PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45591 Microsoft CVE debrief

CVE-2026-45591 is a high-severity vulnerability in ASP.NET Core that allows an unauthorized attacker to deny service over a network. The vulnerability is caused by uncontrolled resource consumption and has a CVSS score of 7.5. Affected products include ASP.NET Core 8.0.0 to 8.0.28, 9.0.0 to 9.0.17, and 10.0.0 to 10.0.9, as well as .NET 8.0.0 to 8.0.28, 9.0.0 to 9.0.17, and 10.0.0 to 10.0.9, and Visual Studio 2026 18.6.0 to 18.6.3. The vulnerability's operational impact could be significant, and defenders should review and apply patches or mitigations. Limited source information is available, and additional verification tasks are recommended.

Vendor
Microsoft
Product
.NET 10.0
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-09
Original CVE updated
2026-06-30
Advisory published
2026-06-09
Advisory updated
2026-06-30

Who should care

Users of ASP.NET Core 8.0.0 to 8.0.28, 9.0.0 to 9.0.17, and 10.0.0 to 10.0.9, as well as .NET 8.0.0 to 8.0.28, 9.0.0 to 9.0.17, and 10.0.0 to 10.0.9, and Visual Studio 2026 18.6.0 to 18.6.3 should review and apply patches or mitigations. Operators, platform administrators, vulnerability management teams, and security teams should be aware of the potential impact and take necessary actions.

Technical summary

CVE-2026-45591 is a high-severity vulnerability in ASP.NET Core that allows an unauthorized attacker to deny service over a network. The vulnerability is caused by uncontrolled resource consumption and has a CVSS score of 7.5. Affected products include ASP.NET Core 8.0.0 to 8.0.28, 9.0.0 to 9.0.17, and 10.0.0 to 10.0.9, as well as .NET 8.0.0 to 8.0.28, 9.0.0 to 9.0.17, and 10.0.0 to 10.0.9, and Visual Studio 2026 18.6.0 to 18.6.3. The vulnerability's technical framing is related to resource consumption, and defenders should focus on patching or mitigating this vulnerability.

Defensive priority

High priority should be given to patching or mitigating this vulnerability, as it allows for denial of service attacks.

Recommended defensive actions

  • Apply patches or updates for ASP.NET Core 8.0.0 to 8.0.28, 9.0.0 to 9.0.17, and 10.0.0 to 10.0.9, as well as .NET 8.0.0 to 8.0.28, 9.0.0 to 9.0.17, and 10.0.0 to 10.0.9, and Visual Studio 2026 18.6.0 to 18.6.3.
  • Review and implement mitigations, such as limiting network access to affected systems.
  • Monitor system resources and network traffic for signs of potential attacks.
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up.
  • Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance.
  • Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed.
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review.

Evidence notes

The CVE record and NVD entry provide details on the vulnerability, including its CVSS score and affected products. Vendor advisories and errata from Red Hat are also available. Evidence is limited, and defenders should verify affected product deployments and review official advisories for validation. The vulnerability allows for denial of service attacks, and its uncontrolled resource consumption could lead to significant operational impact. Limited source information is available, and additional verification tasks are recommended.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-09T17:17:26.933Z and has not been modified since then.