CVE-2026-26130
Published: 10 March 2026
Summary
CVE-2026-26130 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Microsoft ASP.NET Core. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 12.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SC-5 directly implements denial-of-service protections such as throttling and rate limiting to prevent unauthorized network attackers from causing resource exhaustion as exploited in this CVE.
SC-6 enforces limits on resource allocation to processes or users, directly addressing the unbounded resource allocation without limits or throttling in ASP.NET Core.
SI-2 ensures timely remediation of identified flaws like this CVE through patching, as guided by Microsoft's update, preventing exploitation of the resource allocation vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes a remotely exploitable resource exhaustion flaw (CWE-770) in ASP.NET Core that enables network-based denial of service. It maps directly to exploitation of public-facing applications (T1190) and to application/system exploitation for endpoint DoS (T1499.004).
NVD Description
Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network.
Deeper analysis
CVE-2026-26130 is a vulnerability in ASP.NET Core that involves allocation of resources without limits or throttling, enabling an unauthorized attacker to deny service over a network. Classified under CWE-770, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and was published on 2026-03-10T18:18:42.223.
The vulnerability can be exploited by any unauthorized remote attacker with network access, requiring low complexity and no privileges or user interaction. Successful exploitation triggers excessive resource consumption, resulting in high-impact denial of service that disrupts availability without affecting confidentiality or integrity.
Microsoft provides guidance on mitigation through its Security Response Center update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26130.
Details
- CWE(s)