CVE-2026-26171

Uncontrolled Resource Consumption
Improper Restriction of XML External Entity Reference

Affects: .NET Runtime / System.Security.Cryptography.Xml in .NET

Versions: ASP.NET Core: >= 6.0.0 <= 6.0.39, >= 8.0.0 <= 8.0.25, >= 9.0.0 <= 9.0.14, >= 10.0.0 <= 10.0.5

Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

.NET is a free, open-source, cross-platform framework for building modern apps and powerful cloud services. It consists of a runtime and a developer platform made up of tools, programming languages, and libraries for building many different types of applications. ASP.NET Core extends the .NET developer platform with tools and libraries specifically for building web apps. ASP.NET Core is the open-source version of ASP.NET that runs on macOS, Linux, and Windows. ASP.NET Core was first released in 2016 and is a re-design of earlier Windows-only versions of ASP.NET.

A vulnerability (CVE-2026-26171) exists in applications using System.Security.Cryptography.Xml: EncryptedXml processing can be driven into uncontrolled resource consumption by attacker-supplied input. This can allow an unauthorized attacker to deny service over the network by supplying malicious XML that triggers expensive or unsafe processing.

Per Microsoft’s April 2026 CVRF publication, this issue is classified as CWE-400: Uncontrolled Resource Consumption and CWE-611: Improper Restriction of XML External Entity Reference.

This issue affects .NET >= 6.0.0 <= 6.0.39 in NES-supported environments. Microsoft also serviced supported .NET releases in its April 14, 2026 security updates for .NET 8.0, .NET 9.0, and .NET 10.0.

Additionally, if you've deployed self-contained applications targeting impacted .NET 6 builds, these applications are also vulnerable and must be rebuilt and redeployed after the fixed runtime is applied.

Details

Module Info

  • Product: Any .NET application using System.Security.Cryptography.Xml
    • Any .NET 6.0 application running on .NET 6.0.39 or earlier.
    • Any .NET 8.0 application running on .NET 8.0.25 or earlier.
    • Any .NET 9.0 application running on .NET 9.0.14 or earlier.
    • Any .NET 10.0 application running on .NET 10.0.5 or earlier.
  • Affected components:
    • Microsoft.NETCore.App
    • System.Security.Cryptography.Xml
  • Affected versions:
    • .NET 6: >= 6.0.0 <= 6.0.39
    • Microsoft-supported releases:
      • .NET 8.0 fixed in 8.0.26
      • .NET 9.0 fixed in 9.0.15
      • .NET 10.0 fixed in 10.0.6
  • GitHub repository:
    • System.Security.Cryptography.Xml: https://github.com/dotnet/runtime
  • Published packages: Download .NET (Linux, macOS, and Windows)
  • Package manager:
    • NuGet
    • Windows Installer
    • Linux package managers
    • Docker
  • Fixed in: NES for .NET 6.0.40
  • Key fixed files:
    • EncryptedXml.cs, XmlDecryptionTransform.cs, CanonicalizationDispatcher.cs
  • Additional fixed files:
    • EncryptedType.cs, EncryptedData.cs, EncryptedKey.cs, KeyInfo.cs, LocalAppContextSwitches.cs
  • Key tests:
    • EncryptedXmlTest.cs, EncryptedXmlTests.cs, XmlDsigC14NTransformTest.cs, XmlDsigExcC14NTransformTest.cs
  • Vulnerable branch:
    • nes-release-6.0.39 and earlier
  • Fixed branch:
    • nes-release-6.0.40
  • Commercial support availability: HeroDevs NES for .NET

Vulnerability Info

This Important-severity vulnerability is found in System.Security.Cryptography.Xml, specifically in EncryptedXml processing paths. The core issue is that attacker-controlled XML can trigger unsafe or excessively deep processing, resulting in uncontrolled resource consumption and denial of service. The Microsoft-serviced fix added safer transform handling and recursion or depth limits across the affected XML crypto paths.

Steps To Reproduce

  1. Set up a .NET project that uses System.Security.Cryptography.Xml.
    • Construct or receive attacker-controlled XML that flows into EncryptedXml processing.
  2. Use an input that forces expensive or recursive processing during XML decryption or transform handling.
    • Examples include malicious EncryptedXml inputs that abuse transform processing or excessively nested XML structures.
    • Call into EncryptedXml processing, such as DecryptDocument() or related XML crypto operations.
  3. Before the fix:
    • The library could consume excessive resources instead of rejecting unsafe input earlier.
    • That behavior could allow an attacker to deny service over the network.
  4. After the fix:
    • Unsafe transform handling is restricted and recursion or depth limits are enforced across the relevant processing paths.

Mitigation

.NET 6.x is End-of-Life and will not receive official Microsoft updates to address this issue. For more information, see the .NET and .NET Core official support policy.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to one of:
    • .NET Runtime >= 8.0.26
    • .NET Runtime >= 9.0.15
    • .NET Runtime >= 10.0.6
  • Leverage a commercial support partner like HeroDevs for post-EOL security support, including NES for .NET 6.0.40 or later.
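The following is an added example, not HeroDevs' code or the dotnet/runtime fix. It shows a defense-in-depth gate for deployments that cannot move to a fixed runtime immediately: untrusted XML is parsed with DTD processing prohibited and external resolution disabled, an element-depth cap is enforced in a streaming pass, and only then is the document handed to EncryptedXml.DecryptDocument(). The class and method names and the numeric limits are assumptions of the example. The gate narrows what EncryptedXml receives; it does not replicate the transform and recursion limits the serviced fix adds inside the library, so it complements rather than replaces the upgrade.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Xml;

// Added example (not HeroDevs or dotnet/runtime code): a defense-in-depth gate that
// rejects structurally abusive XML before it ever reaches EncryptedXml.
public static class GuardedEncryptedXml
{
    // Assumed limits for this example; tune them to the documents your application expects.
    private const int MaxElementDepth = 32;
    private const long MaxCharactersInDocument = 1_000_000;

    private static XmlReaderSettings HardenedSettings() => new XmlReaderSettings
    {
        DtdProcessing = DtdProcessing.Prohibit,             // no DOCTYPE, no entity expansion (CWE-611)
        XmlResolver = null,                                 // never fetch external resources
        MaxCharactersInDocument = MaxCharactersInDocument,  // bound total input size
        IgnoreProcessingInstructions = true,
    };

    // Loads untrusted XML into an XmlDocument that resolves nothing, after first
    // verifying in a streaming pass that element nesting stays within MaxElementDepth.
    public static XmlDocument LoadUntrusted(string xml)
    {
        // Pass 1: depth check on the reader, so no DOM is built for abusive input.
        using (var probe = XmlReader.Create(new StringReader(xml), HardenedSettings()))
        {
            while (probe.Read())
            {
                if (probe.NodeType == XmlNodeType.Element && probe.Depth >= MaxElementDepth)
                    throw new XmlException($"Element nesting exceeds {MaxElementDepth} levels.");
            }
        }

        // Pass 2: build the DOM with the same hardened reader settings.
        var doc = new XmlDocument { XmlResolver = null, PreserveWhitespace = true };
        using (var reader = XmlReader.Create(new StringReader(xml), HardenedSettings()))
        {
            doc.Load(reader);
        }
        return doc;
    }

    // Decrypts an untrusted EncryptedXml document with a named symmetric key.
    // DecryptDocument() is the processing path this advisory concerns; the guard
    // above limits what it receives but does not replace the patched runtime.
    public static XmlDocument DecryptUntrusted(string xml, string keyName, SymmetricAlgorithm key)
    {
        XmlDocument doc = LoadUntrusted(xml);
        var exml = new EncryptedXml(doc) { Resolver = null };  // no CipherReference fetches
        exml.AddKeyNameMapping(keyName, key);
        exml.DecryptDocument();
        return doc;
    }

    public static void Main()
    {
        using var aes = Aes.Create();
        const string keyName = "example-key";

        // Constructed sample: encrypt one element normally to obtain a legitimate document.
        var original = new XmlDocument { PreserveWhitespace = true };
        original.LoadXml("<root><secret>constructed sample</secret></root>");
        var target = (XmlElement)original.SelectSingleNode("//secret");

        var encryptor = new EncryptedXml(original);
        encryptor.AddKeyNameMapping(keyName, aes);
        EncryptedData encrypted = encryptor.Encrypt(target, keyName);
        EncryptedXml.ReplaceElement(target, encrypted, false);

        string wire = original.OuterXml;
        XmlDocument decrypted = DecryptUntrusted(wire, keyName, aes);
        Console.WriteLine(decrypted.OuterXml);

        // Constructed abusive inputs: excessive nesting and an inline DTD are both
        // rejected by the reader before EncryptedXml runs.
        string deep = string.Concat(Enumerable.Repeat("<a>", 100))
                    + string.Concat(Enumerable.Repeat("</a>", 100));
        string dtd = "<!DOCTYPE r [<!ENTITY e \"x\">]><r>&e;</r>";
        foreach (string bad in new[] { deep, dtd })
        {
            try { LoadUntrusted(bad); }
            catch (XmlException e) { Console.WriteLine("Rejected: " + e.Message); }
        }
    }
}
```

The two-pass parse is deliberate: a single XmlReader cannot be both walked for the depth check and then reused by XmlDocument.Load, and the extra streaming pass costs far less than building a DOM for input that will be discarded. The depth and size limits are the tunable part; the DTD prohibition and null resolvers should stay as written for any document that comes from the network.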

Credits

  • Ludvig Pedersen
Vulnerability Details

  • Severity: High
    • CVSS assessment scale: Low >= 0 < 4; Medium >= 4 < 6; High >= 6 < 8; Critical >= 8 < 10
  • ID: CVE-2026-26171
  • Project affected: .NET Runtime / System.Security.Cryptography.Xml
  • Versions affected: ASP.NET Core: >= 6.0.0 <= 6.0.39, >= 8.0.0 <= 8.0.25, >= 9.0.0 <= 9.0.14, >= 10.0.0 <= 10.0.5
  • Published date: April 15, 2026
  • Fix date (approximate): April 14, 2026
  • Category: Uncontrolled Resource Consumption; Improper Restriction of XML External Entity Reference