HIGH 7.5

CVE-2026-45591: ASP.NET Core Remote Denial-of-Service Vulnerability – Patch Guidance

CVE-2026-45591 is a denial-of-service vulnerability in ASP.NET Core that allows attackers on a network to exhaust system resources and crash or degrade application availability. An attacker can send specially crafted requests that consume excessive CPU, memory, or other finite resources without needing to authenticate or interact with users. The vulnerability stems from insufficient input validation or rate-limiting in the framework's request-handling pipeline.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Weaknesses (CWE)
CWE-400, CWE-770
Affected products
6 configuration(s)
Published / Modified
2026-06-09 / 2026-07-15

NVD description (verbatim)

Uncontrolled resource consumption in ASP.NET Core allows an unauthorized attacker to deny service over a network.

21 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This vulnerability involves uncontrolled resource consumption (CWE-400, CWE-770) in Microsoft's ASP.NET Core framework. The flaw allows an unauthenticated, network-based attacker to trigger resource exhaustion conditions that deny service to legitimate users. The attack vector is network-accessible; no authentication or user interaction is required. The CVSS 3.1 vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects high availability impact with low attack complexity, earning a score of 7.5 (HIGH severity). The vulnerability affects the confidentiality and integrity of the system, though the primary impact is availability.

Business impact

Denial-of-service attacks exploiting this vulnerability can cause application downtime, degraded user experience, and revenue loss for organizations relying on ASP.NET Core–based web services. Affected services may become unresponsive, triggering incident response costs, customer support burden, and potential reputational damage. Cloud-hosted applications may incur unexpected infrastructure costs as auto-scaling mechanisms react to resource exhaustion. Organizations with minimal redundancy or load-balancing will experience the most severe impact.

Affected systems

Microsoft ASP.NET Core and .NET Framework installations are directly affected. Visual Studio 2026 installations using ASP.NET Core tooling may also be impacted depending on local development configurations. The vulnerability can also manifest on systems running macOS, Linux (including Linux kernel environments), and Windows where ASP.NET Core applications are deployed. Any organization running ASP.NET Core web applications or services should assume exposure unless patched.

Exploitability

This vulnerability has a low barrier to exploitation. No authentication is required, attack complexity is low, and the vulnerability is remotely reachable over a network. However, the vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting active exploitation in the wild has not yet been documented at the time of publication. Organizations should not delay patching on the assumption that no public exploits exist, as proof-of-concept code can emerge rapidly once a vulnerability is disclosed.

Remediation

Apply security updates from Microsoft addressing ASP.NET Core resource-consumption flaws. Organizations should consult Microsoft's official security advisories and patch releases for the specific .NET version and ASP.NET Core version in use. Interim mitigations include deploying rate-limiting middleware, implementing request throttling at the load-balancer or reverse-proxy level, and isolating ASP.NET Core services behind web application firewalls (WAF) configured to detect and block anomalous request patterns. Monitoring for sudden CPU or memory spikes can help detect active exploitation attempts.

Patch guidance

Obtain patches directly from Microsoft's security updates portal and official .NET release notes. Verify patch applicability against your installed ASP.NET Core and .NET versions. Test patches in a staging environment that mirrors production workloads before broad deployment. For organizations running multiple ASP.NET Core applications, coordinate patching to minimize service interruption. Automated dependency scanning (via NuGet or similar package managers) can help identify and flag vulnerable framework versions in your codebase.

Detection guidance

Monitor ASP.NET Core application and system logs for repeated requests from single or distributed sources targeting the same endpoint or parameter. Look for unusual CPU or memory utilization spikes preceding application crashes or hangs. Implement alerting on request rates, payload sizes, and processing times. Web application firewalls should be tuned to detect and log patterns consistent with resource-exhaustion attacks, such as high-volume requests with minimal payload variance. Network-level detection should flag traffic anomalies from sources attempting to overwhelm ASP.NET Core endpoints.

Why prioritize this

This vulnerability warrants urgent patching due to its HIGH CVSS score (7.5), network accessibility, low attack complexity, and complete lack of authentication requirements. The impact is availability—a critical concern for any publicly facing or business-critical service. Although not yet in the KEV catalog, the simplicity of triggering resource exhaustion makes this an attractive target for opportunistic attackers. Organizations should prioritize patching ASP.NET Core systems before other non-critical updates.

Risk score, explained

The CVSS 3.1 score of 7.5 (HIGH) reflects the ease and speed with which an attacker can remotely deny service without authentication. The attack vector is network-based with low complexity (AC:L), meaning no special conditions or tools are needed. The impact to availability is high (A:H), making the service unavailable to legitimate users. Confidentiality and integrity are not compromised, limiting the score from reaching CRITICAL levels. However, the practical business impact—service downtime—justifies treating this as a high-priority issue.

Frequently asked questions

Could an attacker steal data or modify application logic using this vulnerability?

No. CVE-2026-45591 is strictly a denial-of-service flaw affecting availability. It does not enable data exfiltration, authentication bypass, or code injection. An attacker can crash or degrade an ASP.NET Core service but cannot read sensitive information or alter application behavior.

Does this vulnerability require the attacker to have an account or network access inside our organization?

No. The vulnerability is remotely exploitable over a network from an unauthenticated attacker without credentials or internal network access. Any ASP.NET Core service accessible from the internet is at risk.

What is the difference between this vulnerability being on the KEV catalog versus not being on it?

The KEV (Known Exploited Vulnerabilities) catalog tracks vulnerabilities with confirmed active exploitation by threat actors. CVE-2026-45591 is not currently on the KEV catalog, meaning there is no documented evidence of widespread exploitation at this time. However, this does not mean the vulnerability is less dangerous—it simply means defenders have a window of opportunity to patch before adversaries mature and weaponize proof-of-concept exploits.

If we run ASP.NET Core on Linux, are we still vulnerable?

Yes. ASP.NET Core is a cross-platform framework, and the vulnerability affects ASP.NET Core deployments regardless of the underlying operating system. Organizations running ASP.NET Core on Linux, macOS, Windows, or containerized environments must apply patches.

This analysis is based on vendor-supplied CVE data as of the publication and modification dates listed. Actual patch availability, version numbers, and detailed remediation steps must be verified against official Microsoft security advisories and release notes. Organizations should conduct their own risk assessment accounting for their specific ASP.NET Core versions, deployment architecture, and business criticality. This explainer does not constitute professional security advice; consult your internal security team or a qualified security vendor for deployment-specific guidance. Source: NVD (public-domain), retrieved 2026-07-16. Analysis generated by SEC.co (claude-haiku-4-5).