{
  "threat_severity" : "Important",
  "public_date" : "2026-06-09T17:05:29Z",
  "bugzilla" : {
    "description" : "dotnet: ASP.NET Core: Denial of Service via uncontrolled resource consumption",
    "id" : "2487224",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2487224"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-770",
  "details" : [ "Uncontrolled resource consumption in ASP.NET Core allows an unauthorized attacker to deny service over a network.", "A flaw was found in ASP.NET Core SignalR and Blazor Server. A remote attacker could send a specially crafted MessagePack payload containing deeply nested arrays that trigger excessive recursion and cause a stack overflow. This issue may result in application termination and a denial of service condition." ],
  "statement" : "This vulnerability affects the MessagePack hub protocol implementation used by ASP.NET Core SignalR and Blazor Server. Red Hat Product Security has assessed this issue as an Important severity vulnerability.\nThe flaw occurs when processing deeply nested MessagePack arrays supplied by a remote attacker. Insufficient validation of message nesting depth may cause excessive recursion and trigger a stack overflow condition during message processing.\nSuccessful exploitation could allow an unauthenticated remote attacker to cause the affected application or service to terminate unexpectedly, resulting in a denial of service condition.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-06-10T00:00:00Z",
    "advisory" : "RHSA-2026:25111",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.2",
    "package" : "dotnet8.0-0:8.0.128-1.el10_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-06-10T00:00:00Z",
    "advisory" : "RHSA-2026:25112",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.2",
    "package" : "dotnet9.0-0:9.0.118-1.el10_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-06-10T00:00:00Z",
    "advisory" : "RHSA-2026:25115",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.2",
    "package" : "dotnet10.0-0:10.0.109-1.el10_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2026-06-22T00:00:00Z",
    "advisory" : "RHSA-2026:28007",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "dotnet8.0-0:8.0.128-1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2026-06-22T00:00:00Z",
    "advisory" : "RHSA-2026:28009",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "dotnet9.0-0:9.0.118-1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-06-10T00:00:00Z",
    "advisory" : "RHSA-2026:25110",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "dotnet8.0-0:8.0.128-1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-06-10T00:00:00Z",
    "advisory" : "RHSA-2026:25113",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "dotnet9.0-0:9.0.118-1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-06-10T00:00:00Z",
    "advisory" : "RHSA-2026:25114",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "dotnet10.0-0:10.0.109-1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-06-11T00:00:00Z",
    "advisory" : "RHSA-2026:25220",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "dotnet8.0-0:8.0.128-1.el9_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-06-11T00:00:00Z",
    "advisory" : "RHSA-2026:25221",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "dotnet9.0-0:9.0.118-1.el9_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-06-11T00:00:00Z",
    "advisory" : "RHSA-2026:25222",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "dotnet10.0-0:10.0.109-1.el9_8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Update Services for SAP Solutions",
    "release_date" : "2026-06-23T00:00:00Z",
    "advisory" : "RHSA-2026:28227",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.4",
    "package" : "dotnet8.0-0:8.0.128-1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-06-22T00:00:00Z",
    "advisory" : "RHSA-2026:28011",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "dotnet8.0-0:8.0.128-1.el9_6"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-05-14T00:00:00Z",
    "advisory" : "RHSA-2026:17527",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "dotnet9-0-main-9.0.117-1.hum1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-06-17T00:00:00Z",
    "advisory" : "RHSA-2026:26638",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "dotnet10-0-main-10.0.109-1.hum1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-06-18T00:00:00Z",
    "advisory" : "RHSA-2026:26994",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "dotnet8-0-main-8.0.128-1.hum1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-45591\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-45591\nhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45591" ],
  "name" : "CVE-2026-45591",
  "mitigation" : {
    "value" : "Red Hat is not aware of a practical temporary workaround that fully mitigates this issue or meets Red Hat Product Security's standards for usability, deployment, applicability, or stability. Customers are advised to apply the relevant security updates when they become available.",
    "lang" : "en:us"
  },
  "csaw" : false
}