2026, the flaw carries a CVSS 3.1 base score of 7.5. Microsoft describes the underlying weakness as an allocation of resources without effective limits or throttling, allowing an unauthorized attacker to exhaust resources over a network and deny service.
The vulnerability does not provide code execution, privilege escalation, or access to protected data. Its practical consequence is availability loss: a vulnerable process can be driven into a resource-exhaustion condition, potentially making an application or service unavailable until it recovers or is restarted.
Microsoft’s CVSS vector rates CVE-2026-50651 as network-accessible, low-complexity, and requiring neither privileges nor user interaction. Confidentiality and integrity are unaffected, but the availability impact is rated high.
That combination matters for internet-facing ASP.NET Core services, APIs, gateways, and other applications that process attacker-controlled network input. An attacker would not need an existing account or help from a user, although the vulnerable code path still must be exposed by the application.
The vulnerability is classified under resource allocation without limits or throttling. This family of defects typically arises when software allocates memory, processor time, threads, handles, or another finite resource in response to input without enforcing a sufficiently strict ceiling. Microsoft has not publicly documented the precise request shape or affected internal component, limiting defenders’ ability to create a narrowly targeted filter.
Microsoft’s scoring also marks the report confidence as confirmed. That field is not a second severity score and does not mean attacks have been observed. It indicates that Microsoft considers the vulnerability’s existence and technical basis established rather than speculative.
At publication, the CVSS vector marked exploit-code maturity as unproven and remediation as an official fix. In operational terms, administrators have a vendor patch but should not rely on the absence of public exploit code as a long-term defense.
Visual Studio 2022 and Visual Studio 2026 are also identified among affected Microsoft products in published vulnerability data. Development workstations and build agents should receive their corresponding Visual Studio servicing updates, particularly where those systems host test servers or execute untrusted workloads.
Installing a newer SDK on a developer’s workstation does not automatically replace every runtime distributed with an application. The correct remediation depends on the application’s deployment model.
A framework-dependent application uses a separately installed runtime and will ordinarily pick up the servicing update when the host runtime is upgraded. A self-contained application carries its own .NET runtime, meaning its publisher must rebuild and redeploy it using the corrected servicing version. Single-file deployments and containers deserve the same scrutiny because their runtime may be frozen inside an artifact produced before July 14.
Administrators can begin by running
Application owners should also inspect deployment manifests, pipeline definitions, Dockerfiles, and base-image digests. A Dockerfile referencing a floating tag may receive an updated image during the next clean build, but an existing image in a private registry remains vulnerable until it is rebuilt and replaced. Build caches can similarly preserve an older runtime even after a base tag has moved.
For IIS-hosted ASP.NET Core applications, administrators should update the relevant Hosting Bundle and confirm that application pools have restarted against the corrected runtime. Planned service restarts are preferable to discovering during an attack that a supposedly updated worker process is still using files loaded before maintenance.
Where immediate deployment is impossible, conventional denial-of-service controls can reduce exposure but should be treated as temporary safeguards. Request-size limits, connection ceilings, reverse-proxy throttling, authenticated access, web application firewall rules, memory limits, and automated process recovery may constrain the effect of abusive traffic. Without Microsoft publishing the exact trigger, however, defenders cannot assume that generic HTTP rate limiting completely blocks the vulnerable path.
Monitoring should focus on sudden memory growth, CPU saturation, thread-pool pressure, repeated worker-process restarts, container out-of-memory terminations, and unexplained availability drops. Those signals do not uniquely identify exploitation of CVE-2026-50651, but they can expose attempts to drive a service into resource exhaustion.
That broader release makes selective patching impractical. Organizations should test and deploy the complete servicing release for each supported branch rather than attempting to isolate the CVE-2026-50651 fix. The corrected runtimes include both security and reliability changes, and Microsoft’s support model expects customers to remain on the latest patch level within their chosen .NET feature line.
The immediate task is therefore concrete: update installed runtimes, patch Visual Studio, rebuild self-contained applications, refresh container images, and restart long-running services. Until those artifacts are replaced, an application can remain exposed even when the Windows host itself reports that July’s operating-system updates installed successfully.
Detailed in the Microsoft Security Response Center advisory published July 14, 2026, the flaw carries a CVSS 3.1 base score of 7.5. Microsoft describes the underlying weakness as an allocation of resources without effective limits or throttling, allowing an unauthorized attacker to exhaust resources over a network and deny service.
The vulnerability does not provide code execution, privilege escalation, or access to protected data. Its practical consequence is availability loss: a vulnerable process can be driven into a resource-exhaustion condition, potentially making an application or service unavailable until it recovers or is restarted.
A Network Attack With No Login Barrier
Microsoft’s CVSS vector rates CVE-2026-50651 as network-accessible, low-complexity, and requiring neither privileges nor user interaction. Confidentiality and integrity are unaffected, but the availability impact is rated high.That combination matters for internet-facing ASP.NET Core services, APIs, gateways, and other applications that process attacker-controlled network input. An attacker would not need an existing account or help from a user, although the vulnerable code path still must be exposed by the application.
The vulnerability is classified under resource allocation without limits or throttling. This family of defects typically arises when software allocates memory, processor time, threads, handles, or another finite resource in response to input without enforcing a sufficiently strict ceiling. Microsoft has not publicly documented the precise request shape or affected internal component, limiting defenders’ ability to create a narrowly targeted filter.
Microsoft’s scoring also marks the report confidence as confirmed. That field is not a second severity score and does not mean attacks have been observed. It indicates that Microsoft considers the vulnerability’s existence and technical basis established rather than speculative.
At publication, the CVSS vector marked exploit-code maturity as unproven and remediation as an official fix. In operational terms, administrators have a vendor patch but should not rely on the absence of public exploit code as a long-term defense.
The Fix Arrives in Three .NET Servicing Releases
The .NET team’s July 2026 servicing announcement lists CVE-2026-50651 as affecting the currently serviced .NET 8, .NET 9, and .NET 10 branches. Microsoft released the following corrected versions on July 14:- .NET 8 installations should be updated to 8.0.29, with SDK 8.0.423 available for development systems.
- .NET 9 installations should be updated to 9.0.18, with SDK 9.0.316 included in the release.
- .NET 10 installations should be updated to 10.0.10, supplied through SDK 10.0.302 or 10.0.110 depending on the installed SDK feature band.
Visual Studio 2022 and Visual Studio 2026 are also identified among affected Microsoft products in published vulnerability data. Development workstations and build agents should receive their corresponding Visual Studio servicing updates, particularly where those systems host test servers or execute untrusted workloads.
Installing a newer SDK on a developer’s workstation does not automatically replace every runtime distributed with an application. The correct remediation depends on the application’s deployment model.
A framework-dependent application uses a separately installed runtime and will ordinarily pick up the servicing update when the host runtime is upgraded. A self-contained application carries its own .NET runtime, meaning its publisher must rebuild and redeploy it using the corrected servicing version. Single-file deployments and containers deserve the same scrutiny because their runtime may be frozen inside an artifact produced before July 14.
Inventory Must Reach Beyond Windows Update
Windows Update may service Microsoft-managed .NET components and Visual Studio installations, but it cannot find every runtime copied into an application directory, container layer, build cache, or software appliance. That makes CVE-2026-50651 primarily an application-platform inventory problem rather than a simple count of patched Windows endpoints.Administrators can begin by running
dotnet --list-runtimes and dotnet --list-sdks on servers and build systems. The output should be checked for .NET 8 versions earlier than 8.0.29, .NET 9 versions earlier than 9.0.18, and .NET 10 versions earlier than 10.0.10.Application owners should also inspect deployment manifests, pipeline definitions, Dockerfiles, and base-image digests. A Dockerfile referencing a floating tag may receive an updated image during the next clean build, but an existing image in a private registry remains vulnerable until it is rebuilt and replaced. Build caches can similarly preserve an older runtime even after a base tag has moved.
For IIS-hosted ASP.NET Core applications, administrators should update the relevant Hosting Bundle and confirm that application pools have restarted against the corrected runtime. Planned service restarts are preferable to discovering during an attack that a supposedly updated worker process is still using files loaded before maintenance.
Where immediate deployment is impossible, conventional denial-of-service controls can reduce exposure but should be treated as temporary safeguards. Request-size limits, connection ceilings, reverse-proxy throttling, authenticated access, web application firewall rules, memory limits, and automated process recovery may constrain the effect of abusive traffic. Without Microsoft publishing the exact trigger, however, defenders cannot assume that generic HTTP rate limiting completely blocks the vulnerable path.
Monitoring should focus on sudden memory growth, CPU saturation, thread-pool pressure, repeated worker-process restarts, container out-of-memory terminations, and unexplained availability drops. Those signals do not uniquely identify exploitation of CVE-2026-50651, but they can expose attempts to drive a service into resource exhaustion.
July’s Broader .NET Patch Set Raises the Stakes
CVE-2026-50651 shipped as part of an unusually large July .NET servicing bundle. Microsoft’s .NET blog lists numerous denial-of-service, remote-code-execution, privilege, tampering, spoofing, and security-feature-bypass fixes across .NET 8, .NET 9, and .NET 10.That broader release makes selective patching impractical. Organizations should test and deploy the complete servicing release for each supported branch rather than attempting to isolate the CVE-2026-50651 fix. The corrected runtimes include both security and reliability changes, and Microsoft’s support model expects customers to remain on the latest patch level within their chosen .NET feature line.
The immediate task is therefore concrete: update installed runtimes, patch Visual Studio, rebuild self-contained applications, refresh container images, and restart long-running services. Until those artifacts are replaced, an application can remain exposed even when the Windows host itself reports that July’s operating-system updates installed successfully.
References
- Primary source: MSRC
Published: 2026-07-14T07:00:00-07:00
Security Update Guide - Microsoft Security Response Center
msrc.microsoft.com
- Related coverage: vuln.today
Denial of Service - Attack Technique - vuln.today
Denial of Service attacks render applications or systems unavailable by overwhelming resources or triggering failure conditions.vuln.today