{"id":"CVE-2026-26130","details":"Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network.","aliases":["BIT-aspnet-core-2026-26130","GHSA-4vgm-c2wm-63mw"],"modified":"2026-07-08T08:06:57.934110769Z","published":"2026-03-10T18:18:42.223Z","related":["ALSA-2026:4443","ALSA-2026:4445","ALSA-2026:4450","ALSA-2026:4451","ALSA-2026:4453","ALSA-2026:4454","ALSA-2026:4455","ALSA-2026:4456","ALSA-2026:4458","CGA-f43x-f635-vfq3","CGA-vp2h-wm6f-5ch8"],"database_specific":{},"references":[{"type":"WEB","url":"https://access.redhat.com/security/cve/CVE-2026-26130"},{"type":"WEB","url":"https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-26130.json"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:10082"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:10083"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:10084"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:10085"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:10091"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:4443"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:4445"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:4450"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:4451"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:4453"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:4454"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:4455"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:4456"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:4458"},{"type":"ADVISORY","url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26130"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2446134"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/dotnet/aspnetcore","events":[{"introduced":"3f1acb59718cadf111a0a796681e3d3509bb3381"},{"fixed":"ef18546e04f9b0127bbd7709b6af054cc18da98a"},{"introduced":"af22effae4069a5dfb9b0735859de48820104f5b"},{"fixed":"baa6b294e728e6171378b4e8c52e42e7c4d4ed63"},{"introduced":"7387de91234d3ef751fa50b3d1bfede4130213ff"},{"fixed":"233fc7812a61ec7edd51b9e04063f3ed77ec71fe"}],"database_specific":{"source":"CPE_RANGE","cpe":"cpe:2.3:a:microsoft:asp.net_core:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"8.0.0"},{"fixed":"8.0.25"},{"introduced":"9.0.0"},{"fixed":"9.0.14"},{"introduced":"10.0.0"},{"fixed":"10.0.4"}]}}],"versions":["v8.0.24","v10.0.3","v8.0.23","v10.0.2","v10.0.1","v8.0.22","v10.0.0","v8.0.21","v8.0.20","v8.0.19","v8.0.18","v8.0.17","v8.0.16","v8.0.15","v8.0.14","v8.0.13","v8.0.12","v8.0.11","v8.0.10","v8.0.8","v8.0.7","v8.0.5","v8.0.4","v8.0.3","v8.0.2","v8.0.1","v8.0.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26130.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}