CVE-2026-33116

High

Published: 14 April 2026

Published

14 April 2026

Modified

06 May 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0126 79.6th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-33116 is a high-severity Improper Input Validation (CWE-20) vulnerability in Microsoft .Net Framework. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 20.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Timely flaw remediation through application of Microsoft patches directly eliminates the infinite loop vulnerability in .NET, .NET Framework, and Visual Studio.

SC-5 Denial-of-service Protection good match

prevent

Denial-of-service protection mechanisms such as rate limiting and traffic filtering prevent remote attackers from triggering the resource-consuming infinite loop over the network.

SI-10 Information Input Validation partial match

prevent

Information input validation checks network inputs for validity, mitigating exploitation of the improper input handling that leads to the unreachable exit condition.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Remote unauthenticated network exploitation of the infinite loop (via input validation flaw) directly enables denial-of-service against affected .NET services, mapping to T1190 for public-facing applications and T1499.004 for application/system exploitation causing crash or unresponsiveness.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Loop with unreachable exit condition ('infinite loop') in .NET, .NET Framework, Visual Studio allows an unauthorized attacker to deny service over a network.

Deeper analysisAI

CVE-2026-33116 is a vulnerability classified as a loop with an unreachable exit condition, resulting in an infinite loop, affecting .NET, .NET Framework, and Visual Studio. Published on 2026-04-14, it is associated with CWEs CWE-20 (Improper Input Validation), CWE-400 (Uncontrolled Resource Consumption), and CWE-835 (Loop with Unreachable Exit Condition). The issue enables an unauthorized attacker to deny service over a network, with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity due to its impact on availability.

An unauthorized attacker can exploit this vulnerability remotely over the network with low complexity, requiring no privileges, authentication, or user interaction. Exploitation triggers the infinite loop, leading to denial of service by consuming resources and potentially causing affected components to hang or crash, without impacting confidentiality or integrity.

Microsoft's Security Response Center update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33116 provides details on patches and mitigation steps for this vulnerability.

Details

CWE(s): CWE-20 CWE-400 CWE-835

Affected Products

microsoft

.net

10.0.0 — 10.0.6 · 8.0.0 — 8.0.26 · 9.0.0 — 9.0.15

microsoft

.net framework

3.5, 4.6.2, 4.7, 4.7.1, 4.7.2

CVEs Like This One

CVE-2025-21176Same product: Apple Macos

CVE-2026-26171Same product: Apple Macos

CVE-2025-21230Same product: Microsoft Windows 10 1607

CVE-2026-32203Same product: Apple Macos

CVE-2026-23666Same product: Microsoft .Net Framework

CVE-2025-21277Same product: Microsoft Windows 10 1607

CVE-2026-20856Same product: Microsoft Windows 10 1607

CVE-2026-26127Same product: Apple Macos

CVE-2025-21290Same product: Microsoft Windows 10 1607

CVE-2025-21289Same product: Microsoft Windows 10 1607

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33116
Vendor Advisory · secure@microsoft.com