Microsoft ASP.NET Core DoS (March 2026)

Severity: High, Nessus Plugin ID 301994

Synopsis

The remote Windows host is affected by a denial of service vulnerability.

Description

The version of ASP.NET Core installed on the remote Windows host is 8.0.x prior to 8.0.25, 9.0.x prior to 9.0.14, or 10.0.x prior to 10.0.4. It is, therefore, affected by a denial of service vulnerability. A specially crafted message to a SignalR server can cause uncontrolled resource consumption, exhausting an internal buffer and leading to denial of service.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update ASP.NET Core to version 8.0.25, 9.0.14, 10.0.4 or later.

See Also

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26130

https://github.com/dotnet/aspnetcore/issues/65727

http://www.nessus.org/u?5492958f

http://www.nessus.org/u?83dd3f59

http://www.nessus.org/u?2e94e4fc

https://support.microsoft.com/en-us/help/5081278

https://support.microsoft.com/en-us/help/5081277

https://support.microsoft.com/en-us/help/5081276

Plugin Details

Severity: High

ID: 301994

File Name: smb_nt_ms26_mar_aspdotnet_core.nasl

Version: 1.1

Type: local

Agent: windows

Published: 3/12/2026

Updated: 3/12/2026

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: High

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2026-26130

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vulnerability Information

CPE: cpe:/a:microsoft:asp.net_core

Required KB Items: SMB/Registry/Enumerated, installed_sw/ASP .NET Core Windows

Patch Publication Date: 3/10/2026

Vulnerability Publication Date: 3/10/2026

Reference Information

CVE: CVE-2026-26130

IAVA: 2026-A-0225

MSFT: MS26-5081276, MS26-5081277, MS26-5081278

MSKB: 5081276, 5081277, 5081278