Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-4rcu-jd6x-ufeu
Vulnerability ID VCID-4rcu-jd6x-ufeu
Aliases CVE-2021-26423
GHSA-rh58-r7jh-xhx3
Summary .NET Core Elevation of Privilege Vulnerability Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 5.0 and .NET Core 3.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A denial of service vulnerability exists in .NET 5.0, .NET Core 3.1 and .NET Core 2.1 where .NET (Core) server applications providing WebSocket endpoints could be tricked into endlessly looping while trying to read a single WebSocket frame. ### Patches * If you're using .NET 5.0, you should download and install Runtime 5.0.9 or SDK 5.0.206 (for Visual Studio 2019 v16.8) or SDK 5.0.303 (for Visual Studio 2019 V16.10) from https://dotnet.microsoft.com/download/dotnet-core/5.0. * If you're using .NET Core 3.1, you should download and install Runtime 3.1.18 or SDK 3.1.118 (for Visual Studio 2019 v16.4) or 3.1.412 (for Visual Studio 2019 v16.7 or later) from https://dotnet.microsoft.com/download/dotnet-core/3.1. * If you're using .NET Core 2.1, you should download and install Runtime 2.1.29 or SDK 2.1.525 (for Visual Studio 2019 v15.9) or 2.1.817 from https://dotnet.microsoft.com/download/dotnet-core/2.1. #### Other Details - Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/194 - An Issue for this can be found at https://github.com/dotnet/runtime/issues/57175 - MSRC details for this can be found at https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26423
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-26423.json
epss 0.03366 https://api.first.org/data/v1/epss?cve=CVE-2021-26423
epss 0.03366 https://api.first.org/data/v1/epss?cve=CVE-2021-26423
epss 0.03366 https://api.first.org/data/v1/epss?cve=CVE-2021-26423
epss 0.03366 https://api.first.org/data/v1/epss?cve=CVE-2021-26423
epss 0.03657 https://api.first.org/data/v1/epss?cve=CVE-2021-26423
epss 0.03657 https://api.first.org/data/v1/epss?cve=CVE-2021-26423
epss 0.03657 https://api.first.org/data/v1/epss?cve=CVE-2021-26423
epss 0.03657 https://api.first.org/data/v1/epss?cve=CVE-2021-26423
epss 0.03657 https://api.first.org/data/v1/epss?cve=CVE-2021-26423
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-rh58-r7jh-xhx3
cvssv3.1 7.5 https://github.com/dotnet/announcements/issues/194
generic_textual HIGH https://github.com/dotnet/announcements/issues/194
cvssv3.1 7.5 https://github.com/dotnet/runtime/security/advisories/GHSA-rh58-r7jh-xhx3
cvssv3.1_qr HIGH https://github.com/dotnet/runtime/security/advisories/GHSA-rh58-r7jh-xhx3
generic_textual HIGH https://github.com/dotnet/runtime/security/advisories/GHSA-rh58-r7jh-xhx3
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2021-26423
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2021-26423
cvssv3.1 7.5 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26423
generic_textual HIGH https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26423
archlinux Medium https://security.archlinux.org/AVG-2277
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-26423.json
https://api.first.org/data/v1/epss?cve=CVE-2021-26423
https://github.com/dotnet/announcements/issues/194
https://github.com/dotnet/runtime/security/advisories/GHSA-rh58-r7jh-xhx3
https://nvd.nist.gov/vuln/detail/CVE-2021-26423
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26423
1990295 https://bugzilla.redhat.com/show_bug.cgi?id=1990295
AVG-2277 https://security.archlinux.org/AVG-2277
GHSA-rh58-r7jh-xhx3 https://github.com/advisories/GHSA-rh58-r7jh-xhx3
RHSA-2021:3142 https://access.redhat.com/errata/RHSA-2021:3142
RHSA-2021:3143 https://access.redhat.com/errata/RHSA-2021:3143
RHSA-2021:3147 https://access.redhat.com/errata/RHSA-2021:3147
RHSA-2021:3148 https://access.redhat.com/errata/RHSA-2021:3148
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-26423.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/dotnet/announcements/issues/194
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/dotnet/runtime/security/advisories/GHSA-rh58-r7jh-xhx3
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2021-26423
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26423
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.87356
EPSS Score 0.03366
Published At April 9, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T13:05:02.863860+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-rh58-r7jh-xhx3/GHSA-rh58-r7jh-xhx3.json 38.0.0