Cyber Resilience

CVE-2026-26127

High

Published: 10 March 2026

Published
10 March 2026
Modified
01 April 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0010 27.2th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-26127 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Microsoft .Net. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 27.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-26127 is an out-of-bounds read vulnerability (CWE-125) affecting the .NET framework. Published on March 10, 2026, it enables an unauthorized attacker to cause a denial of service over a network. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to its impact on availability.

An unauthenticated attacker can exploit this flaw remotely with low complexity and no user interaction required. By triggering the out-of-bounds read, the attacker can crash .NET processes, leading to denial of service on affected systems hosting .NET applications.

Microsoft's Security Response Center provides mitigation guidance in its update advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26127, recommending the application of available patches to .NET installations.

EU & UK References

Vulnerability details

Out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Out-of-bounds read in .NET enables remote unauthenticated crash of processes (C:N/I:N/A:H), directly matching application/system exploitation for endpoint DoS.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-42899Same product: Apple Macos
CVE-2026-26171Same product: Apple Macos
CVE-2026-32203Same product: Apple Macos
CVE-2026-4462Same product: Apple Macos
CVE-2026-4460Same product: Apple Macos
CVE-2026-3916Same product: Apple Macos
CVE-2026-6308Same product: Apple Macos
CVE-2026-9953Same product: Apple Macos
CVE-2026-4674Same product: Apple Macos
CVE-2026-3926Same product: Apple Macos

Affected Assets

microsoft
.net
10.0.0 — 10.0.4 · 9.0.0 — 9.0.14
microsoft
bcl.memory
9.0.0 — 9.0.14 · 10.0.0 — 10.0.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

SI-2 mandates timely identification, reporting, and correction of flaws like this .NET out-of-bounds read vulnerability through patching as recommended by Microsoft.

prevent

SC-5 directly protects against or limits the effects of network-based denial-of-service attacks that crash .NET processes via out-of-bounds reads.

prevent

SI-16 implements memory protections such as DEP and sandboxing that can mitigate exploitation of out-of-bounds read vulnerabilities in .NET.

References