.NET Framework
CVE-2026-23666 — .NET Framework Denial of Service Vulnerability
Executive Summary
Improper input validation in .NET Framework allows an unauthorized attacker to deny service over a network.
Overview
7.5
CVSS HIGH
Critical
MS Severity
Not Exploited
MS Exploit Status
Less Likely
MS Exploit Likelihood
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
ATTACK VECTOR
Network
ATTACK COMPLEXITY
Low
PRIVILEGES REQUIRED
None
USER INTERACTION
None
SCOPE
Unchanged
CONFIDENTIALITY
None
INTEGRITY
None
AVAILABILITY
High
EXPLOIT CODE MATURITY
Proof-of-Concept
REMEDIATION LEVEL
Official Fix
REPORT CONFIDENCE
Confirmed
Temporal Score: 6.7
EPSS Score
0.0103
probability of exploitation in the next 30 days
0.59185 percentile - updated 2026-06-21
View on FIRST.org
Affected Products
49 affected products
| Product | KB Article | Severity | Impact | Restart Required |
|---|---|---|---|---|
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for 32-bit Systems | 5082413 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for ARM64-based Systems | 5082413 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for x64-based Systems | 5082413 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for 32-bit Systems | 5082414 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for ARM64-based Systems | 5082414 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for x64-based Systems | 5082414 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for 32-bit Systems | 5082426 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for ARM64-based Systems | 5082426 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for x64-based Systems | 5082426 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for 32-bit Systems | 5082426 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for ARM64-based Systems | 5082426 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for x64-based Systems | 5082426 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022 | 5082427 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022 (Server Core installation) | 5082427 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for 32-bit Systems | 5082419 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for ARM64-based Systems | 5082419 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for x64-based Systems | 5082419 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for 32-bit Systems | 5082419 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for ARM64-based Systems | 5082419 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for x64-based Systems | 5082419 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 22H2 for ARM64-based Systems | 5082424 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 22H2 for x64-based Systems | 5082424 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 23H2 for ARM64-based Systems | 5082424 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 23H2 for x64-based Systems | 5082424 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 24H2 for ARM64-based Systems | 5082420 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 24H2 for x64-based Systems | 5082420 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 25H2 for ARM64-based Systems | 5082417 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 25H2 for x64-based Systems | 5082417 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 26H1 for ARM64-based Systems | 5082421 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 version 26H1 for x64-based Systems | 5082421 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2022 | 5082425 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2022 (Server Core installation) | 5082425 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2022, 23H2 Edition (Server Core installation) | 5082418 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2025 | 5082417 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2025 (Server Core installation) | 5082417 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 | 5082398 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 (Server Core installation) | 5082398 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 R2 | 5082406 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 3.5 on Windows Server 2012 R2 (Server Core installation) | 5082406 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 | 5082400 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 (Server Core installation) | 5082400 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 | 5082402 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 (Server Core installation) | 5082402 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for 32-bit Systems | 5082411 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for x64-based Systems | 5082411 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2012 | 5082403 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2012 (Server Core installation) | 5082403 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2012 R2 | 5082404 (Security Update) |
Critical | Denial of Service | Maybe |
| Microsoft .NET Framework 4.8 on Windows Server 2012 R2 (Server Core installation) | 5082404 (Security Update) |
Critical | Denial of Service | Maybe |
Patches
18 patches
| Article | Type | Restart |
|---|---|---|
5082413 |
Security Update | Maybe |
5082414 |
Security Update | Maybe |
5082426 |
Security Update | Maybe |
5082427 |
Security Update | Maybe |
5082419 |
Security Update | Maybe |
5082424 |
Security Update | Maybe |
5082420 |
Security Update | Maybe |
5082417 |
Security Update | Maybe |
5082421 |
Security Update | Maybe |
5082425 |
Security Update | Maybe |
5082418 |
Security Update | Maybe |
5082398 |
Security Update | Maybe |
5082406 |
Security Update | Maybe |
5082400 |
Security Update | Maybe |
5082402 |
Security Update | Maybe |
5082411 |
Security Update | Maybe |
5082403 |
Security Update | Maybe |
5082404 |
Security Update | Maybe |
Known Exploits
No known exploits have been linked for this CVE yet. When available, exploit references will be sourced from public repositories and may be unverified, incomplete, or non-functional. Always review code carefully before use in any environment.
Acknowledgments
Anonymous
References
On This Page