EXECUTIVE SUMMARY:
Three vulnerabilities affecting the Microsoft .NET ecosystem, including .NET Core, ASP.NET Core, and Windows Desktop Runtime components, could allow attackers to perform privilege escalation, denial-of-service (DoS), and tampering attacks by exploiting improper input validation and memory-handling weaknesses in affected .NET runtime packages. These flaws may be leveraged to disrupt application availability, escalate privileges on targeted systems, or compromise data integrity. The issues impact multiple architectures and operating systems, highlighting the importance of immediate patching and redeployment of self-contained applications to reduce exposure.

CVE-2026-35433 with a CVSS score of 7.3 – This vulnerability allows an unauthorized attacker to elevate privileges locally. It affects various package versions of nuget/Microsoft.WindowsDesktop.App.Runtime. An attacker could exploit this vulnerability by sending a specially crafted file to a vulnerable system.

CVE-2026-42899 with a CVSS score of 7.5 – This vulnerability allows an unauthorized attacker to deny service over a network. It affects various package versions of nuget/Microsoft.AspNetCore.App.Runtime. An attacker could exploit this vulnerability by sending a specially crafted file to a vulnerable system.

CVE-2026-32175 with a CVSS score of 7.5 – This vulnerability allows an unauthorized attacker to write arbitrary files and directories to certain locations on a vulnerable system. It affects various package versions of nuget/Microsoft.NetCore.App.Runtime. An attacker could exploit this vulnerability by sending a specially crafted file to a vulnerable system.
RECOMMENDATION:
We recommend updating Microsoft.WindowsDesktop.App.Runtime, Microsoft.AspNetCore.App.Runtime and Microsoft.NetCore.App.Runtime to the versions given below:
CVE-2026-35433: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35433
CVE-2026-42899: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42899
CVE-2026-32175: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32175
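
Self-contained applications carry their own copy of the runtime, so updating the machine-wide runtime does not fix them; they have to be found and redeployed. The following inventory script is an added example, not part of this advisory or of Microsoft's guidance. It assumes the usual self-contained publish layout, in which `<app>.deps.json` lists the bundled runtime as `runtimepack.<package>.<rid>/<version>`. The sample tree and the fixed build `8.0.999` are constructed placeholders.

```python
import json, re, tempfile
from pathlib import Path

# Runtime packages named in this advisory (NuGet ids are case-insensitive).
AFFECTED = {"microsoft.windowsdesktop.app.runtime",
            "microsoft.aspnetcore.app.runtime",
            "microsoft.netcore.app.runtime"}
# Assumed layout: a self-contained publish lists its bundled runtime in
# <app>.deps.json under "libraries" as "runtimepack.<package>.<rid>/<version>".
PACK_RE = re.compile(r"^runtimepack\.(?P<pkg>.+\.Runtime)\.(?P<rid>[^/]+)/(?P<ver>.+)$")

def parse_version(text):
    """'8.0.11-rc.1' -> (8, 0, 11); prerelease labels are ignored."""
    return tuple(int(p) for p in text.split("-")[0].split("."))

def bundled_runtimes(deps_path):
    """Return (package, rid, version) for each affected runtime pack in one file."""
    doc = json.loads(Path(deps_path).read_text(encoding="utf-8-sig"))
    hits = (PACK_RE.match(key) for key in doc.get("libraries", {}))
    return [(m["pkg"], m["rid"], m["ver"]) for m in hits
            if m and m["pkg"].lower() in AFFECTED]

def needs_redeploy(root, fixed_by_major):
    """List apps under root whose bundled runtime is older than the fixed build.
    A major version missing from fixed_by_major is reported for manual review."""
    findings = []
    for deps in Path(root).rglob("*.deps.json"):
        for pkg, rid, ver in bundled_runtimes(deps):
            fixed = fixed_by_major.get(parse_version(ver)[0])
            if fixed is None or parse_version(ver) < parse_version(fixed):
                findings.append((deps.name, pkg, rid, ver))
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample input: two self-contained apps, one framework-dependent."""
    apps = {"old": ["runtimepack.Microsoft.NETCore.App.Runtime.win-x64/8.0.1",
                    "runtimepack.Microsoft.AspNetCore.App.Runtime.win-x64/8.0.1"],
            "new": ["runtimepack.Microsoft.NETCore.App.Runtime.linux-x64/8.0.999"],
            "shared": ["Newtonsoft.Json/13.0.3"]}
    for name, libs in apps.items():
        (Path(root) / name).mkdir()
        doc = {"libraries": {lib: {} for lib in libs}}
        (Path(root) / name / f"{name}.deps.json").write_text(json.dumps(doc))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        # 8.0.999 is a placeholder; take the real fixed builds from the MSRC pages.
        for row in needs_redeploy(tmp, {8: "8.0.999"}):
            print(row)
```

Point `needs_redeploy` at the deployment root and pass the fixed build for each supported major version as published in the MSRC entries above.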
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-8x9c-mqxv-q2pp
https://github.com/advisories/GHSA-9v76-4qcc-frgh
https://github.com/advisories/GHSA-rg75-q538-x34v