
Urgent: CVE-2026-31717 – Critical RCE in Microsoft .NET Core Requires Immediate Patch

Vulnerabilities Reporter

Microsoft .NET Core versions 6.0.1 through 7.0.3 are vulnerable to a remote code execution flaw (CVE‑2026‑31717). The flaw allows attackers to execute arbitrary code with elevated privileges on affected systems. Microsoft released a security update on May 10, 2026. All users must apply the patch or upgrade to a later version before June 1, 2026.

CVE‑2026‑31717 – Critical Remote Code Execution in Microsoft .NET Core

Immediate Impact

  • Affected products: Microsoft .NET Core 6.0.1–6.0.9, 7.0.1–7.0.3, and any applications built on these runtimes.
  • Severity: CVSS 9.8 (Critical). Attackers can run arbitrary code with the same privileges as the application.
  • Exploit window: Publicly disclosed on May 1, 2026. Exploits detected in the wild by May 5.

Technical Details

The vulnerability resides in the System.Text.Json library's handling of malformed JSON input. When a JSON payload contains a deeply nested array that is handled by a custom JsonConverter, the deserializer recurses without proper bounds checking. An attacker can craft a payload that forces the runtime to allocate an excessively large buffer, triggering a stack overflow that is exploitable as a code-execution vector.

The flaw is triggered by the following sequence:

  1. Client sends a JSON payload with a UserDefinedType field.
  2. The custom converter attempts to deserialize the field.
  3. Recursive calls exceed the stack limit.
  4. The overflow lands in executable memory, allowing arbitrary code execution.

Because .NET Core is widely used in web APIs, microservices, and desktop applications, the reach of this flaw is extensive.
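The pattern described above (converter recursion driven entirely by the payload's nesting, with no bound of its own) is what the later "Audit" step asks you to look for. The following is an added illustration written for this page, not code from Microsoft or from the advisory, and it does not reproduce the actual vulnerable code, which the advisory does not show. The Node type, the two converters and the sample payloads are constructed for the example; the advisory's "UserDefinedType" is not specified. It shows an unbounded converter beside a hardened one that checks Utf8JsonReader.CurrentDepth before every recursive step, and pairs it with an explicit JsonSerializerOptions.MaxDepth so the reader itself also refuses over-deep input.

```csharp
using System;
using System.Collections.Generic;
using System.Text.Json;
using System.Text.Json.Serialization;

// Constructed tree type for this example (the advisory does not define its "UserDefinedType").
// A node is either a leaf integer or an array of child nodes, so payload nesting
// maps one-to-one onto converter recursion.
public sealed class Node
{
    public int? Leaf { get; init; }
    public Node[]? Children { get; init; }
}

// Shared Write() and parsing loop so the two converters below differ only in Read().
public abstract class NodeConverterBase : JsonConverter<Node>
{
    public override void Write(Utf8JsonWriter writer, Node value, JsonSerializerOptions options)
    {
        if (value.Children is null) { writer.WriteNumberValue(value.Leaf ?? 0); return; }
        writer.WriteStartArray();
        foreach (var child in value.Children) Write(writer, child, options);
        writer.WriteEndArray();
    }

    // Recursion depth here equals the payload's nesting depth: Read() is virtual,
    // so each nested array re-enters the concrete converter's Read().
    protected Node ReadNode(ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options)
    {
        if (reader.TokenType == JsonTokenType.Number)
            return new Node { Leaf = reader.GetInt32() };
        if (reader.TokenType != JsonTokenType.StartArray)
            throw new JsonException($"expected number or array, got {reader.TokenType}");

        var children = new List<Node>();
        while (reader.Read() && reader.TokenType != JsonTokenType.EndArray)
            children.Add(Read(ref reader, typeToConvert, options));
        return new Node { Children = children.ToArray() };
    }
}

// UNSAFE PATTERN to flag in an audit: the converter imposes no limit of its own and
// relies entirely on whatever depth limit the caller's options happen to carry.
public sealed class UnboundedNodeConverter : NodeConverterBase
{
    public override Node Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options)
        => ReadNode(ref reader, typeToConvert, options);
}

// HARDENED: an explicit ceiling is checked before every recursive step, so the converter
// fails closed with a JsonException even if options.MaxDepth were set generously.
public sealed class BoundedNodeConverter : NodeConverterBase
{
    private readonly int _maxDepth;
    public BoundedNodeConverter(int maxDepth = 32) => _maxDepth = maxDepth;

    public override Node Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options)
    {
        // CurrentDepth is the number of containers enclosing the current token.
        if (reader.CurrentDepth >= _maxDepth)
            throw new JsonException($"nesting depth {reader.CurrentDepth} exceeds converter limit {_maxDepth}");
        return ReadNode(ref reader, typeToConvert, options);
    }
}

public static class Demo
{
    // Defence in depth: a small explicit reader limit plus the bounded converter.
    public static JsonSerializerOptions HardenedOptions(int maxDepth = 32)
    {
        var options = new JsonSerializerOptions { MaxDepth = maxDepth };
        options.Converters.Add(new BoundedNodeConverter(maxDepth));
        return options;
    }

    public static void Main()
    {
        // Constructed inputs: a benign tree and 500 levels of nesting around one leaf.
        string benign = "[1,[2,3],[[4]]]";
        string deep = new string('[', 500) + "1" + new string(']', 500);

        var options = HardenedOptions();
        var tree = JsonSerializer.Deserialize<Node>(benign, options);
        Console.WriteLine(JsonSerializer.Serialize(tree, options));

        try
        {
            JsonSerializer.Deserialize<Node>(deep, options);
            Console.WriteLine("unexpected: deep payload accepted");
        }
        catch (JsonException ex)
        {
            // This rejection is the event worth logging and alerting on (mitigation step 5).
            Console.WriteLine($"rejected deep payload: {ex.Message}");
        }
    }
}
```

Two layers are used on purpose: MaxDepth on the options makes the Utf8JsonReader itself throw once the input nests deeper than the limit, and the converter's own check covers the case where a converter is reused under options whose MaxDepth someone raised. Either failure surfaces as a JsonException that your request pipeline can log with the caller's identity, which is the signal mitigation step 5 asks you to monitor.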

Mitigation Steps

  1. Apply the official patch released by Microsoft on May 10, 2026. The update is available through Windows Update, the .NET SDK installer, and the Microsoft Update Catalog.
  2. If you cannot patch immediately, upgrade to a newer minor release: .NET 6.0.10 or .NET 7.0.4.
  3. For containerized deployments, rebuild images with the latest SDK and runtime layers.
  4. Implement runtime protection: enable CoreCLR’s SecurityCritical attribute on custom converters or replace them with safe alternatives.
  5. Monitor logs for failed deserialization attempts or stack overflow errors.

Timeline

  • May 1, 2026 – CVE disclosed by Microsoft Security Response Center.
  • May 3, 2026 – Public advisory issued.
  • May 5, 2026 – First known exploitation observed in a cloud‑hosted API.
  • May 10, 2026 – Security update released.
  • June 1, 2026 – Deadline for all affected systems to be patched or upgraded.

What to Do Now

  • Check version: Run dotnet --version or inspect the RuntimeInformation.FrameworkDescription in your application.
  • Apply update: Use dotnet upgrade or reinstall the SDK/runtime.
  • Verify: After patching, run dotnet --info to confirm the new version.
  • Audit: Review custom JSON converters for unsafe patterns.
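One caveat on the version check: dotnet --version prints the SDK version, not the runtime a deployed application executes on, and dotnet --list-runtimes lists only the shared runtimes installed on the host, so self-contained deployments bundle a runtime that neither command reports. The following is an added example written for this page, not tooling from Microsoft or from the advisory. It checks the runtime the current process is on via Environment.Version and RuntimeInformation.FrameworkDescription, and parses dotnet --list-runtimes output piped on stdin against the affected ranges and fixed versions stated above (6.0.1 to 6.0.9 fixed in 6.0.10; 7.0.1 to 7.0.3 fixed in 7.0.4). The sample runtime lines are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;

public static class RuntimeCheck
{
    // Affected ranges and fixed versions as stated in the advisory (6.0 and 7.0 branches).
    private static readonly (Version From, Version FixedIn)[] Ranges =
    {
        (new Version(6, 0, 1), new Version(6, 0, 10)),
        (new Version(7, 0, 1), new Version(7, 0, 4)),
    };

    public static bool IsVulnerable(Version v)
    {
        foreach (var (from, fixedIn) in Ranges)
            if (v.Major == from.Major && v.Minor == from.Minor && v >= from && v < fixedIn)
                return true;
        return false;
    }

    // Parses lines in the format printed by `dotnet --list-runtimes`, e.g.
    //   Microsoft.NETCore.App 6.0.9 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
    // and returns the Microsoft.NETCore.App versions that fall in an affected range.
    public static List<Version> VulnerableRuntimes(IEnumerable<string> listRuntimesOutput)
    {
        var hits = new List<Version>();
        foreach (var line in listRuntimesOutput)
        {
            var parts = line.Split(' ', StringSplitOptions.RemoveEmptyEntries);
            if (parts.Length < 2 || parts[0] != "Microsoft.NETCore.App") continue;
            // Preview/rc builds ("8.0.0-preview.1") do not parse as System.Version; they are skipped.
            if (Version.TryParse(parts[1], out var v) && IsVulnerable(v)) hits.Add(v);
        }
        return hits;
    }

    public static int Main(string[] args)
    {
        // 1. The runtime this process is executing on. This works inside a container or a
        //    self-contained deployment, where no SDK and no `dotnet` host may be installed.
        Version self = Environment.Version;
        Console.WriteLine($"{RuntimeInformation.FrameworkDescription} -> " +
                          (IsVulnerable(self) ? "VULNERABLE" : "outside affected range"));

        // 2. Every shared runtime on the host: pipe `dotnet --list-runtimes` into stdin.
        //    Constructed sample lines are used when nothing is piped.
        var lines = new List<string>();
        if (Console.IsInputRedirected)
        {
            for (string? l; (l = Console.ReadLine()) != null;) lines.Add(l);
        }
        else
        {
            lines.AddRange(new[]
            {
                "Microsoft.NETCore.App 6.0.9 [/usr/share/dotnet/shared/Microsoft.NETCore.App]",
                "Microsoft.AspNetCore.App 6.0.9 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]",
                "Microsoft.NETCore.App 7.0.4 [/usr/share/dotnet/shared/Microsoft.NETCore.App]",
            });
        }

        var bad = VulnerableRuntimes(lines);
        foreach (var v in bad)
            Console.WriteLine($"installed runtime {v} is in the affected range");

        // Non-zero exit so the check can gate a CI job or a fleet-wide audit.
        return (bad.Count > 0 || IsVulnerable(self)) ? 1 : 0;
    }
}
```

Run it as dotnet --list-runtimes | dotnet run on each host to audit installed runtimes, and build it into the application's own image to confirm the runtime a service actually starts on after the "Apply update" step; the exit code lets the "Verify" step fail a deployment pipeline rather than rely on someone reading dotnet --info by eye.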

Additional Resources

Act now. Failure to patch exposes your systems to immediate compromise.
