{"uuid": "d0ba6592-131e-40d9-b83a-942de007e73a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-32175", "type": "seen", "source": "https://gist.github.com/alon710/261ffaf79cb2412380434d62f37902b8", "content": "# CVE-2026-32175: Absolute Path Traversal and Arbitrary File Write in .NET Core Archive Extraction\n\n> **CVSS Score:** 7.5\n> **Published:** 2026-05-12\n> **Full Report:** https://cvereports.com/reports/CVE-2026-32175\n\n## Summary\nCVE-2026-32175 is a high-severity tampering vulnerability affecting .NET Core versions 8.0, 9.0, and 10.0 on Windows platforms. The vulnerability stems from an Absolute Path Traversal (CWE-36) flaw in the extraction mechanisms handling NuGet packages and application bundles. An unauthenticated remote attacker can exploit this weakness by providing a specially crafted archive file. The extraction logic fails to sanitize archive entry names containing absolute paths, leading to arbitrary file writes on the host system. Successful exploitation allows the attacker to compromise application integrity by overwriting critical system files or planting malicious executables.\n\n## TL;DR\nA path traversal vulnerability in .NET Core's archive extraction logic allows unauthenticated attackers to write arbitrary files to the filesystem by crafting malicious NuGet packages or application bundles.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-36\n- **Attack Vector**: Network\n- **CVSS Score**: 7.5 (High)\n- **Impact**: High Integrity (Arbitrary File Write)\n- **Exploit Status**: Proof of Concept\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- Windows x86\n- Windows x64\n- Windows ARM\n- Windows ARM64\n- CI/CD Environments executing vulnerable .NET SDKs\n- **.NET 10.0**: 10.0.0 to 10.0.7 (Fixed in: `10.0.8`)\n- **.NET 9.0**: 9.0.0 to 9.0.15 (Fixed in: `9.0.16`)\n- **.NET 8.0**: 8.0.0 to 8.0.26 (Fixed in: `8.0.27`)\n- **Visual Studio 2026 (v18.5)**: < 18.5.3 (Fixed in: `18.5.3`)\n- **Visual Studio 2022 (v17.14)**: < 17.14.31 (Fixed in: `17.14.31`)\n\n## Mitigation\n\n- Update .NET SDK and Runtimes to the latest available servicing releases.\n- Update all instances of Visual Studio to integrate the patched SDK versions.\n- Implement strict package source mapping to restrict dependency resolution to trusted registries.\n- Recompile and redeploy all existing self-contained applications built with affected .NET versions.\n\n**Remediation Steps:**\n1. Identify all systems running .NET 8.0, 9.0, or 10.0 using inventory management tools.\n2. Execute `dotnet --info` on hosts to determine the current active runtime versions.\n3. Deploy .NET versions 10.0.8, 9.0.16, or 8.0.27 to the affected systems.\n4. Trigger rebuild pipelines for self-contained applications ensuring the CI/CD runners possess the updated SDK.\n5. Validate the patch deployment by re-running the version verification commands.\n\n## References\n\n- [Microsoft Security Response Center Advisory](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32175)\n- [.NET GitHub Announcements](https://github.com/dotnet/announcements/issues/396)\n- [GitHub Security Advisory (GHSA)](https://github.com/dotnet/runtime/security/advisories/GHSA-rg75-q538-x34v)\n- [OSV Entry for GHSA-rg75-q538-x34v](https://osv.dev/vulnerability/GHSA-rg75-q538-x34v)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-32175) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-20T11:20:50.000000Z"}