CVE-2026-54778
Received Received - Intake

Unix Domain Socket Identity Spoofing in CoreWCF

Vulnerability report for CVE-2026-54778, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, CoreWCF UnixDomainSocket POSIX peer identity resolution uses non-reentrant getpwuid and getgrgid calls, allowing concurrent connections to attribute one connection's identity to another or crash the host process under contention. This issue is fixed in versions 1.8.1 and 1.9.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
corewcf corewcf to 1.8.1 (inc)
corewcf corewcf to 1.9.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-362 The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
CWE-825 The product dereferences a pointer that contains a location for memory that was previously valid, but is no longer valid.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in CoreWCF, a port of the Windows Communication Foundation service side to .NET Core. Before versions 1.8.1 and 1.9.1, the UnixDomainSocket POSIX peer identity resolution used non-reentrant system calls getpwuid and getgrgid. Because these calls are not safe for concurrent use, multiple simultaneous connections could cause one connection's identity to be incorrectly attributed to another connection or cause the host process to crash under contention.

Impact Analysis

The vulnerability can lead to incorrect identity attribution between concurrent connections, meaning that one connection might be mistakenly recognized as another. This can cause security issues such as unauthorized access or data leakage. Additionally, the host process may crash under contention, leading to denial of service.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade CoreWCF to version 1.8.1 or 1.9.1 or later, where the issue with UnixDomainSocket POSIX peer identity resolution has been fixed.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-54778. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart