Search for vulnerabilities
Vulnerability details: VCID-yp87-gy7h-aqcz
Vulnerability ID VCID-yp87-gy7h-aqcz
Aliases CVE-2021-26423
GHSA-rh58-r7jh-xhx3
Summary .NET Core Elevation of Privilege Vulnerability Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 5.0 and .NET Core 3.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A denial of service vulnerability exists in .NET 5.0, .NET Core 3.1 and .NET Core 2.1 where .NET (Core) server applications providing WebSocket endpoints could be tricked into endlessly looping while trying to read a single WebSocket frame. ### Patches * If you're using .NET 5.0, you should download and install Runtime 5.0.9 or SDK 5.0.206 (for Visual Studio 2019 v16.8) or SDK 5.0.303 (for Visual Studio 2019 V16.10) from https://dotnet.microsoft.com/download/dotnet-core/5.0. * If you're using .NET Core 3.1, you should download and install Runtime 3.1.18 or SDK 3.1.118 (for Visual Studio 2019 v16.4) or 3.1.412 (for Visual Studio 2019 v16.7 or later) from https://dotnet.microsoft.com/download/dotnet-core/3.1. * If you're using .NET Core 2.1, you should download and install Runtime 2.1.29 or SDK 2.1.525 (for Visual Studio 2019 v15.9) or 2.1.817 from https://dotnet.microsoft.com/download/dotnet-core/2.1. #### Other Details - Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/194 - An Issue for this can be found at https://github.com/dotnet/runtime/issues/57175 - MSRC details for this can be found at https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26423
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-26423.json
epss 0.0242 https://api.first.org/data/v1/epss?cve=CVE-2021-26423
epss 0.0242 https://api.first.org/data/v1/epss?cve=CVE-2021-26423
epss 0.0242 https://api.first.org/data/v1/epss?cve=CVE-2021-26423
epss 0.0242 https://api.first.org/data/v1/epss?cve=CVE-2021-26423
epss 0.0242 https://api.first.org/data/v1/epss?cve=CVE-2021-26423
epss 0.0242 https://api.first.org/data/v1/epss?cve=CVE-2021-26423
epss 0.0242 https://api.first.org/data/v1/epss?cve=CVE-2021-26423
epss 0.0242 https://api.first.org/data/v1/epss?cve=CVE-2021-26423
epss 0.0242 https://api.first.org/data/v1/epss?cve=CVE-2021-26423
epss 0.0242 https://api.first.org/data/v1/epss?cve=CVE-2021-26423
epss 0.0242 https://api.first.org/data/v1/epss?cve=CVE-2021-26423
epss 0.0242 https://api.first.org/data/v1/epss?cve=CVE-2021-26423
epss 0.0242 https://api.first.org/data/v1/epss?cve=CVE-2021-26423
epss 0.0242 https://api.first.org/data/v1/epss?cve=CVE-2021-26423
epss 0.0242 https://api.first.org/data/v1/epss?cve=CVE-2021-26423
epss 0.0242 https://api.first.org/data/v1/epss?cve=CVE-2021-26423
epss 0.0242 https://api.first.org/data/v1/epss?cve=CVE-2021-26423
epss 0.0242 https://api.first.org/data/v1/epss?cve=CVE-2021-26423
epss 0.0242 https://api.first.org/data/v1/epss?cve=CVE-2021-26423
epss 0.0242 https://api.first.org/data/v1/epss?cve=CVE-2021-26423
epss 0.0242 https://api.first.org/data/v1/epss?cve=CVE-2021-26423
epss 0.0242 https://api.first.org/data/v1/epss?cve=CVE-2021-26423
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-rh58-r7jh-xhx3
cvssv3.1 7.5 https://github.com/dotnet/announcements/issues/194
generic_textual HIGH https://github.com/dotnet/announcements/issues/194
cvssv3.1 7.5 https://github.com/dotnet/runtime/security/advisories/GHSA-rh58-r7jh-xhx3
cvssv3.1_qr HIGH https://github.com/dotnet/runtime/security/advisories/GHSA-rh58-r7jh-xhx3
generic_textual HIGH https://github.com/dotnet/runtime/security/advisories/GHSA-rh58-r7jh-xhx3
cvssv2 5.0 https://nvd.nist.gov/vuln/detail/CVE-2021-26423
cvssv3.1 7.5 https://nvd.nist.gov/vuln/detail/CVE-2021-26423
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2021-26423
cvssv3.1 7.5 https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26423
generic_textual HIGH https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26423
archlinux Medium https://security.archlinux.org/AVG-2277
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-26423.json
https://api.first.org/data/v1/epss?cve=CVE-2021-26423
https://github.com/dotnet/announcements/issues/194
https://github.com/dotnet/runtime/security/advisories/GHSA-rh58-r7jh-xhx3
https://nvd.nist.gov/vuln/detail/CVE-2021-26423
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26423
1990295 https://bugzilla.redhat.com/show_bug.cgi?id=1990295
AVG-2277 https://security.archlinux.org/AVG-2277
cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:.net_core:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:microsoft:.net_core:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:powershell_core:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:microsoft:powershell_core:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:visual_studio_2017:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:microsoft:visual_studio_2017:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:visual_studio_2019:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:microsoft:visual_studio_2019:*:*:*:*:*:*:*:*
cpe:2.3:a:microsoft:visual_studio_2019:8.10:*:*:*:*:macos:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:microsoft:visual_studio_2019:8.10:*:*:*:*:macos:*:*
GHSA-rh58-r7jh-xhx3 https://github.com/advisories/GHSA-rh58-r7jh-xhx3
RHSA-2021:3142 https://access.redhat.com/errata/RHSA-2021:3142
RHSA-2021:3143 https://access.redhat.com/errata/RHSA-2021:3143
RHSA-2021:3147 https://access.redhat.com/errata/RHSA-2021:3147
RHSA-2021:3148 https://access.redhat.com/errata/RHSA-2021:3148
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-26423.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/dotnet/announcements/issues/194
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/dotnet/runtime/security/advisories/GHSA-rh58-r7jh-xhx3
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2021-26423
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2021-26423
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26423
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.84491
EPSS Score 0.0242
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:59:21.403925+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-rh58-r7jh-xhx3/GHSA-rh58-r7jh-xhx3.json 37.0.0