Cyber Resilience

CVE-2026-32933

Tags: High · Public PoC · DoS

Published: 20 March 2026
Modified: 08 April 2026
KEV Added: not listed in CISA KEV
Patch: fixed in 15.1.1 and 16.1.1
CVSS Score (v3.1): 7.5 · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score: 0.0003 (8.1th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-32933 is a high-severity Uncontrolled Recursion (CWE-674) vulnerability in AutoMapper (vendor listed as luckypennysoftware), an object-object mapper for .NET. Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). EPSS ranks it at the 8.1th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-32933 is a denial-of-service (DoS) vulnerability in AutoMapper, a convention-based object-object mapper library for .NET applications. Versions prior to 15.1.1 and 16.1.1 are affected due to recursive method calls used when mapping deeply nested object graphs, without a default maximum depth limit. This flaw, classified under CWE-674 (Uncontrolled Recursion), has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact with no confidentiality or integrity effects.

The vulnerability can be exploited by any unauthenticated attacker with network access to an application that turns untrusted input into an object graph and passes it through AutoMapper's mapping functions. By supplying a specially crafted object graph with excessive nesting depth, the attacker drives the mapper into unbounded recursion: each nesting level consumes a stack frame, so a sufficiently deep graph exhausts the thread's stack and raises a StackOverflowException. .NET does not allow that exception to be caught, so the entire application process terminates rather than just the offending request, resulting in a DoS condition. Reachability therefore depends on how the application materializes nested input into objects before mapping; a request deserializer with its own depth limit narrows the surface, while code paths that build deep graphs without such a limit leave it open.

Mitigation is available via updated versions 15.1.1 and 16.1.1 of AutoMapper, which address the issue by enforcing a default recursion depth limit. The AutoMapper security advisory (GHSA-rvv3-g6hj-g44x) and related GitHub releases detail the fix, including the patching commit (0afaf1e91648fca1a57512e94dd00a76ee016816). Security practitioners should upgrade affected applications promptly and, as defense in depth, validate the depth of untrusted object graphs before handing them to mapping operations.


Vulnerability details

AutoMapper is a convention-based object-object mapper in .NET. Versions prior to 15.1.1 and 16.1.1 are vulnerable to a Denial of Service (DoS) attack. When mapping deeply nested object graphs, the library uses recursive method calls without enforcing a default maximum depth limit. This allows an attacker to provide a specially crafted object graph that exhausts the thread's stack memory, triggering a `StackOverflowException` and causing the entire application process to terminate. Versions 15.1.1 and 16.1.1 fix the issue.
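The mechanism described in the deeper analysis and in the vulnerability details above, as an added C# illustration that is not AutoMapper's code and not part of the original page: a recursive mapper with no depth limit (the CWE-674 shape), the same mapper made to fail closed with a catchable exception, and an iterative depth guard that can sit in front of any mapper. The `Node`/`NodeDto` types, the helper names, the limit of 64 and the constructed chain lengths are assumptions chosen for the example; it targets .NET 6 or later and uses no third-party package.

```csharp
// Added illustration of the CWE-674 pattern behind CVE-2026-32933 and two
// defenses. Not AutoMapper's code: Node/NodeDto, the mapper functions, the
// limit of 64 and the chain lengths are assumptions for this example.
using System;
using System.Collections.Generic;

public sealed class Node
{
    public string Name { get; set; } = "";
    public Node? Child { get; set; }
}

public sealed class NodeDto
{
    public string Name { get; set; } = "";
    public NodeDto? Child { get; set; }
}

public static class GraphMapping
{
    // Vulnerable shape: one stack frame per nesting level and no limit.
    // On a deep enough chain this ends in StackOverflowException, which .NET
    // cannot catch; the whole process is torn down (the DoS described above).
    public static NodeDto MapUnbounded(Node src)
    {
        return new NodeDto
        {
            Name = src.Name,
            Child = src.Child is null ? null : MapUnbounded(src.Child),
        };
    }

    // Hardened shape: the recursion carries its depth and fails closed with an
    // ordinary exception the caller can catch, so one bad request fails
    // instead of the whole process.
    public static NodeDto MapBounded(Node src, int maxDepth = 64)
    {
        return MapBounded(src, maxDepth, 0);
    }

    private static NodeDto MapBounded(Node src, int maxDepth, int depth)
    {
        if (depth > maxDepth)
            throw new InvalidOperationException(
                $"object graph deeper than {maxDepth}; refusing to map");
        return new NodeDto
        {
            Name = src.Name,
            Child = src.Child is null ? null : MapBounded(src.Child, maxDepth, depth + 1),
        };
    }

    // Input guard for use in front of any mapper: walks the graph iteratively
    // (so the guard itself cannot overflow) and stops at the limit, so a cycle
    // and a very long chain are both rejected after at most maxDepth+1 steps.
    public static bool IsWithinDepth(Node? root, int maxDepth)
    {
        var seen = new HashSet<Node>(ReferenceEqualityComparer.Instance);
        int depth = 0;
        for (var n = root; n is not null; n = n.Child)
        {
            if (!seen.Add(n) || depth > maxDepth) return false; // cycle or too deep
            depth++;
        }
        return true;
    }

    // Builds an N-node chain without recursion: the kind of payload an
    // attacker-controlled request body would materialize. Constructed input.
    public static Node BuildChain(int length)
    {
        Node? head = null;
        for (int i = length - 1; i >= 0; i--)
            head = new Node { Name = $"n{i}", Child = head };
        return head!;
    }
}

public static class Program
{
    public static void Main()
    {
        var shallow = GraphMapping.BuildChain(10);
        var deep = GraphMapping.BuildChain(200_000);

        Console.WriteLine(GraphMapping.IsWithinDepth(shallow, 64)); // True
        Console.WriteLine(GraphMapping.IsWithinDepth(deep, 64));    // False

        // MapUnbounded(deep) is deliberately not called: it would end this
        // process with an uncatchable StackOverflowException.
        try
        {
            GraphMapping.MapBounded(deep, 64);
        }
        catch (InvalidOperationException ex)
        {
            Console.WriteLine($"rejected: {ex.Message}");
        }
    }
}
```

Run it as a console app. The unbounded mapper is intentionally never invoked on the deep chain, because a StackOverflowException cannot be caught in .NET and would kill the process, which is exactly the outcome the CVE describes. In AutoMapper itself the per-map equivalent of the bounded mapper is the `MaxDepth()` option on a `CreateMap<,>()` mapping expression, and the patched releases apply a default limit, so upgrading remains the primary fix; the guard is defense in depth for the window before the upgrade lands. Where the graph arrives as JSON, the deserializer's own depth limit (System.Text.Json defaults to 64) is the first line of defense, so the exposed paths are those that build deep graphs without such a limit.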

CWE(s)

CWE-674 Uncontrolled Recursion

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE enables remote exploitation of a .NET application via untrusted input to AutoMapper, triggering uncontrolled recursion (CWE-674) that crashes the process with a StackOverflowException. This directly matches Endpoint Denial of Service (T1499) via its sub-technique Application or System Exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-34211 (shared CWE-674)
CVE-2026-39376 (shared CWE-674)
CVE-2026-32141 (shared CWE-674)
CVE-2026-44289 (shared CWE-674)
CVE-2026-32944 (shared CWE-674)
CVE-2025-70957 (shared CWE-674)
CVE-2024-8176 (shared CWE-674)
CVE-2026-33498 (shared CWE-674)
CVE-2026-42039 (shared CWE-674)
CVE-2026-6479 (shared CWE-674)

Affected Assets

Vendor: luckypennysoftware
Product: automapper
Affected versions: before 15.1.1; 16.0.0 up to but not including 16.1.1 (15.1.1 and 16.1.1 are the fixed releases)

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

SI-2 Flaw Remediation (prevent)

Directly mitigates the vulnerability by requiring timely patching of AutoMapper to versions 15.1.1 or 16.1.1, which enforce recursion depth limits and so prevent the stack-overflow DoS.

SC-5 Denial-of-service Protection (prevent)

Protects system resources, including thread stack memory, from denial-of-service attacks caused by unbounded recursion over deeply nested object graphs.

Input validation (prevent)

Validates and sanitizes untrusted inputs before AutoMapper processes them, blocking or limiting deeply nested object graphs that would trigger uncontrolled recursion.
