Microsoft patches publicly disclosed .NET DoS flaw that can crash apps with crafted requests
Microsoft has released security updates for CVE-2026-26127, a publicly disclosed denial-of-service vulnerability in .NET and Microsoft.Bcl.Memory. The flaw can let a remote, unauthenticated attacker crash a vulnerable application by sending malformed Base64Url input, according to Microsoft’s official .NET security advisory.
The issue affects .NET 9.0 and .NET 10.0 across all platforms and architectures, which means Windows, macOS, and Linux deployments all need attention. Microsoft says the bug comes from an out-of-bounds read and assigns it a CVSS 3.1 score of 7.5.
For most teams, the action item is clear. Update .NET 9 to 9.0.14, update .NET 10 to 10.0.4, and patch Microsoft.Bcl.Memory to the fixed versions if your app uses that package. Microsoft published those patched versions on March 10, 2026, as part of its March security update cycle.
What CVE-2026-26127 does
Microsoft says CVE-2026-26127 is a denial-of-service vulnerability caused by an out-of-bounds read when .NET decodes malformed Base64Url input. In practice, that means an attacker may be able to send specially crafted data that causes the target app to fail or stop responding.
The advisory lists the attack vector as network-based, requires no privileges, and needs no user interaction. That combination makes the flaw easier to trigger than many privilege-escalation or local-only bugs, even though Microsoft’s advisory does not describe active exploitation in the wild.
This is why the flaw matters even without a code execution angle. If an exposed API or service processes the vulnerable input path, attackers may be able to knock it offline and disrupt normal operations. That is an inference based on Microsoft’s DoS classification and the network attack vector in the advisory.
Affected software
Microsoft’s advisory says the vulnerability affects all platforms and all architectures for the impacted product lines. The affected products include .NET 9, .NET 10, and two Microsoft.Bcl.Memory package tracks.
| Product | Affected versions | Patched version |
|---|---|---|
| .NET 9 | 9.0.0 through versions before 9.0.14 | 9.0.14 |
| .NET 10 | 10.0.0 through versions before 10.0.4 | 10.0.4 |
| Microsoft.Bcl.Memory 9.x | 9.0.0 through versions before 9.0.14 | 9.0.14 |
| Microsoft.Bcl.Memory 10.x | 10.0.0 through versions before 10.0.4 | 10.0.4 |
Microsoft’s .NET advisory spells out the runtime package ranges in detail for Windows, Linux, and macOS runtimes, and it separately lists the patched Microsoft.Bcl.Memory package versions.
Why this .NET issue deserves quick patching
Microsoft’s advisory labels the flaw as publicly disclosed. That does not automatically mean attackers already exploit it at scale, but it does mean technical details are out in the open and defenders lose the advantage of secrecy.
Public disclosure often speeds up reverse engineering and proof-of-concept work. When the vulnerable code path sits inside internet-facing APIs or backend services, even a denial-of-service bug can become a real operational problem. That risk depends on where and how your app handles Base64Url input, but security teams should not ignore it. This is an inference based on the advisory and the affected decoding behavior.
March 2026 .NET security releases
Microsoft’s March 2026 .NET release announcement confirms the security update wave includes .NET 10.0.4, .NET 9.0.14, and .NET 8.0.25. However, the specific CVE-2026-26127 advisory itself names .NET 9.0, .NET 10.0, and Microsoft.Bcl.Memory as the affected products for this flaw.
That distinction matters. If you run .NET 8, you should still stay current because Microsoft shipped a March security release for that branch too, but the advisory for CVE-2026-26127 points directly to .NET 9, .NET 10, and the affected package versions.
What developers and admins should do now
Microsoft’s advisory gives direct package and runtime update guidance. Teams should update both the runtime and any affected NuGet package references where needed.
- Upgrade .NET 9 environments to 9.0.14.
- Upgrade .NET 10 environments to 10.0.4.
- Update Microsoft.Bcl.Memory 9.x to 9.0.14.
- Update Microsoft.Bcl.Memory 10.x to 10.0.4.
- Rebuild and redeploy applications after updating the package reference.
- Review logs for unexpected crashes or repeated malformed requests hitting exposed endpoints. This monitoring step is a best-practice recommendation based on the advisory’s DoS impact.
How to patch the NuGet package
Microsoft’s advisory includes official remediation steps for Visual Studio and the .NET CLI. Developers can update the package through the NuGet Package Manager, the Package Manager Console, or the CLI.
| Method | Official action |
|---|---|
| Visual Studio UI | Open Manage NuGet Packages, go to Updates, select Microsoft.Bcl.Memory, then update |
| Package Manager Console | Run `Update-Package -Id Microsoft.Bcl.Memory` |
| .NET CLI | Run `dotnet package update Microsoft.Bcl.Memory` |
After that, Microsoft says you must recompile and redeploy the application. The company also recommends updating runtimes and SDKs, although it notes that runtime or SDK changes are not required to patch this vulnerability unless you are targeting .NET 9 or higher.
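To check whether the remediation steps above have actually landed, the following script (an added example, not Microsoft's code or part of the advisory) flags installed runtimes and Microsoft.Bcl.Memory package references that still fall inside the affected version ranges from the table. The runtime listing and project file embedded below are constructed samples; the `is_affected`, `affected_runtimes` and `affected_bcl_memory` helper names are this example's own.

```shell
# Added example, not Microsoft's code: flag installed .NET runtimes and Microsoft.Bcl.Memory
# references inside the affected ranges for CVE-2026-26127 (9.0.0 <= v < 9.0.14 and
# 10.0.0 <= v < 10.0.4, per the advisory). Sample inputs below are constructed; in
# practice feed in `dotnet --list-runtimes` output and your real .csproj files.
# Exit status 0 if version $1 falls in an affected range, 1 otherwise.
is_affected() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    # Keep the leading digits of the patch field only (drops "-preview.N" style suffixes).
    patch=$(printf '%s' "$1" | cut -d. -f3 | sed 's/[^0-9].*//')
    [ -n "$patch" ] || patch=0
    case "$major.$minor" in
        9.0)  [ "$patch" -lt 14 ] ;;
        10.0) [ "$patch" -lt 4 ] ;;
        *)    false ;;
    esac
}

# Read `dotnet --list-runtimes` lines on stdin and print those with an affected version.
# Line shape: "Microsoft.NETCore.App 9.0.13 [/usr/share/dotnet/shared/Microsoft.NETCore.App]"
affected_runtimes() {
    while IFS= read -r line; do
        ver=$(printf '%s' "$line" | awk '{print $2}')
        if is_affected "$ver"; then printf '%s\n' "$line"; fi
    done
}

# Read a .csproj on stdin and print each Microsoft.Bcl.Memory version that is affected.
affected_bcl_memory() {
    grep -o 'Include="Microsoft.Bcl.Memory"[^>]*Version="[^"]*"' \
        | sed 's/.*Version="\([^"]*\)".*/\1/' \
        | while IFS= read -r ver; do
            if is_affected "$ver"; then printf '%s\n' "$ver"; fi
        done
}

# Constructed sample inputs standing in for real command output and a real project file.
SAMPLE_RUNTIMES='Microsoft.NETCore.App 8.0.25 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 9.0.13 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 10.0.3 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.AspNetCore.App 9.0.14 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]'
SAMPLE_CSPROJ='<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Microsoft.Bcl.Memory" Version="9.0.12" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>'
echo "Affected runtimes:"; printf '%s\n' "$SAMPLE_RUNTIMES" | affected_runtimes
echo "Affected Microsoft.Bcl.Memory references:"; printf '%s\n' "$SAMPLE_CSPROJ" | affected_bcl_memory
```

On a real host, replace the samples with `dotnet --list-runtimes | affected_runtimes` and `affected_bcl_memory < MyApp.csproj`; an empty result for both means nothing in the affected ranges is left.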
Quick summary
| Key point | Details |
|---|---|
| CVE | CVE-2026-26127 |
| Impact | Denial of service |
| Root cause | Out-of-bounds read during malformed Base64Url decoding |
| Authentication required | No |
| User interaction required | No |
| CVSS 3.1 | 7.5 |
| Fixed versions | .NET 9.0.14, .NET 10.0.4, Microsoft.Bcl.Memory 9.0.14 and 10.0.4 |
| Disclosure status | Publicly disclosed |
FAQ
It qualifies as a publicly disclosed zero-day because Microsoft published the patch after public disclosure. The advisory marks the issue as publicly disclosed, but it does not say attackers are actively exploiting it in the wild.
No. Microsoft says the affected platforms are all platforms and all architectures, which includes Windows, macOS, and Linux.
Microsoft says the problem comes from an out-of-bounds read when decoding malformed Base64Url input. A crafted request that hits that code path can cause a denial-of-service condition.
Not always. If your app uses Microsoft.Bcl.Memory directly, Microsoft says you should update that NuGet package too, then recompile and redeploy the app.
For this issue, Microsoft points to .NET 9.0.14 and .NET 10.0.4, plus Microsoft.Bcl.Memory 9.0.14 and 10.0.4.