
Microsoft shipped three .NET security patches on June 9 — and one of them can crash your ASP.NET Core app from the internet without a login. CVE-2026-45591 is a denial-of-service vulnerability in the MessagePack hub protocol used by SignalR and Blazor Server. An unauthenticated attacker sends deeply-nested MessagePack arrays, the parser recurses into a stack overflow, and your app goes down. CVSS 7.5. No active exploit yet, but the window is open. If you haven’t updated to .NET 8.0.28, 9.0.17, or 10.0.9, do it now.
How the Attack Works
The bug lives in the MessagePack hub protocol deserializer. MessagePack is a binary serialization format that SignalR supports as a higher-performance alternative to JSON. When a message arrives, the parser reads arrays recursively — with no depth limit. Send a message with arrays nested deep enough, and the parser blows the call stack, crashing the process.
What makes this dangerous at scale: the attack is network-accessible, requires zero authentication, and requires no user interaction. Any SignalR endpoint that accepts MessagePack-formatted messages is a valid target. The CVSS breakdown reflects this — attack vector is Network, complexity is Low, no privileges required, and availability impact is High.
Blazor Server uses SignalR internally for its circuit (UI state sync), but the MessagePack path only triggers if you explicitly add AddMessagePackProtocol() to your SignalR services. Default Blazor Server uses the JSON protocol and is not directly affected by this specific CVE. If you’re unsure whether your app uses MessagePack, check your Program.cs for that call.
The Patch Gap: Self-Contained Apps and Containers
This is where teams get caught out. Framework-dependent apps running on a host where the .NET runtime has been updated are fine. But two increasingly common deployment patterns are not automatically covered.
Self-contained apps bundle their own copy of the .NET runtime into the deployment artifact. Patching the host OS or the system-level .NET installation does nothing for them. You have to rebuild the app against the updated SDK to get the fix baked in.
Container images follow the same logic. If your containers run a base image that predates .NET 8.0.28, the vulnerability is still present regardless of what the host is running. Rebuild against an updated base image:
FROM mcr.microsoft.com/dotnet/aspnet:8.0.28
# Or use the rolling patch tag
FROM mcr.microsoft.com/dotnet/aspnet:8.0
CI/CD build agents with pinned .NET SDK installations are a third blind spot worth checking. If your build agent hosts any ASP.NET Core tooling and hasn’t been updated, it remains exposed.
Three CVEs, One Update
CVE-2026-45591 is not the only fix in the June 9 package. Two additional .NET vulnerabilities shipped alongside it, all fixed by the same update:
- CVE-2026-45491 (CVSS 6.8): A path traversal vulnerability in System.Formats.Tar. An attacker can write arbitrary files outside the intended extraction directory via symbolic links — a Tar Slip variant that enables local privilege escalation.
- CVE-2026-45490 (CVSS 6.0): Named pipe mishandling in the .NET SDK allows an authorized local attacker to create or truncate arbitrary files, enabling privilege escalation on the local machine.
All three are fixed in .NET 8.0.28, .NET 9.0.17, and .NET 10.0.9. One update, three vulnerabilities closed. See the .NET Blog’s June 2026 servicing update post for the full changelog.
How to Verify and Fix
Check what you’re running:
dotnet --version
dotnet --list-runtimes
If your runtime is below 8.0.28, 9.0.17, or 10.0.9, update through whichever channel fits your setup:
- Windows: Windows Update, winget, or update Visual Studio 2026 to 18.6.3
- Linux (Debian/Ubuntu):
sudo apt-get update && sudo apt-get install dotnet-sdk-8.0
- Linux (RHEL/Fedora):
sudo dnf update dotnet-sdk-8.0
- Docker: Rebuild with an updated base image
- Self-contained apps: Rebuild against the updated SDK and redeploy
If you use the MessagePack NuGet package directly, the patched version is Microsoft.AspNetCore.SignalR.Protocols.MessagePack 10.0.7. The full advisory details are in the dotnet/announcements GitHub issue #405.
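To turn the version check above into something you can run across a fleet, here is an added script (not from the article or from Microsoft) that classifies every shared framework in `dotnet --list-runtimes` output against the fixed versions, and also reads a self-contained app's `<app>.runtimeconfig.json`, since the host listing never sees the runtime bundled inside such an app. It assumes self-contained apps record their bundled frameworks under `runtimeOptions.includedFrameworks`; the sample listing and config are constructed.

```python
import json
import re

# Fixed runtime versions named in the advisory, keyed by major version.
FIXED = {8: (8, 0, 28), 9: (9, 0, 17), 10: (10, 0, 9)}

# One `dotnet --list-runtimes` line, e.g.
# Microsoft.AspNetCore.App 8.0.20 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
LINE_RE = re.compile(r"^(?P<name>\S+)\s+(?P<ver>\d+\.\d+\.\d+)(?P<pre>-\S+)?\s+\[")


def classify(version: str) -> str:
    """Return 'patched', 'VULNERABLE' or 'not-covered' for one runtime version."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(-\S+)?$", version)
    if not m:
        return "not-covered"
    nums = tuple(int(m.group(i)) for i in (1, 2, 3))
    fixed = FIXED.get(nums[0])
    if fixed is None:
        return "not-covered"  # major not named in the advisory (e.g. 6.x)
    # A prerelease of the fixed version (10.0.9-rc.1...) still sorts below the fix.
    return "patched" if (nums, m.group(4) is None) >= (fixed, True) else "VULNERABLE"


def check_host(listing: str) -> list:
    """Classify every shared framework found in `dotnet --list-runtimes` output."""
    rows = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ver = m.group("ver") + (m.group("pre") or "")
            rows.append((m.group("name"), ver, classify(ver)))
    return rows


def check_self_contained(runtimeconfig_json: str) -> list:
    """Self-contained apps bundle the runtime, so check the app's own config.
    Assumption: bundled frameworks sit under runtimeOptions.includedFrameworks."""
    cfg = json.loads(runtimeconfig_json)
    frameworks = cfg.get("runtimeOptions", {}).get("includedFrameworks", [])
    return [(f["name"], f["version"], classify(f["version"])) for f in frameworks]


# Constructed sample inputs; not real output from any host or app.
SAMPLE_LISTING = """\
Microsoft.AspNetCore.App 8.0.20 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.28 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 6.0.36 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 10.0.9-rc.1.25451.107 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""
SAMPLE_RUNTIMECONFIG = json.dumps({"runtimeOptions": {"tfm": "net9.0", "includedFrameworks": [
    {"name": "Microsoft.NETCore.App", "version": "9.0.12"},
    {"name": "Microsoft.AspNetCore.App", "version": "9.0.12"}]}})

if __name__ == "__main__":
    for row in check_host(SAMPLE_LISTING) + check_self_contained(SAMPLE_RUNTIMECONFIG):
        print("%-28s %-24s %s" % row)
```

A row marked `not-covered` is a major version the advisory does not name, which usually means out of support rather than safe.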
Patch Now, Not When an Exploit Appears
Microsoft rates exploitation as “less likely” — which means no known working exploit today. That’s a patching window, not an all-clear. A nearly identical attack class — SignalR DoS via recursive deserialization — has been used before. Stack overflow via nested deserialization is a well-understood primitive. Someone will build a proof of concept.
SignalR endpoints are frequently internet-facing by design: real-time dashboards, chat, live collaboration tools. Seventy percent of .NET web developers use ASP.NET Core (JetBrains 2025 State of .NET). The attack surface is not small. Patch your runtimes, rebuild your containers, and verify your self-contained deployments before “less likely” becomes “actively exploited.”