CVE-2026-33116
Published: 14 April 2026
Summary
CVE-2026-33116 is a high-severity Improper Input Validation (CWE-20) vulnerability in Microsoft .Net Framework. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 7.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-33116 is an infinite loop vulnerability, also described under CWE-835, CWE-400, and CWE-20, that affects .NET, .NET Framework, and Visual Studio. The flaw permits an attacker to trigger a loop with an unreachable exit condition, resulting in a denial-of-service condition. It carries a CVSS 3.1 base score of 7.5 reflecting network attack vector, low complexity, and no required privileges or user interaction, with high impact on availability and no impact on confidentiality or integrity.
An unauthenticated remote attacker can exploit the issue over a network to cause the affected .NET components or Visual Studio instances to become unresponsive, thereby denying service to legitimate users or processes. The attack requires no authentication or user interaction and can be launched solely by sending crafted network traffic that induces the unreachable loop.
Microsoft publishes mitigation guidance and patch information for this vulnerability through its Security Response Center at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33116. The current EPSS score of 0.0801 with a recorded peak of 0.0918 indicates modest and stable exploitation interest since disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-22635
Vulnerability details
Loop with unreachable exit condition ('infinite loop') in .NET, .NET Framework, Visual Studio allows an unauthorized attacker to deny service over a network.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated network exploitation of the infinite loop (via input validation flaw) directly enables denial-of-service against affected .NET services, mapping to T1190 for public-facing applications and T1499.004 for application/system exploitation causing crash or unresponsiveness.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Timely flaw remediation through application of Microsoft patches directly eliminates the infinite loop vulnerability in .NET, .NET Framework, and Visual Studio.
Denial-of-service protection mechanisms such as rate limiting and traffic filtering prevent remote attackers from triggering the resource-consuming infinite loop over the network.
Information input validation checks network inputs for validity, mitigating exploitation of the improper input handling that leads to the unreachable exit condition.