CVE-2026-42899: Microsoft Security Advisory CVE-2026-42899 – ASP.NET Core Denial of Service Vulnerability

May 18, 2026

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0, .NET 9.0, and .NET 10.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

Loop with unreachable exit condition (‘infinite loop’) in ASP.NET Core allows an unauthorized attacker to deny service over a network.

References

github.com/advisories/GHSA-9v76-4qcc-frgh
github.com/dotnet/announcements/issues/397
github.com/dotnet/aspnetcore/security/advisories/GHSA-9v76-4qcc-frgh
msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42899
nvd.nist.gov/vuln/detail/CVE-2026-42899

Code Behaviors & Features

Detect and mitigate CVE-2026-42899 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →