Microsoft Visual Studio Products (April 2026)

high Nessus Plugin ID 307350

Synopsis

The Microsoft Visual Studio Products are affected by a denial of service vulnerability.

Description

The Microsoft Visual Studio Products are missing a security update.
They are, therefore, affected by a denial of service vulnerability:

- A flaw in Node.js TLS error handling allows remote attackers to crash a TLS server or exhaust its resources when pskCallback or ALPNCallback is in use.
Synchronous exceptions thrown during these callbacks bypass the standard TLS error handling paths (tlsClientError and error), causing either immediate process termination or silent file descriptor leaks that eventually lead to denial of service.
Because these callbacks process attacker-controlled input during the TLS handshake, a remote client can repeatedly trigger the issue. The documented Visual Studio updates incorporate Node.js updates that address this vulnerability.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
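
For Node.js TLS servers that define these callbacks, the wrappers below keep synchronous exceptions from escaping pskCallback or ALPNCallback, as defense in depth alongside the update. This is an added example, not code from Tenable, Microsoft or Node.js; the helper names, the identity length limit and the sample key store are assumptions.

```javascript
// Added example: guards for the ALPNCallback and pskCallback options of
// tls.createServer(). Helper names and the identity limit are assumptions.
const MAX_IDENTITY_LEN = 128; // assumed upper bound for PSK identities
const stats = { alpnRejected: 0, pskRejected: 0 }; // export to monitoring

// A throw or an invalid result rejects the handshake (undefined makes Node
// send a fatal alert) and never leaves the callback as an exception.
function guardAlpn(select) {
  return ({ servername, protocols }) => {
    try {
      const offered = Array.isArray(protocols) ? protocols : [];
      const choice = select({ servername, protocols: offered });
      // Node requires the result to be one of the client's offered protocols.
      if (typeof choice === 'string' && offered.includes(choice)) return choice;
    } catch (err) {
      // fall through: counted as a rejection below
    }
    stats.alpnRejected += 1;
    return undefined;
  };
}

// Malformed identities, lookup errors and non-buffer results all stop the
// PSK negotiation (null) without throwing.
function guardPsk(lookup) {
  return (socket, identity) => {
    try {
      if (typeof identity === 'string' && identity.length > 0 &&
          identity.length <= MAX_IDENTITY_LEN) {
        const key = lookup(identity);
        if (ArrayBuffer.isView(key) && key.byteLength > 0) return key;
      }
    } catch (err) {
      // fall through: counted as a rejection below
    }
    stats.pskRejected += 1;
    return null;
  };
}

// Constructed sample callbacks that throw on input they did not expect.
const keys = new Map([['device-01', Uint8Array.from([1, 2, 3, 4])]]);
const strictLookup = (id) => {
  if (!keys.has(id)) throw new Error('unknown identity');
  return keys.get(id);
};
const preferH2 = ({ protocols }) =>
  protocols.filter((p) => p === 'h2' || p === 'http/1.1')[0].trim();

// Usage: tls.createServer({ ALPNCallback: guardAlpn(preferH2),
//                           pskCallback: guardPsk(strictLookup), ... })
```

A rising `alpnRejected` or `pskRejected` count from a single peer is a useful signal that the handshake callbacks are being probed.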

Solution

Microsoft has released the following security updates to address this issue:
- Update to 16.11.55 for Visual Studio 2019 16.11
- Update to 17.12.19 for Visual Studio 2022 17.12
- Update to 17.14.30 for Visual Studio 2022 17.14

See Also

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21637

https://learn.microsoft.com/en-us/visualstudio/releases/2019/history

http://www.nessus.org/u?f0f0c75d

Plugin Details

Severity: High

ID: 307350

File Name: smb_nt_ms26_apr_visual_studio_1.nasl

Version: 1.1

Type: Local

Agent: windows

Published: 4/17/2026

Updated: 4/17/2026

Supported Sensors: Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: High

Base Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2026-21637

CVSS v3

Risk Factor: High

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Vulnerability Information

CPE: cpe:/a:microsoft:visual_studio

Required KB Items: SMB/MS_Bulletin_Checks/Possible, SMB/Registry/Enumerated, installed_sw/Microsoft Visual Studio

Patch Publication Date: 4/1/2026

Vulnerability Publication Date: 4/1/2026

Reference Information

CVE: CVE-2026-21637

IAVA: 2026-A-0347