Cyber Resilience

CVE-2026-23666

Severity: High
Published: 14 April 2026
Modified: 07 May 2026
CVSS v3.1 base score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS score: 0.0013 (32.0th percentile)
Risk priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-23666 is a high-severity Improper Handling of Exceptional Conditions (CWE-755) vulnerability in the Microsoft .NET Framework. Its CVSS base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). EPSS ranks it at the 32.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-Service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-23666 is an improper input validation vulnerability in the .NET Framework that enables a denial-of-service condition. Published on 2026-04-14, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-755 (Improper Handling of Exceptional Conditions). The flaw affects the .NET Framework component, allowing malformed inputs to trigger resource exhaustion or crashes.

An unauthorized attacker can exploit this vulnerability remotely over a network with low attack complexity and no user interaction. By sending specially crafted input to a vulnerable .NET Framework application or service exposed to the network, the attacker can cause a high-impact availability disruption, such as a service crash or excessive resource consumption, with no effect on confidentiality or integrity.

The Microsoft Security Response Center (MSRC) provides an update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23666, which details the vulnerability, affected versions, and recommended patches or mitigations for remediation.

Vulnerability details

Improper input validation in .NET Framework allows an unauthorized attacker to deny service over a network.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Direct match to application exploitation causing DoS via malformed network inputs to .NET Framework services.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-40401 (same product: Microsoft Windows 10 1607)
CVE-2026-40413 (same product: Microsoft Windows 10 1607)
CVE-2026-40414 (same product: Microsoft Windows 10 1607)
CVE-2026-35424 (same product: Microsoft Windows 10 1607)
CVE-2026-32071 (same product: Microsoft Windows 10 1607)
CVE-2026-20846 (same product: Microsoft Windows 10 1607)
CVE-2026-21525 (same product: Microsoft Windows 10 1607)
CVE-2026-20875 (same product: Microsoft Windows 10 1607)
CVE-2025-21351 (same product: Microsoft Windows 10 1607)
CVE-2025-21389 (same product: Microsoft Windows 10 1607)

Affected Assets

Vendor: Microsoft
Product: .NET Framework
Affected versions: 3.5, 4.6.2, 4.7, 4.7.1, 4.7.2

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation of information inputs to prevent malformed inputs from triggering resource exhaustion or crashes in .NET Framework.

SC-5 Denial-of-Service Protection (prevent): Provides denial-of-service protection specifically against network-based resource exhaustion attacks like those enabled by this improper input validation flaw.

SI-2 Flaw Remediation (prevent): Ensures timely flaw remediation through patching of the .NET Framework vulnerability as recommended by MSRC to eliminate the improper input validation issue.