CVE-2026-26127
Published: 10 March 2026
Summary
CVE-2026-26127 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Microsoft .Net. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 27.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-26127 is an out-of-bounds read vulnerability (CWE-125) affecting the .NET framework. Published on March 10, 2026, it enables an unauthorized attacker to cause a denial of service over a network. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to its impact on availability.
An unauthenticated attacker can exploit this flaw remotely with low complexity and no user interaction required. By triggering the out-of-bounds read, the attacker can crash .NET processes, leading to denial of service on affected systems hosting .NET applications.
Microsoft's Security Response Center provides mitigation guidance in its update advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26127, recommending the application of available patches to .NET installations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-10691
Vulnerability details
Out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Out-of-bounds read in .NET enables remote unauthenticated crash of processes (C:N/I:N/A:H), directly matching application/system exploitation for endpoint DoS.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
SI-2 mandates timely identification, reporting, and correction of flaws like this .NET out-of-bounds read vulnerability through patching as recommended by Microsoft.
SC-5 directly protects against or limits the effects of network-based denial-of-service attacks that crash .NET processes via out-of-bounds reads.
SI-16 implements memory protections such as DEP and sandboxing that can mitigate exploitation of out-of-bounds read vulnerabilities in .NET.