CVE-2018-0765
Description
A denial of service vulnerability exists when .NET and .NET Core improperly process XML documents, aka ".NET and .NET Core Denial of Service Vulnerability." This affects Microsoft .NET Framework 2.0, Microsoft .NET Framework 3.0, Microsoft .NET Framework 4.7.1, Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.7/4.7.1, Microsoft .NET Framework 4.6, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.6/4.6.1/4.6.2, Microsoft .NET Framework 4.6.2/4.7/4.7.1, .NET Core 2.0, Microsoft .NET Framework 4.7.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A denial of service vulnerability in .NET/.NET Core when processing specially crafted XML documents can cause excessive resource consumption and service unavailability.
Vulnerability
A denial of service vulnerability exists in .NET and .NET Core when the XML parser improperly processes certain XML documents. The affected packages include System.Security.Cryptography.Xml (NuGet) versions before 4.4.2, and multiple .NET Framework versions: 2.0, 3.0, 3.5, 3.5.1, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2, as well as .NET Core 2.0 [1][2].
Exploitation
An attacker can exploit this vulnerability by providing a specially crafted XML document to an affected application. No authentication or user interaction is required; the attack can be delivered remotely via any application that processes XML input, such as a web service or file upload [1][2].
Impact
Successful exploitation leads to a denial of service condition. The affected system may become unresponsive or crash due to excessive resource consumption (e.g., CPU or memory), potentially interrupting legitimate service operations [1][2].
Mitigation
Microsoft released updates in May 2018 for the affected .NET Framework versions. For the NuGet package System.Security.Cryptography.Xml, the fixed version is 4.4.2 or later [2]. Administrators should apply the latest security updates via Windows Update or by upgrading the affected NuGet package [1][2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| System.Security.Cryptography.Xml (NuGet) | < 4.4.2 | 4.4.2 |
References
- github.com/advisories/GHSA-35hc-x2cw-2j4v (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2018-0765 (ghsa, ADVISORY)
- www.securityfocus.com/bid/104060 (ghsa, vdb-entry, x_refsource_BID, WEB)
- www.securitytracker.com/id/1040851 (ghsa, vdb-entry, x_refsource_SECTRACK, WEB)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0765 (ghsa, x_refsource_CONFIRM, WEB)