High severity7.5NVD Advisory· Published Mar 10, 2026· Updated Apr 1, 2026

CVE-2026-26127

Description

Out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
Microsoft.Bcl.MemoryNuGet	>= 9.0.0, < 9.0.14	9.0.14
Microsoft.NetCore.App.Runtime.linux-armNuGet	>= 9.0.0, < 9.0.14	9.0.14
Microsoft.NetCore.App.Runtime.linux-arm64NuGet	>= 9.0.0, < 9.0.14	9.0.14
Microsoft.NetCore.App.Runtime.linux-musl-armNuGet	>= 9.0.0, < 9.0.14	9.0.14
Microsoft.NetCore.App.Runtime.linux-musl-arm64NuGet	>= 9.0.0, < 9.0.14	9.0.14
Microsoft.NetCore.App.Runtime.linux-musl-x64NuGet	>= 9.0.0, < 9.0.14	9.0.14
Microsoft.NetCore.App.Runtime.linux-x64NuGet	>= 9.0.0, < 9.0.14	9.0.14
Microsoft.NetCore.App.Runtime.osx-arm64NuGet	>= 9.0.0, < 9.0.14	9.0.14
Microsoft.NetCore.App.Runtime.osx-x64NuGet	>= 9.0.0, < 9.0.14	9.0.14
Microsoft.NetCore.App.Runtime.win-armNuGet	>= 9.0.0, < 9.0.14	9.0.14
Microsoft.NetCore.App.Runtime.win-arm64NuGet	>= 9.0.0, < 9.0.14	9.0.14
Microsoft.NetCore.App.Runtime.win-x64NuGet	>= 9.0.0, < 9.0.14	9.0.14
Microsoft.NetCore.App.Runtime.win-x86NuGet	>= 9.0.0, < 9.0.14	9.0.14
Microsoft.Bcl.MemoryNuGet	>= 10.0.0, < 10.0.4	10.0.4
Microsoft.NetCore.App.Runtime.linux-armNuGet	>= 10.0.0, < 10.0.4	10.0.4
Microsoft.NetCore.App.Runtime.linux-arm64NuGet	>= 10.0.0, < 10.0.4	10.0.4
Microsoft.NetCore.App.Runtime.linux-musl-armNuGet	>= 10.0.0, < 10.0.4	10.0.4
Microsoft.NetCore.App.Runtime.linux-musl-arm64NuGet	>= 10.0.0, < 10.0.4	10.0.4
Microsoft.NetCore.App.Runtime.linux-musl-x64NuGet	>= 10.0.0, < 10.0.4	10.0.4
Microsoft.NetCore.App.Runtime.linux-x64NuGet	>= 10.0.0, < 10.0.4	10.0.4
Microsoft.NetCore.App.Runtime.osx-arm64NuGet	>= 10.0.0, < 10.0.4	10.0.4
Microsoft.NetCore.App.Runtime.osx-x64NuGet	>= 10.0.0, < 10.0.4	10.0.4
Microsoft.NetCore.App.Runtime.win-armNuGet	>= 10.0.0, < 10.0.4	10.0.4
Microsoft.NetCore.App.Runtime.win-x64NuGet	>= 10.0.0, < 10.0.4	10.0.4
Microsoft.NetCore.App.Runtime.win-x86NuGet	>= 10.0.0, < 10.0.4	10.0.4
Microsoft.NetCore.App.Runtime.win-arm64NuGet	>= 10.0.0, < 10.0.4	10.0.4

Affected products

Microsoft/Net
cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*
Range: >=10.0.0,<10.0.4
Microsoft/Bcl.memory
cpe:2.3:a:microsoft:bcl.memory:*:*:*:*:*:*:*:*
Range: >=9.0.0,<9.0.14

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-73j8-2gch-69rqghsaADVISORY
msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26127nvdVendor AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2026-26127ghsaADVISORY
github.com/dotnet/runtime/security/advisories/GHSA-73j8-2gch-69rqghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000