Planned Fix

CVE-2026-23666

Microsoft .NET Framework Pre-Auth DoS

Summary

A race condition in Microsoft .NET Framework lets an unauthenticated remote attacker trigger a denial of service in affected applications. By sending crafted network traffic that hits the vulnerable concurrent-execution code path, the attacker can crash or hang the service. The result is service unavailability rather than code execution or data theft.

Why Planned Fix?

3/6
No authentication required
Mixed internet / internal deployment
No user interaction needed
Not exploitable in default configuration
No active exploitation or PoC
Not a high impact vulnerability

Exploitation Details

Type: DoS (Denial of Service)
Is exploitable with default configuration? No
Is authentication needed? No
PoC / Exploit: No
Impact

Crash or hang the affected application or service, making it unavailable.

Denial of Service
Exploitation Requirements
  • Affected .NET Framework code path used by the application
Exploitation Process

An attacker sends crafted network requests to a .NET Framework application or service that reaches the vulnerable concurrent-execution path. The malformed timing or request pattern triggers improper synchronization around a shared resource, causing the application to fail. Success is seen as the service becoming unresponsive, crashing, or otherwise unavailable.

Detection Resources
Manual Detection: 0
Script Detection: 0
Scanner Detection: 1

Affected Software

Vendor: Microsoft
Product: Microsoft .NET Framework
Affected Versions: 3.0, 4.6.2, 4.7, 4.7.1, 4.7.2, 4.8, 4.8.1
Description

Microsoft .NET Framework is a Windows application runtime and class library platform used to build and run managed desktop, server, and web applications.

Deployment: Mixed (internet/internal) | Protocol: HTTP | Ports: 80, 443
Affected Component: Core runtime concurrency and exception-handling logic used by .NET Framework applications.

Vendor Size: Big
Remediation
Workaround

Not available

Patch

Not available

Update
Apply the April 14, 2026 .NET Framework cumulative update for your Windows release; Microsoft shipped the fix through the monthly servicing updates for supported .NET Framework versions.

learn.microsoft.com
Threat Intelligence
EPSS Score: 0.1%

Probability of exploitation in the next 30 days

EPSS Percentile: 25%

Worse than 25% of all CVEs

CISA KEV: Not Listed
Active Exploitation: No Evidence
Threat Actors

No known threat actors

Detection Rules

No detection rules available

NVD Data

Description Summary

Concurrent execution using shared resource with improper synchronization ('race condition') in .NET Framework allows an unauthorized attacker to deny service over a network.

CVSS Base Score

7.5 (High)

CVSS Vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High
CWE: CWE-755 Improper Handling of Exceptional Conditions

Priority History

Planned Fix

Initial analysis