Detections
Analytics
Security Update for Microsoft .NET Core (March 2026)
high Nessus Plugin ID 302122
Synopsis
The remote Windows host is affected by multiple vulnerabilities.Description
The version of tested product installed on the remote host is 8.x prior to 8.0.25, 9.x prior to 9.0.14, or 10.x prior to 10.0.4. It is, therefore, affected by multiple vulnerabilities as referenced in the vendor advisory:- Out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network. (CVE-2026-26127)
- Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network. (CVE-2026-26130)
- Incorrect default permissions in .NET allows an authorized attacker to elevate privileges locally.
(CVE-2026-26131)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update .NET Core, remove vulnerable packages and refer to vendor advisory.See Also
https://github.com/dotnet/announcements/issues/387
http://www.nessus.org/u?6e7ec7fb
https://dotnet.microsoft.com/en-us/download/dotnet/8.0
https://support.microsoft.com/help/5081277
http://www.nessus.org/u?4c9d9431
https://dotnet.microsoft.com/download/dotnet/9.0
https://support.microsoft.com/help/5081278
http://www.nessus.org/u?3f009cbb
Plugin Details
Severity: High
ID: 302122
File Name: smb_nt_ms26_mar_dotnet_core.nasl
Version: 1.2
Type: local
Agent: windows
Family: Windows
Published: 3/13/2026
Updated: 3/13/2026
Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 6.7
CVSS v2
Risk Factor: High
Base Score: 7.2
Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS Score Source: CVE-2026-26131
CVSS v3
Risk Factor: High
Base Score: 7.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Vulnerability Information
CPE: cpe:/a:microsoft:.net_core
Required KB Items: installed_sw/.NET Core Windows
Patch Publication Date: 3/10/2026
Vulnerability Publication Date: 3/10/2026