VYPR
High severity 7.5 · NVD Advisory · Published May 12, 2026 · Updated May 13, 2026

CVE-2026-42899

Description

Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an unauthorized attacker to deny service over a network.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| Microsoft.AspNetCore.App.Runtime.win-arm (NuGet) | >= 8.0.0, < 8.0.27 | 8.0.27 |
| Microsoft.AspNetCore.App.Runtime.win-arm64 (NuGet) | >= 8.0.0, < 8.0.27 | 8.0.27 |
| Microsoft.AspNetCore.App.Runtime.win-x64 (NuGet) | >= 8.0.0, < 8.0.27 | 8.0.27 |
| Microsoft.AspNetCore.App.Runtime.win-x86 (NuGet) | >= 8.0.0, < 8.0.27 | 8.0.27 |
| Microsoft.AspNetCore.App.Runtime.linux-arm (NuGet) | >= 8.0.0, < 8.0.27 | 8.0.27 |
| Microsoft.AspNetCore.App.Runtime.linux-arm64 (NuGet) | >= 8.0.0, < 8.0.27 | 8.0.27 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm (NuGet) | >= 8.0.0, < 8.0.27 | 8.0.27 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 (NuGet) | >= 8.0.0, < 8.0.27 | 8.0.27 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-x64 (NuGet) | >= 8.0.0, < 8.0.27 | 8.0.27 |
| Microsoft.AspNetCore.App.Runtime.linux-x64 (NuGet) | >= 8.0.0, < 8.0.27 | 8.0.27 |
| Microsoft.AspNetCore.App.Runtime.osx-arm64 (NuGet) | >= 8.0.0, < 8.0.27 | 8.0.27 |
| Microsoft.AspNetCore.App.Runtime.osx-x64 (NuGet) | >= 8.0.0, < 8.0.27 | 8.0.27 |
| Microsoft.AspNetCore.App.Runtime.win-arm (NuGet) | >= 9.0.0, < 9.0.16 | 9.0.16 |
| Microsoft.AspNetCore.App.Runtime.win-arm (NuGet) | >= 10.0.0, < 10.0.8 | 10.0.8 |
| Microsoft.AspNetCore.App.Runtime.win-arm64 (NuGet) | >= 9.0.0, < 9.0.16 | 9.0.16 |
| Microsoft.AspNetCore.App.Runtime.win-arm64 (NuGet) | >= 10.0.0, < 10.0.8 | 10.0.8 |
| Microsoft.AspNetCore.App.Runtime.win-x64 (NuGet) | >= 9.0.0, < 9.0.16 | 9.0.16 |
| Microsoft.AspNetCore.App.Runtime.win-x64 (NuGet) | >= 10.0.0, < 10.0.8 | 10.0.8 |
| Microsoft.AspNetCore.App.Runtime.win-x86 (NuGet) | >= 9.0.0, < 9.0.16 | 9.0.16 |
| Microsoft.AspNetCore.App.Runtime.win-x86 (NuGet) | >= 10.0.0, < 10.0.8 | 10.0.8 |
| Microsoft.AspNetCore.App.Runtime.linux-arm (NuGet) | >= 9.0.0, < 9.0.16 | 9.0.16 |
| Microsoft.AspNetCore.App.Runtime.linux-arm (NuGet) | >= 10.0.0, < 10.0.8 | 10.0.8 |
| Microsoft.AspNetCore.App.Runtime.linux-arm64 (NuGet) | >= 9.0.0, < 9.0.16 | 9.0.16 |
| Microsoft.AspNetCore.App.Runtime.linux-arm64 (NuGet) | >= 10.0.0, < 10.0.8 | 10.0.8 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm (NuGet) | >= 9.0.0, < 9.0.16 | 9.0.16 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm (NuGet) | >= 10.0.0, < 10.0.8 | 10.0.8 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 (NuGet) | >= 9.0.0, < 9.0.16 | 9.0.16 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 (NuGet) | >= 10.0.0, < 10.0.8 | 10.0.8 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-x64 (NuGet) | >= 10.0.0, < 10.0.8 | 10.0.8 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-x64 (NuGet) | >= 9.0.0, < 9.0.16 | 9.0.16 |
| Microsoft.AspNetCore.App.Runtime.linux-x64 (NuGet) | >= 9.0.0, < 9.0.16 | 9.0.16 |
| Microsoft.AspNetCore.App.Runtime.linux-x64 (NuGet) | >= 10.0.0, < 10.0.8 | 10.0.8 |
| Microsoft.AspNetCore.App.Runtime.osx-arm64 (NuGet) | >= 9.0.0, < 9.0.16 | 9.0.16 |
| Microsoft.AspNetCore.App.Runtime.osx-arm64 (NuGet) | >= 10.0.0, < 10.0.8 | 10.0.8 |
| Microsoft.AspNetCore.App.Runtime.osx-x64 (NuGet) | >= 9.0.0, < 9.0.16 | 9.0.16 |
| Microsoft.AspNetCore.App.Runtime.osx-x64 (NuGet) | >= 10.0.0, < 10.0.8 | 10.0.8 |

Affected products: 48

References: 5

News mentions: 2