CVE-2026-42899 Overview
CVE-2026-42899 is a denial-of-service vulnerability in ASP.NET Core caused by a loop with an unreachable exit condition. An unauthorized remote attacker can trigger an infinite loop over the network, exhausting CPU resources on the affected host. The flaw is tracked under CWE-835 (Loop with Unreachable Exit Condition).
The vulnerability affects Microsoft .NET deployments running on Windows, Linux, and macOS. No authentication or user interaction is required for exploitation, making any internet-facing ASP.NET Core service a potential target.
Critical Impact
An unauthenticated remote attacker can send crafted network requests that drive an ASP.NET Core worker into an infinite loop, producing sustained CPU exhaustion and service outage.
Affected Products
- Microsoft .NET (ASP.NET Core runtime)
- Microsoft Windows hosts running ASP.NET Core
- Apple macOS and Linux hosts running ASP.NET Core
Discovery Timeline
- 2026-05-12 - CVE-2026-42899 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42899
Vulnerability Analysis
The issue resides in ASP.NET Core request-processing logic that contains a loop whose termination condition can never become true when fed specific attacker-controlled input. When a vulnerable code path is reached, the worker thread enters a non-terminating execution state. Subsequent valid requests queue behind the stalled thread, and additional malicious requests multiply the impact across the thread pool.
The weakness maps to CWE-835. It is a classic algorithmic availability defect rather than a memory-corruption bug. Confidentiality and integrity are unaffected, but availability impact is high because each successful request consumes a worker indefinitely.
Microsoft has published advisory details at the Microsoft Security Update CVE-2026-42899 guide.
Root Cause
The loop relies on a state variable that the parser fails to advance for certain malformed inputs. Because the exit condition depends on that variable, iteration continues forever. The defect is platform-independent and reproduces on every operating system where the affected .NET runtime executes.
Attack Vector
Exploitation requires only network reachability to an ASP.NET Core endpoint. The attacker submits a crafted HTTP request that traverses the defective code path. No credentials, cookies, or prior session state are needed. Repeated requests amplify resource exhaustion until the host becomes unresponsive.
No public proof-of-concept is listed in CISA KEV, ExploitDB, or referenced PoC repositories at the time of publication. The EPSS probability is 0.037%, reflecting low observed exploitation activity to date.
Detection Methods for CVE-2026-42899
Indicators of Compromise
- Sustained high CPU utilization on dotnet or w3wp.exe worker processes without a corresponding rise in completed requests.
- HTTP request queue length growing on Kestrel or IIS while throughput drops to near zero.
- Repeated requests from a single source to ASP.NET Core endpoints immediately preceding the CPU spike.
- Thread dumps showing many worker threads stuck inside the same ASP.NET Core parsing or routing function.
Detection Strategies
- Baseline CPU and request-latency metrics per ASP.NET Core service and alert on deviations that persist beyond normal traffic bursts.
- Correlate web access logs with process telemetry to identify request patterns that precede worker thread starvation.
- Use behavioral endpoint telemetry, such as the Singularity Platform agent on Windows, Linux, and macOS hosts, to flag anomalous long-running dotnet threads.
Monitoring Recommendations
- Forward Kestrel, IIS, and reverse-proxy logs into a centralized SIEM such as Singularity Data Lake for correlation with host metrics.
- Track ASP.NET Core performance counters including Requests Queued, Requests Executing, and per-process CPU time.
- Alert on health-probe failures and 5xx surges from upstream load balancers fronting .NET services.
How to Mitigate CVE-2026-42899
Immediate Actions Required
- Apply the Microsoft .NET security update referenced in the Microsoft Security Update CVE-2026-42899 guide to all affected runtimes.
- Inventory every host running ASP.NET Core across Windows, Linux, and macOS, and prioritize internet-facing services.
- Restart dotnet worker processes after patching to ensure the vulnerable image is no longer resident in memory.
Patch Information
Microsoft has issued updated .NET runtime and SDK packages addressing the defective loop. Install the latest patch level for the .NET major version in use (for example, the current servicing release for .NET 8 or .NET 9). Container images that bundle the runtime must be rebuilt from updated base images and redeployed.
Workarounds
- Place a web application firewall or reverse proxy in front of ASP.NET Core endpoints and enforce request size, timeout, and rate limits.
- Configure Kestrel RequestTimeout and per-connection limits to terminate long-running requests automatically.
- Restrict exposure of non-essential ASP.NET Core endpoints to trusted networks until patching is complete.
- Monitor and auto-recycle worker processes that exceed CPU thresholds to limit the duration of any successful attack.
# Configuration example: enforce request timeouts in ASP.NET Core (Program.cs)
builder.WebHost.ConfigureKestrel(options =>
{
options.Limits.KeepAliveTimeout = TimeSpan.FromSeconds(30);
options.Limits.RequestHeadersTimeout = TimeSpan.FromSeconds(10);
options.Limits.MaxRequestBodySize = 1_048_576; // 1 MB
});
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
