Microsoft has included a fix for a notable ASP.NET Core denial-of-service (DoS) vulnerability in its June 2026 Patch Tuesday release. The vulnerability, tracked as CVE-2026-45591, carries an Important severity rating and stems from uncontrolled resource consumption within the ASP.NET Core web framework. It affects .NET 8.0, .NET 9.0, .NET 10.0, and Visual Studio 2026, potentially allowing an unauthenticated attacker to exhaust system resources and disrupt service availability.

What Is CVE-2026-45591?

CVE-2026-45591 is a denial-of-service vulnerability in ASP.NET Core that arises when the framework improperly handles certain types of requests or input. The specific technical details have not been fully disclosed, but Microsoft categorizes it under “uncontrolled resource consumption,” a type of flaw where an application fails to limit the amount of resources—such as memory, CPU, or file handles—it uses in response to a request. An attacker can exploit this by sending specially crafted requests to an affected web application, causing it to consume excessive resources and become unresponsive to legitimate users.

The vulnerability was published on June 9, 2026, as part of Microsoft’s scheduled Patch Tuesday updates. It is classified as Important rather than Critical, indicating that while exploitation can lead to significant service disruption, it does not allow code execution or elevation of privileges. Nonetheless, for internet-facing ASP.NET Core applications, a DoS attack can result in downtime, lost revenue, and degraded user experience.

ASP.NET Core in the Crosshairs

ASP.NET Core is a cross-platform, high-performance framework for building modern web applications and APIs. Its widespread adoption makes it a lucrative target for attackers. Denial-of-service vulnerabilities in web frameworks are particularly dangerous because they often require no authentication and can be triggered with minimal interaction. In the case of CVE-2026-45591, the underlying issue is resource mismanagement, which could be exploited by a remote attacker simply by sending a crafted HTTP request or payload.

Similar past vulnerabilities in ASP.NET Core, such as CVE-2023-36049, involved HTTP/2 connection handling flaws, while others targeted JSON deserialization quirks. Uncontrolled resource consumption bugs often stem from missing limits on request parameters, unvalidated inputs that trigger recursive processing, or inadequate throttling of async operations. Without the full advisory from Microsoft, the exact vector remains unclear, but the “uncontrolled resource consumption” label strongly points to a flaw where the runtime fails to cap resource usage under certain conditions.

Affected Products and Patch Details

The advisory impacts a broad swath of the .NET ecosystem. Specifically, the following versions are vulnerable and require patching:

  • .NET 8.0 (all platforms)
  • .NET 9.0 (all platforms)
  • .NET 10.0 (all platforms)
  • Visual Studio 2026 (all editions)

Visual Studio 2026 is listed likely because it ships with a specific version of the .NET SDK or runtime, or because the IDE’s own services (like debugging or local development server) use a vulnerable ASP.NET Core component. Developers who use Visual Studio 2026 for web development should ensure they install the latest update, which will also update the bundled .NET SDK.

Microsoft has released patches for each affected version. For .NET, updates are distributed via:

  • Official .NET SDK and runtime downloads from the .NET website
  • NuGet packages for ASP.NET Core shared framework
  • Windows Update (for runtime and hosting bundles on Windows)
  • Package managers on Linux (apt, yum, etc.)
  • Visual Studio installer (for VS-integrated tooling and SDK)

Specific KB numbers or patch builds were not enumerated in the initial advisory, but they should be available on the Microsoft Security Response Center (MSRC) page for CVE-2026-45591. If you manage builds through Docker images, updated container images should appear on Microsoft Artifact Registry.

Severity and Exploitability

The Important severity rating reflects the potential impact while acknowledging that the attack is not trivially automated in all scenarios. Microsoft often assesses DoS flaws as Important unless they can be triggered remotely and without user interaction, which is true for many web server vulnerabilities. The CVSS (Common Vulnerability Scoring System) vector and score were not disclosed at the time of announcement, but Important typically corresponds to a base score between 5.5 and 7.5.

Exploitability of uncontrolled resource consumption depends on the specific coding pattern. If the vulnerable code path is commonly hit by default in ASP.NET Core applications (e.g., in middleware, request parsing, or authentication flows), the risk is higher. Conversely, if it exists only in a rarely used component or requires specific configuration, the immediate danger is lower. Nonetheless, any public-facing ASP.NET Core app should be updated without delay.

Proof-of-concept exploits are not yet known, but given the attention Patch Tuesday updates receive, mature attack tools could emerge within days. Security teams should assume that after June 9, 2026, the vulnerability is public knowledge and plan accordingly.

Real-World Impact and Mitigations Before Patching

A successful DoS attack against an ASP.NET Core application could make the service unavailable to users, causing operational disruption. For e-commerce sites, APIs backing mobile apps, or SaaS platforms, downtime translates directly to financial loss and reputational damage. In worst-case scenarios, a crafted request could cause the worker process to crash, triggering an outage until the process restarts.

If you cannot patch immediately, consider temporary mitigations:

  • Web Application Firewall (WAF) rules: Deploy rules to block anomalous requests that might target resource exhaustion.
  • Rate limiting: Aggressively rate-limit unauthenticated endpoints or suspicious patterns.
  • Resource governance: Configure application pool recycling parameters to quickly restart hung processes.
  • Disable affected features: If Microsoft’s advisory later pinpoints a specific middleware or component, disable it temporarily.

However, mitigation is rarely a substitute for patching. The patch addresses the root cause, and delaying only widens the window for opportunistic attackers.

How to Apply the Patch

For .NET Developers

Update your .NET SDK and runtime to the patched version. If you use global.json to pin your SDK version, update it to the new version number. Then rebuild and redeploy your applications.

On Windows, you can download the installer from the .NET downloads page. On Linux, use your distribution’s package manager (e.g., sudo apt update && sudo apt install dotnet-sdk-8.0). On macOS, the installer or Homebrew can be used.

Confirm the update with dotnet --info, ensuring the runtime version matches the patch revision.

For Visual Studio 2026

Launch the Visual Studio Installer and apply the latest update. This will also update the bundled .NET SDK and the ASP.NET Core development server. Check for updates by selecting “Check for updates” from the Visual Studio notification hub or the Installer’s update channel.

For Docker and Container Users

Pull the latest base images from the Microsoft Container Registry. For example:

  • mcr.microsoft.com/dotnet/aspnet:8.0
  • mcr.microsoft.com/dotnet/sdk:8.0

Make sure to retag your images and rebuild if you use multi-stage builds.

For System Administrators Hosting Runtimes

If you install the ASP.NET Core Hosting Bundle on Windows Server, download and run the latest bundle from the .NET site. Similarly, for Linux web servers, update the aspnetcore-runtime-8.0 (or 9.0/10.0) package.

Microsoft’s Patch Tuesday cadence ensures that vulnerabilities like CVE-2026-45591 are addressed on a predictable schedule. The .NET team has historically been prompt in closing DoS vectors, often releasing out-of-band updates for critical flaws. The Important rating here suggests that while the vulnerability is significant, it did not warrant an emergency out-of-cycle patch.

In recent years, ASP.NET Core has faced a handful of DoS vulnerabilities related to HTTP/2, Kestrel, and JSON serialization. The shift toward cloud-native and containerized workloads means that even a DoS can have cascading effects if autoscaling mechanisms fail to mitigate the resource drain.

Community Reactions and Advisory

Following the release, developer forums and social media channels have begun discussing the impact. Some early anecdotal reports indicate confusion over which Visual Studio components are vulnerable. Microsoft lists “Visual Studio 2026” broadly, but it likely encompasses the web development workload that includes the ASP.NET Core runtime. Developers using Visual Studio purely for desktop application development may be less exposed, but updating is still recommended to close any potential vector.

Security researchers have cautioned that DoS vulnerabilities are sometimes chained with other bugs to achieve privilege escalation or remote code execution. Though none of that is indicated for CVE-2026-45591, a patched system is always the safest posture.

The advisory marks the first time .NET 10.0 has been included in a Patch Tuesday since its release earlier in 2026. .NET 10 follows the now-annual release cadence, and this vulnerability underscores the need for all supported versions to receive timely patches. Microsoft’s policy typically supports each .NET version for 18 months from release (for the standard-term support), meaning .NET 8.0 and 9.0 are likely still under support, as is the new 10.0.

Conclusion and Next Steps

CVE-2026-45591 is a tangible reminder that even modern, secure-by-design frameworks like ASP.NET Core can harbor resource exhaustion flaws. With the June 2026 Patch Tuesday now public, threat actors have all the information they need to target unpatched servers.

For technical decision-makers, immediate action should include:

  1. Assess your exposure: Inventory all applications and servers running ASP.NET Core on .NET 8, 9, or 10.
  2. Prioritize internet-facing applications: Apply patch within 24 hours.
  3. Update development environments: Patch Visual Studio 2026 and SDKs to prevent the accidental reintroduction of vulnerable output during development.
  4. Monitor for unusual behavior: After patching, watch for signs of attempted exploitation, such as spikes in 503 errors or high resource utilization.

Staying current with Patch Tuesday updates is an essential part of a robust security hygiene. While CVE-2026-45591 is classified as Important, the operational impact of a successful DoS attack can be severe. Apply the patch, update your toolchains, and keep an eye on any follow-up advisories from Microsoft that might reveal additional nuance about this vulnerability.