Security Update for Microsoft .NET Core (July 2026)

high Nessus Plugin ID 326863

Synopsis

The Microsoft .NET Core installations on the remote host are affected by multiple vulnerabilities.

Description

The Microsoft .NET Core installations on the remote host are missing a security update. It is, therefore, affected by multiple vulnerabilities as referenced in the vendor advisory.

- Allocation of resources without limits or throttling in .NET allows an unauthorized attacker to deny service over a network. (CVE-2026-47302, CVE-2026-50525, CVE-2026-50651)

- Improper verification of cryptographic signature in .NET allows an unauthorized attacker to bypass a security feature over a network. (CVE-2026-47304)

- Improper validation of specified type of input in .NET Framework allows an unauthorized attacker to deny service over a network. (CVE-2026-50524)

- Improper link resolution before file access ('link following') in .NET allows an authorized attacker to perform tampering locally. (CVE-2026-50526)

- Stack-based buffer overflow in .NET Framework allows an unauthorized attacker to deny service over a network. (CVE-2026-50527)

- Incorrect authorization in .NET allows an unauthorized attacker to bypass a security feature over a network. (CVE-2026-50528)

- Protection mechanism failure in .NET Framework allows an unauthorized attacker to execute code locally.
(CVE-2026-50646)

- Allocation of resources without limits or throttling in .NET Framework allows an unauthorized attacker to deny service over a network. (CVE-2026-50648)

- Deserialization of untrusted data in .NET allows an unauthorized attacker to execute code locally.
(CVE-2026-50649)

- Improper control of generation of code ('code injection') in .NET Framework allows an unauthorized attacker to elevate privileges locally. (CVE-2026-50650)

- Improper encoding or escaping of output in .NET allows an authorized attacker to perform spoofing over a network. (CVE-2026-50659)

- Access of resource using incompatible type ('type confusion') in .NET Core allows an unauthorized attacker to deny service over a network. (CVE-2026-57108)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update .NET Core, remove vulnerable packages and refer to vendor advisory.

See Also

https://dotnet.microsoft.com/en-us/download/dotnet/10.0

https://dotnet.microsoft.com/en-us/download/dotnet/8.0

https://dotnet.microsoft.com/en-us/download/dotnet/9.0

https://github.com/dotnet/announcements/issues/408

https://github.com/dotnet/announcements/issues/410

https://github.com/dotnet/announcements/issues/412

https://github.com/dotnet/announcements/issues/413

https://github.com/dotnet/announcements/issues/414

https://github.com/dotnet/announcements/issues/415

https://github.com/dotnet/announcements/issues/416

https://github.com/dotnet/announcements/issues/417

https://github.com/dotnet/announcements/issues/418

https://github.com/dotnet/announcements/issues/419

https://github.com/dotnet/announcements/issues/420

https://github.com/dotnet/announcements/issues/421

https://github.com/dotnet/announcements/issues/422

https://github.com/dotnet/announcements/issues/423

https://support.microsoft.com/kb/5104032

https://support.microsoft.com/kb/5104033

https://support.microsoft.com/kb/5104034

http://www.nessus.org/u?666098d4

http://www.nessus.org/u?d1fdace6

http://www.nessus.org/u?f2dfe152

Plugin Details

Severity: High

ID: 326863

File Name: smb_nt_ms26_jul_dotnet_core.nasl

Version: 1.1

Type: Local

Agent: windows

Family: Windows

Published: 7/14/2026

Updated: 7/14/2026

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Tenable Cloud Security, Tenable Self-Hosted Container Security, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 58.11

CVSS v3

Risk Factor: High

Base Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

Vulnerability Information

CPE: cpe:/a:microsoft:.net_core

Required KB Items: installed_sw/.NET Core Windows

Patch Publication Date: 7/14/2026

Vulnerability Publication Date: 7/14/2026

Reference Information

CVE: CVE-2026-47302, CVE-2026-47304, CVE-2026-50524, CVE-2026-50525, CVE-2026-50527, CVE-2026-50528, CVE-2026-50646, CVE-2026-50648, CVE-2026-50649, CVE-2026-50650, CVE-2026-50651, CVE-2026-50659, CVE-2026-57108