CVE-2026-50506
Received Received - Intake

Denial of Service in ASP.NET Core

Vulnerability report for CVE-2026-50506, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-14

Last updated on: 2026-07-14

Assigner: Microsoft Corporation

Description

Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-14
Last Modified
2026-07-14
Generated
2026-07-14
AI Q&A
2026-07-14
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
microsoft asp.net_core *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Impact Analysis

If you are using a system or application built on ASP.NET Core, this vulnerability could impact you in the following ways:

  • Denial of Service (DoS): An attacker could exploit this vulnerability to crash your application or server, making it unavailable to legitimate users. This could disrupt business operations, lead to downtime, and result in financial or reputational damage.
  • Resource Exhaustion: The system may experience high CPU usage, memory consumption, or network bandwidth saturation, degrading performance for all users and potentially causing other services to fail.
  • No Authentication Required: Since the attack can be carried out by an unauthorized user over a network, it lowers the barrier for exploitation, increasing the risk of widespread attacks.
Executive Summary

CVE-2026-50506 is a vulnerability in ASP.NET Core where the software allocates resources without imposing limits or throttling. This means that an attacker can exploit this flaw to consume excessive system resources, such as memory or processing power, without any restrictions.

The vulnerability allows an unauthorized attacker to send requests or inputs that trigger uncontrolled resource allocation. Since there are no safeguards to limit the amount of resources consumed, the system can become overwhelmed, leading to a denial of service (DoS) condition.

This issue is classified as a network-based attack, meaning the attacker does not need physical access or special privileges to exploit it. The CVSS score of 7.5 indicates a high severity, primarily affecting the availability of the system.

Compliance Impact

This vulnerability can impact compliance with common standards and regulations in the following ways:

  • GDPR (General Data Protection Regulation): While GDPR primarily focuses on data privacy and protection, a denial of service attack could lead to service unavailability, indirectly affecting the availability of personal data. Under GDPR, organizations must ensure the confidentiality, integrity, and availability of personal data. Prolonged downtime due to this vulnerability could be seen as a failure to meet these requirements.
  • HIPAA (Health Insurance Portability and Accountability Act): HIPAA requires covered entities to ensure the availability and security of protected health information (PHI). A denial of service attack could disrupt access to PHI, violating HIPAA's availability requirements. Additionally, if the attack leads to unauthorized access or exposure of PHI, it could result in further compliance violations.
  • Other Standards (e.g., ISO 27001, NIST): Many cybersecurity frameworks emphasize the importance of maintaining system availability and protecting against denial of service attacks. Failure to mitigate this vulnerability could result in non-compliance with these standards, potentially leading to audits, fines, or loss of certifications.

It is important to address this vulnerability promptly to avoid potential compliance risks and ensure the continued security and availability of your systems.

Detection Guidance

Detecting this vulnerability on your network or system may require monitoring for unusual resource consumption patterns in ASP.NET Core applications. Since the vulnerability involves resource allocation without limits or throttling, you can look for signs of excessive memory usage, CPU spikes, or network traffic directed at ASP.NET Core services.

While specific commands are not provided in the context, you can use the following general approaches to monitor your system:

  • Use performance monitoring tools like Windows Performance Monitor (PerfMon) or Linux tools like top/htop to track memory and CPU usage of ASP.NET Core processes.
  • Check network logs for unusual traffic patterns targeting ASP.NET Core applications using tools like Wireshark or built-in logging in your web server (e.g., IIS, Kestrel).
  • Review ASP.NET Core application logs for repeated or abnormal requests that could indicate an attempt to exploit this vulnerability.

For precise detection, refer to Microsoft's official guidance or security tools that may provide specific indicators of compromise or detection methods.

Mitigation Strategies

To mitigate this vulnerability, follow these immediate steps:

  • Apply the latest security updates provided by Microsoft for ASP.NET Core. The patch for CVE-2026-50506 should address the resource allocation issue.
  • If a patch is not immediately available, implement rate limiting or request throttling on your ASP.NET Core applications to prevent excessive resource consumption. This can be done using middleware like ASP.NET Core Rate Limiting.
  • Restrict network access to ASP.NET Core applications using firewalls or network security groups to limit exposure to unauthorized attackers.
  • Monitor your ASP.NET Core applications for signs of exploitation, such as unusual spikes in resource usage or network traffic.

For detailed mitigation steps, refer to Microsoft's official update guide for CVE-2026-50506.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50506. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart