CVE-2026-26127: .NET Denial of Service via Base64Url Out-of-Bounds Read

CVE-2026-26127 is a high-severity Denial of Service (DoS) vulnerability affecting .NET 9.0, .NET 10.0, and the standalone Microsoft.Bcl.Memory NuGet package. The flaw resides in the Base64Url decoding implementation, which was introduced to provide high-performance encoding and decoding compliant with RFC 4648. Applications that parse external Base64Url data are vulnerable to abrupt termination.

The attack surface for this vulnerability is broad, encompassing any network-facing service that processes user-controlled Base64Url strings. Common implementations include JSON Web Token (JWT) validation, OAuth token parsing, and web-safe data transport mechanisms. An attacker does not require authentication to reach these code paths in a standard web API architecture.

When a vulnerable endpoint receives a malformed payload, the underlying parsing logic fails to safely handle the input boundaries. This results in an out-of-bounds memory read. The operating system or the .NET runtime detects the invalid memory access, causing the host process to crash and completely denying service to legitimate users.

The vulnerability is classified primarily as CWE-125 (Out-of-bounds Read) and secondarily as CWE-129 (Improper Validation of Array Index). The core issue stems from insufficient bounds checking within the Base64Url.Decode method and its associated variants. The logic fails to account for specific malformed input lengths and unexpected character offsets.

During the decoding process, the algorithm relies on internal index calculations to map Base64Url characters back to their original byte representations. When the input string is improperly formatted, these mathematical operations yield offsets that exceed the allocated bounds of the source or destination buffers. The runtime then attempts to read data from unallocated or protected memory regions.

The high-performance nature of this decoding logic involves low-level intrinsics and unsafe code blocks to bypass standard managed memory safeguards. Because the managed boundary is intentionally bypassed for speed, the standard .NET array bounds checks do not intervene prior to the illegal memory access. This results in a raw memory violation rather than a gracefully caught exception.

Depending on the exact execution environment, the out-of-bounds read manifests as either a System.IndexOutOfRangeException that goes unhandled on a critical thread, or a hard access violation at the operating system level. Both conditions force the immediate shutdown of the .NET process, validating the Denial of Service condition.

The introduction of the Microsoft.Bcl.Memory high-performance Base64Url decoder in .NET 9.0 relied heavily on unsafe pointer arithmetic and SIMD (Single Instruction, Multiple Data) instructions. The vulnerability exists where the pointer advances through the input buffer without strictly validating the remaining length against the required block size for decoding.

// Conceptual Vulnerable Code Snippet
public static OperationStatus DecodeFromUtf8(ReadOnlySpan<byte> utf8, Span<byte> bytes, out int bytesConsumed, out int bytesWritten)
{
    fixed (byte* src = &MemoryMarshal.GetReference(utf8))
    fixed (byte* dst = &MemoryMarshal.GetReference(bytes))
    {
        // Missing rigorous length validation before vector processing
        int index = 0;
        while (index < utf8.Length)
        {
            // Out-of-bounds read occurs here if utf8.Length is malformed
            Vector256<byte> data = Vector256.Load(src + index);
            // ... processing logic ...
        }
    }
}

The patch addresses this by enforcing strict bounds validation before any pointer arithmetic or SIMD vector loading occurs. The logic now explicitly calculates the maximum safe read boundary and falls back to scalar processing for the remainder of the buffer, ensuring no reads occur beyond the utf8.Length.

// Conceptual Patched Code Snippet
public static OperationStatus DecodeFromUtf8(ReadOnlySpan<byte> utf8, Span<byte> bytes, out int bytesConsumed, out int bytesWritten)
{
    fixed (byte* src = &MemoryMarshal.GetReference(utf8))
    fixed (byte* dst = &MemoryMarshal.GetReference(bytes))
    {
        int index = 0;
        // Added strict boundary calculation
        int maxSafeIndex = utf8.Length - Vector256<byte>.Count;
        
        while (index <= maxSafeIndex)
        {
            Vector256<byte> data = Vector256.Load(src + index);
            // ... processing logic ...
        }
        // Safe scalar fallback for remaining bytes
    }
}

This fix is assessed to be complete. By constraining the SIMD vector loads to a mathematically proven safe index and processing the remainder safely, the code path eliminates the possibility of reading past the buffer. Variant attacks leveraging different malformed structures will fail because the maximum read index is strictly enforced.

Exploitation of CVE-2026-26127 requires minimal effort and no specialized network position. An attacker identifies a target endpoint that processes Base64Url data, such as a login route accepting a JWT, or an API accepting file uploads encoded in Base64Url. The attacker then constructs a crafted HTTP request containing a payload designed to trigger the out-of-bounds calculation.

Upon processing the request, the application passes the payload to the vulnerable Microsoft.Bcl.Memory decoding function. The out-of-bounds read is triggered immediately. Because the vulnerability exists at the runtime level and involves unsafe memory access, the entire process terminates. This results in the loss of all active user sessions and a complete cessation of application functionality.

The vulnerability carries a CVSS v3.1 base score of 7.5 (High), accurately reflecting its unauthenticated, remote nature and its severe impact on availability (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). Although the CWE-125 class maps to MITRE ATT&CK T1005 (Data from Local System) due to the theoretical risk of data leakage via out-of-bounds reads, the practical and documented impact for this specific flaw is strictly Denial of Service.

There is currently no evidence of wild exploitation, and the EPSS score is extremely low (0.00041). However, the public disclosure of the vulnerability mechanics means threat actors possess the necessary technical context to develop functional Denial of Service tools against unpatched systems.

Immediate patching is the only definitive remediation for CVE-2026-26127. Organizations running .NET 10.0 must update their runtimes and SDKs to version 10.0.4. Organizations running .NET 9.0 must update to version 9.0.14. These updates contain the modified CoreCLR and framework libraries that enforce proper bounds checking during Base64Url decoding.

Applications relying on the standalone Microsoft.Bcl.Memory NuGet package must explicitly update their package references. Developers should execute dotnet add package Microsoft.Bcl.Memory --version 9.0.14 (or 10.0.4 as appropriate) to pull the patched dependency. Crucially, applications must be fully recompiled and redeployed after this package update to ensure the vulnerable binaries are replaced in production environments.

In scenarios where immediate patching is not possible, organizations can implement active monitoring to detect exploitation attempts. Security teams should configure application telemetry and APM tools to alert on unexpected System.IndexOutOfRangeException or AccessViolationException events. A sudden spike in these exceptions strongly indicates a Denial of Service attack leveraging this vulnerability.

Additionally, security engineers should audit application codebases to identify all endpoints that process Base64Url data. Understanding the exposure of JWT handlers, OAuth endpoints, and custom deserialization logic will assist in prioritizing the deployment of the patched runtimes to the most critical infrastructure first.