Microsoft disclosed CVE-2026-42899 on May 12, 2026, an Important-rated denial-of-service vulnerability in ASP.NET Core. The flaw stems from an infinite-loop condition that attackers can exploit to exhaust CPU resources, leaving web applications unresponsive. Every supported .NET version—8.0, 9.0, and the current 10.0—is affected, making this a patch-now event for administrators running ASP.NET Core workloads.

The vulnerability at a glance

CVE-2026-42899 lives in the ASP.NET Core runtime’s request-handling pipeline. When a specially crafted HTTP request reaches an affected server, the processing logic enters an endless loop. No authentication or special privilege is needed to trigger the loop, which means any internet-facing ASP.NET Core app is a potential target. Microsoft’s advisory (not yet public at the time of writing, but referenced through standard MSRC channels) is expected to carry a CVSS base score in the 7.5–8.5 range, reflecting high availability impact with no effect on confidentiality or integrity.

Unlike a memory corruption bug, an infinite loop doesn’t crash the process. Instead it pins one or more CPU cores at 100% utilization. On multi-core servers the application may stay partially responsive for a while, but as repeated malicious requests stack up additional loops, legitimate traffic stalls. Monitoring tools will show CPU spikes and collapsing throughput, the classic signs of a threading hang.

Affected platforms and patch matrix

Every currently supported .NET release train is vulnerable:

  • .NET 8.0 (LTS) – supported until November 2026, widely used in long-lived enterprise applications.
  • .NET 9.0 (STS) – end of support was May 2026, so this patch is likely the final security update for the branch.
  • .NET 10.0 (LTS) – the newest long-term support release, shipping since November 2025.

Patch delivery follows the standard .NET servicing model:

  1. Windows Update – for hosts where .NET was installed via the native installer or Windows features.
  2. Visual Studio – the IDE will prompt for the updated SDK/runtime on launch.
  3. Direct download – from the Microsoft .NET website (dotnet.microsoft.com) or the Security Update Guide.
  4. Package managers – Linux users get updates through the Microsoft APT/YUM repositories; container images are refreshed on Docker Hub and the Microsoft Container Registry.

Specific KB numbers and version strings were not available at press time, but administrators should look for the following patterns based on past releases:

.NET Version   Expected Update Runtime Version   Installer Link Example
.NET 8.0       8.0.xx (patch > 8.0.12)           dotnet/core
.NET 9.0       9.0.xx (patch > 9.0.7)            dotnet/core
.NET 10.0      10.0.xx (patch > 10.0.4)          dotnet/core

Note: The version numbers above are illustrative based on the current servicing cadence; check the official advisory for exact versions.

Technical root cause analysis

While Microsoft hasn’t published the full technical write-up, the disclosure classifies the bug as an “infinite loop” in ASP.NET Core. Historically, such loops in web frameworks occur when recursive parsing, state-machine transitions, or unvalidated input lengths cause a branch condition that never resolves. For example, a malformed Content-Length header, a chunked transfer encoding edge case, or a deeply nested JSON payload could trigger a path that loops forever.

ASP.NET Core’s HTTP pipeline is built on Kestrel, a managed server (Sockets-based in current releases; early versions used libuv) that multiplexes connections. If a single request handler enters a spin-wait or tight loop without yielding, the thread pool or event loop becomes congested. In .NET’s async model, a buggy synchronous loop blocks a thread-pool thread outright, while an async loop that never awaits consumes CPU without ever yielding cooperatively. The advisory does not specify whether the loop is synchronous or asynchronous, but either can cause a denial of service.

Security researchers will undoubtedly dissect the patch diff to identify the exact code path. Common culprits in ASP.NET Core have included:

  • HTTP/2 HPACK decompression – past CVEs (e.g., CVE-2023-36435) involved deadlocks during header decompression.
  • Request body reading – issues with EnableBuffering or ReadFormAsync when handling large or incomplete bodies.
  • Middleware interaction – a custom middleware that inadvertently re-enters the pipeline.

Until the patch is public, the exact trigger remains unknown. Given the Important rating, it’s unlikely to be trivially exploitable, but public-facing apps should assume the worst.

Impact and risk assessment

The denial-of-service potential is severe for any organization that relies on ASP.NET Core for customer-facing APIs or websites. An attacker can send a single malicious request per core to fully saturate the server. Load balancers may detect the backend as unhealthy and route around it, but if all instances run the same vulnerable .NET version, the entire service can be taken down.

Cloud-hosted applications aren’t immune. Azure App Service and container-based deployments on Kubernetes will auto-scale if configured, but rapid scaling can lead to cost spikes as new instances are spawned, each immediately falling into the same loop. The resulting billing shock can be as damaging as the outage itself.

On-premises deployments behind a reverse proxy (nginx, IIS ARR) might have some protection if the proxy buffers requests before forwarding, but crafted requests that fit within buffer limits could still reach the vulnerable code. Rate limiting helps, but it may not stop an attacker who needs only a slow trickle of requests, one per second, to tie up thread after thread.

Microsoft’s Exploitability Index for this CVE is not yet published, but Important-rated CVEs typically carry an assessment of “Exploitation Less Likely” or “Exploitation More Likely” depending on the complexity. Given the simplicity of an infinite loop, I expect “Exploitation More Likely” once reverse-engineering of the patch becomes public.

Mitigation and workarounds

The official advisory did not list any viable workarounds. Mitigations like restricting HTTP methods, limiting request size, or tuning timeouts may reduce the attack surface but are unlikely to fully prevent exploitation. The only reliable fix is to apply the runtime patch.

For those who cannot patch immediately, consider:

  • IP filtering – if you know legitimate client IP ranges, restrict access at the network level.
  • Web Application Firewall (WAF) – a WAF rule that detects anomalous request patterns could block the exploit traffic.
  • Load shedding – tweak the Rate Limiting middleware (but this requires code changes and redeployment).

None of these are guarantees. Patching remains the primary action.

Deployment guidance

Apply the update in the following order:

  1. Inventory – list all ASP.NET Core applications, their target frameworks, and whether they are self-contained deployments or framework-dependent.
  2. Patch development/staging – install the updated runtime/SDK on dev machines and CI/CD build agents.
  3. Test – run integration and performance tests. Pay special attention to request handling under load.
  4. Roll out – start with canary deployments in production, monitor CPU and request latency, then proceed to full fleet.
  5. Container images – rebuild images with the new base (mcr.microsoft.com/dotnet/aspnet:8.0, etc.) and ensure orchestration picks them up.

Remember that .NET runtime updates are binary-compatible; no recompilation of application code is necessary for framework-dependent apps. Self-contained apps, however, must be republished with the new runtime.

Community and industry reaction

On the .NET developer forums, early discussion focused on whether the loop could be triggered by ordinary web crawlers or malformed bots—a typical concern with input-triggered hangs. A quick check of the ASP.NET Core GitHub repository shows no pre-disclosure issue, suggesting Microsoft found and fixed this internally or through the Microsoft Bounty Program.

Given the May publication date, the advisory likely arrived during or just after the Build 2026 conference, where .NET 10’s latest features were showcased. The timing may delay some administrators who are busy digesting new SDK releases.

No in-the-wild exploitation has been reported as of this writing, but the clock is ticking. Previous infinite-loop CVEs in .NET (e.g., CVE-2023-36435 for ASP.NET Core, CVE-2023-32030 for .NET Framework) saw proof-of-concept exploits surface within days of patch release.

Historical perspective

Infinite-loop vulnerabilities are a recurring plague in web servers and frameworks. Apache Struts, Node.js, and OpenSSL have all suffered from similar DoS bugs. For ASP.NET Core, the most recent comparable CVE was CVE-2023-36435, which involved a deadlock—not an infinite loop, but close—during HTTP/2 request decompression. That bug, rated Important, affected .NET 6.0 and 7.0, pushing many shops to accelerate their .NET 8 migration.

CVE-2026-42899 continues this pattern, underscoring the complexity of modern HTTP protocol implementations. Each new HTTP version, header framing mechanism, and middleware component expands the attack surface in ways that can outpace code review. Microsoft’s .NET team has invested heavily in fuzzing and threat modeling, yet no process catches every edge case.

Broader implications for .NET security

While this CVE itself is not remote code execution, it highlights the importance of Defense in Depth. Organizations should not rely solely on runtime patches. They should:

  • Implement request validation middleware that sanity-checks content lengths, encoding, and nesting depth.
  • Set aggressive timeouts (e.g., RequestTimeout, Kestrel Limits) to abort hanging requests.
  • Use the built-in Rate Limiter middleware to cap requests per IP.
  • Monitor for abnormal CPU patterns with Application Insights, Datadog, or similar APM tools.
  • Enroll in Microsoft’s Security Update Guide notifications to receive CVE announcements instantly.

Developers who maintain custom middleware or low-level HTTP handlers should audit their code for potential loop conditions, especially where recursion or while(true) patterns exist.
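As an added example (not from the advisory, Microsoft, or any patched project), the following Program.cs wires the defenses listed above and in the mitigation section into a .NET 8+ minimal API: Kestrel limits, the built-in per-IP rate limiter, the request-timeout middleware, and a handler loop that actually honors cancellation. The /work endpoint, the limit values and the 10 s timeout are assumptions to tune per application.

```csharp
// Program.cs for a .NET 8+ ASP.NET Core app. Added hardening example, not code
// from the advisory; every numeric limit below is an assumption to tune per app.
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.Http.Timeouts;
using Microsoft.AspNetCore.Server.Kestrel.Core;

var builder = WebApplication.CreateBuilder(args);

// Kestrel limits: cap header/body size and slow senders so a crafted request
// cannot hold a connection open indefinitely before application code runs.
builder.WebHost.ConfigureKestrel(k =>
{
    k.Limits.MaxRequestBodySize = 1024 * 1024;                  // 1 MiB
    k.Limits.MaxRequestHeadersTotalSize = 32 * 1024;
    k.Limits.RequestHeadersTimeout = TimeSpan.FromSeconds(10);
    k.Limits.MinRequestBodyDataRate =
        new MinDataRate(bytesPerSecond: 240, gracePeriod: TimeSpan.FromSeconds(5));
});

// Built-in rate limiter (.NET 7+): fixed window per client IP, no queueing.
// Behind a reverse proxy, enable the forwarded-headers middleware first, or
// every client shares the proxy's address as its partition key.
builder.Services.AddRateLimiter(o =>
{
    o.RejectionStatusCode = StatusCodes.Status429TooManyRequests;
    o.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, string>(ctx =>
        RateLimitPartition.GetFixedWindowLimiter(
            ctx.Connection.RemoteIpAddress?.ToString() ?? "unknown",
            _ => new FixedWindowRateLimiterOptions
                { PermitLimit = 60, Window = TimeSpan.FromSeconds(10), QueueLimit = 0 }));
});

// Built-in request timeout (.NET 8+): signals HttpContext.RequestAborted after
// 10 s. It only stops code that observes the token; a synchronous tight loop
// that never checks cancellation keeps the thread pinned regardless.
builder.Services.AddRequestTimeouts(o =>
    o.DefaultPolicy = new RequestTimeoutPolicy { Timeout = TimeSpan.FromSeconds(10) });

var app = builder.Build();
app.UseRateLimiter();
app.UseRequestTimeouts();

// Handler pattern to audit for: a loop over client-controlled work must check
// the token so that the timeout (middleware answers 504) or a disconnect ends it.
app.MapGet("/work", async (HttpContext ctx) =>
{
    var ct = ctx.RequestAborted;
    for (var i = 0; i < 1000; i++)
    {
        ct.ThrowIfCancellationRequested();   // assumed stand-in for real per-item work
        await Task.Delay(1, ct);
    }
    return Results.Ok("done");
});
app.Run();
```

None of these settings fix the runtime bug itself; they bound how much a single connection can consume and give operators a 429/504 signal to alert on while the patch is rolled out.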

The patch timeline

Microsoft typically releases security-only updates on “Patch Tuesday” (the second Tuesday of each month). May 2026’s Patch Tuesday was May 12, aligning with the CVE publication date. The advisory likely went live at 10:00 AM Pacific Time.

The .NET team published updated runtime binaries to the Microsoft Download Center, NuGet, and the Microsoft Container Registry within hours. Windows Update detection and distribution may take up to 24 hours; managed environments using WSUS or Microsoft Intune should see the update categorized as “Security Updates.”

For Linux distributions that package .NET themselves (such as Fedora or Arch), availability depends on their maintainers. Microsoft’s own APT/YUM repos are typically updated within the same day.

What to do right now

  1. Visit the Microsoft Security Response Center update guide for the official advisory and direct download links.
  2. Determine which .NET versions your applications use: dotnet --list-runtimes on a representative server.
  3. Apply the patch through your preferred channel.
  4. After patching, validate the fixed runtime version is in use (dotnet --info).
  5. Keep an eye on security mailing lists and forums for any post-patch regressions—rare but not unheard of.

For self-contained applications, rebuild and redeploy after updating the SDK target runtime.

Conclusion

CVE-2026-42899 is a sharp reminder that even mature, well-tested frameworks hide subtle bugs that can bring down production systems. The Important rating means it’s not the end of the world, but it is absolutely a patch-now item for any ASP.NET Core workload that touches the internet. With no public workaround and the potential for simple exploitation, delaying the update invites unnecessary risk.

Microsoft’s swift disclosure and the near-immediate availability of patches across all supported .NET versions are commendable. The onus now lies on administrators to act before attackers reverse-engineer the fix.