{"uuid": "ceec749b-fe82-4723-a621-ad3eca67bda1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42899", "type": "seen", "source": "https://gist.github.com/alon710/858f4c780c5ed9bd0f94d013b01935b8", "content": "# CVE-2026-42899: Denial of Service via Infinite Loops in ASP.NET Core Subsystems\n\n> **CVSS Score:** 7.5\n> **Published:** 2026-05-18\n> **Full Report:** https://cvereports.com/reports/CVE-2026-42899\n\n## Summary\nCVE-2026-42899 is a high-severity Denial of Service (DoS) vulnerability in the Microsoft ASP.NET Core framework, characterized by multiple instances of a 'Loop with Unreachable Exit Condition' (CWE-835). An unauthenticated remote attacker can trigger 100% CPU utilization by supplying specially crafted requests that exploit logic errors in request parsing, data protection, minimal APIs, and caching subsystems.\n\n## TL;DR\nUnauthenticated remote Denial of Service in ASP.NET Core due to infinite loops in core subsystems, remediated in .NET 8.0.27, 9.0.16, and 10.0.8.\n\n## Technical Details\n\n- **CWE ID**: CWE-835\n- **Attack Vector**: Network\n- **CVSS v3.1**: 7.5 (High)\n- **EPSS**: 0.00047 (0.05%)\n- **Impact**: High Availability (Denial of Service)\n- **Exploit Status**: None Public\n- **CISA KEV**: Not Listed\n\n## Affected Systems\n\n- ASP.NET Core on .NET 8.0\n- ASP.NET Core on .NET 9.0\n- ASP.NET Core on .NET 10.0\n- **.NET 8.0**: 8.0.0 <= version < 8.0.27 (Fixed in: `8.0.27`)\n- **.NET 9.0**: 9.0.0 <= version < 9.0.16 (Fixed in: `9.0.16`)\n- **.NET 10.0**: 10.0.0 <= version < 10.0.8 (Fixed in: `10.0.8`)\n\n## Mitigation\n\n- Update .NET runtime and SDK to patched versions\n- Update JavaScript dependencies (lodash, serialize-javascript) for Blazor/SPA applications\n- Implement WAF rules to pre-validate and drop malformed API parameters\n- Enforce connection rate limits and strict request timeouts\n\n**Remediation Steps:**\n1. Identify all systems running .NET 8.0, 9.0, or 10.0\n2. Download and install .NET updates 8.0.27, 9.0.16, or 10.0.8\n3. Rebuild self-contained applications with the updated .NET SDK\n4. Update package.json dependencies to lodash >=4.18.0 and serialize-javascript >=7.0.5\n5. Deploy updated application artifacts to production environments\n6. Monitor application worker process CPU utilization to verify vulnerability resolution\n\n## References\n\n- [Microsoft Security Response Center (MSRC) Advisory](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42899)\n- [CVE Org Record for CVE-2026-42899](https://www.cve.org/CVERecord?id=CVE-2026-42899)\n- [GitHub Patch (DataProtection)](https://github.com/dotnet/aspnetcore/commit/c5fa707d1dd8a67dc1392fa9c3561d8d353577e3)\n- [GitHub Patch (RequestDelegateFactory)](https://github.com/dotnet/aspnetcore/commit/31515a42d423dcfe2c646801f8b4a35350705c25)\n- [GitHub Patch (HybridCache)](https://github.com/dotnet/aspnetcore/commit/3ec3980cc353d6b9fff9fb6fef1f655f8d9f2158)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-42899) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-18T20:40:49.000000Z"}