Cyber Posture

CVE-2026-23666

Severity: High
Published: 14 April 2026
Modified: 07 May 2026
KEV Added: not listed
Patch: see the MSRC update guide linked below
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0012 (30.0th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-23666 is a high-severity Improper Handling of Exceptional Conditions (CWE-755) vulnerability in Microsoft .NET Framework. Its CVSS base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks at the 30.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: SI-10 (Information Input Validation). Directly requires validation of information inputs to prevent malformed inputs from triggering resource exhaustion or crashes in .NET Framework.

prevent: SC-5 (Denial-of-service Protection). Provides denial-of-service protection specifically against network-based resource exhaustion attacks like those enabled by this improper input validation flaw.

prevent: Ensures timely flaw remediation through patching of the .NET Framework vulnerability as recommended by MSRC to eliminate the improper input validation issue.

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

Direct match to application exploitation causing DoS via malformed network inputs to .NET Framework services.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper input validation in .NET Framework allows an unauthorized attacker to deny service over a network.

Deeper analysis

CVE-2026-23666 is an improper input validation vulnerability in the .NET Framework that enables a denial-of-service condition. Published on 2026-04-14, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-755 (Improper Handling of Exceptional Conditions). The flaw affects the .NET Framework component, allowing malformed inputs to trigger resource exhaustion or crashes.

An unauthorized attacker can exploit this vulnerability remotely over a network with low complexity and no user interaction required. By sending specially crafted inputs to a vulnerable .NET Framework application or service exposed to the network, the attacker can cause high-impact availability disruption, such as service crashes or excessive resource consumption, without affecting confidentiality or integrity.

The Microsoft Security Response Center (MSRC) provides an update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23666, which details the vulnerability, affected versions, and recommended patches or mitigations for remediation.

Details

CWE(s): CWE-755 (Improper Handling of Exceptional Conditions)

Affected Products

Vendor: microsoft
Product: .net framework
Versions: 3.5, 4.6.2, 4.7, 4.7.1, 4.7.2

CVEs Like This One

CVE-2026-20846 (same product: Microsoft Windows 10 1607)
CVE-2026-32071 (same product: Microsoft Windows 10 1607)
CVE-2026-21525 (same product: Microsoft Windows 10 1607)
CVE-2026-20875 (same product: Microsoft Windows 10 1607)
CVE-2025-21351 (same product: Microsoft Windows 10 1607)
CVE-2025-21276 (same product: Microsoft Windows 10 1607)
CVE-2025-21270 (same product: Microsoft Windows 10 1607)
CVE-2025-21230 (same product: Microsoft Windows 10 1607)
CVE-2025-21290 (same product: Microsoft Windows 10 1607)
CVE-2025-21300 (same product: Microsoft Windows 10 1607)
