Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network.
CVE ID: CVE-2025-26682
CVSS Base Severity: HIGH
CVSS Base Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C
Vendor: Microsoft
Product: ASP.NET Core 8.0, Microsoft Visual Studio 2022 version 17.12, Microsoft Visual Studio 2022 version 17.13, Microsoft Visual Studio 2022 version 17.8, Microsoft Visual Studio 2022 version 17.10, ASP.NET Core 9.0
EPSS Score: 2.14% (probability of being exploited)
EPSS Percentile: 83.24% (share of scored vulnerabilities with an equal or lower EPSS score)
EPSS Date: 2025-05-07 (when this score was calculated)
SSVC Exploitation: none
SSVC Technical Impact: partial
SSVC Automatable: true