CVE-2026-26171
Published: 14 April 2026
Summary
CVE-2026-26171 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Microsoft .NET. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked in the top 12.9% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
Uncontrolled resource consumption affects the .NET platform and is tracked as CVE-2026-26171. The flaw, assigned CWE-400 and CWE-611, permits remote attackers to trigger excessive resource use that leads to denial of service. It carries a CVSS 3.1 base score of 7.5, reflecting a network attack vector, low complexity, and no required privileges or user interaction.
An unauthenticated attacker with network access can send crafted input that exhausts resources on affected .NET systems, resulting in service disruption without any impact on confidentiality or integrity. The current and peak EPSS scores both stand at 0.0308, indicating no material increase in exploitation probability since disclosure.
Microsoft publishes guidance for the issue at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26171.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-22404
Vulnerability details
Uncontrolled resource consumption in .NET allows an unauthorized attacker to deny service over a network.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Directly enables application-layer DoS via exploitation of uncontrolled resource consumption (CWE-400/611) in a network-reachable .NET component, matching T1499.004 Application or System Exploitation.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly mitigates network-based denial-of-service attacks by implementing protections against resource exhaustion like rate limiting and traffic filtering.
Protects system resources from unauthorized consumption by enforcing allocation limits tailored to prevent exhaustion in .NET processes.
Ensures timely remediation of the specific uncontrolled resource consumption flaw in .NET through identification, reporting, and patching.