PatchSiren cyber security CVE debrief
CVE-2026-45591 Microsoft CVE debrief
CVE-2026-45591 is a high-severity vulnerability in ASP.NET Core that allows an unauthorized attacker to deny service over a network. The vulnerability is caused by uncontrolled resource consumption and has a CVSS score of 7.5. Affected products include ASP.NET Core 8.0.0 to 8.0.28, 9.0.0 to 9.0.17, and 10.0.0 to 10.0.9, as well as .NET 8.0.0 to 8.0.28, 9.0.0 to 9.0.17, and 10.0.0 to 10.0.9, and Visual Studio 2026 18.6.0 to 18.6.3. The vulnerability's operational impact could be significant, and defenders should review and apply patches or mitigations. Limited source information is available, and additional verification tasks are recommended.
- Vendor
- Microsoft
- Product
- .NET 10.0
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-09
- Original CVE updated
- 2026-06-30
- Advisory published
- 2026-06-09
- Advisory updated
- 2026-06-30
Who should care
Users of ASP.NET Core 8.0.0 to 8.0.28, 9.0.0 to 9.0.17, and 10.0.0 to 10.0.9, as well as .NET 8.0.0 to 8.0.28, 9.0.0 to 9.0.17, and 10.0.0 to 10.0.9, and Visual Studio 2026 18.6.0 to 18.6.3 should review and apply patches or mitigations. Operators, platform administrators, vulnerability management teams, and security teams should be aware of the potential impact and take necessary actions.
Technical summary
CVE-2026-45591 is a high-severity vulnerability in ASP.NET Core that allows an unauthorized attacker to deny service over a network. The vulnerability is caused by uncontrolled resource consumption and has a CVSS score of 7.5. Affected products include ASP.NET Core 8.0.0 to 8.0.28, 9.0.0 to 9.0.17, and 10.0.0 to 10.0.9, as well as .NET 8.0.0 to 8.0.28, 9.0.0 to 9.0.17, and 10.0.0 to 10.0.9, and Visual Studio 2026 18.6.0 to 18.6.3. The vulnerability's technical framing is related to resource consumption, and defenders should focus on patching or mitigating this vulnerability.
Defensive priority
High priority should be given to patching or mitigating this vulnerability, as it allows for denial of service attacks.
Recommended defensive actions
- Apply patches or updates for ASP.NET Core 8.0.0 to 8.0.28, 9.0.0 to 9.0.17, and 10.0.0 to 10.0.9, as well as .NET 8.0.0 to 8.0.28, 9.0.0 to 9.0.17, and 10.0.0 to 10.0.9, and Visual Studio 2026 18.6.0 to 18.6.3.
- Review and implement mitigations, such as limiting network access to affected systems.
- Monitor system resources and network traffic for signs of potential attacks.
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
- Check relevant monitoring, detection, and logs for exposed assets that need extra review.
Evidence notes
The CVE record and NVD entry provide details on the vulnerability, including its CVSS score and affected products. Vendor advisories and errata from Red Hat are also available. Evidence is limited, and defenders should verify affected product deployments and review official advisories for validation. The vulnerability allows for denial of service attacks, and its uncontrolled resource consumption could lead to significant operational impact. Limited source information is available, and additional verification tasks are recommended.
Official resources
-
CVE-2026-45591 CVE record
CVE.org
-
CVE-2026-45591 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
-
Source reference
0b0ca135-0b70-47e7-9f44-1890c2a1c46c
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-09T17:17:26.933Z and has not been modified since then.