CVE-2026-26171: Denial of Service in .NET System.Security.Cryptography.Xml

The vulnerability tracked as CVE-2026-26171 affects the .NET framework's System.Security.Cryptography.Xml.EncryptedXml class. This component is widely utilized by applications to decrypt XML data, such as SOAP web services, SAML-based identity providers, and custom XML processing pipelines. The core issue arises from the framework's default behavior regarding XML External Entity (XXE) processing and recursion tracking during the decryption phase.

The vulnerability manifests as a Denial of Service (DoS) condition. It is categorized under CWE-400 (Uncontrolled Resource Consumption) and CWE-611 (Improper Restriction of XML External Entity Reference). When the .NET framework processes maliciously crafted encrypted XML elements, it fails to enforce safe boundaries on resource allocation, computation time, and network operations.

An unauthenticated remote attacker can exploit this flaw by submitting specifically constructed XML documents to an exposed endpoint. Because the vulnerability resides in the decryption parsing phase, the attack payload triggers before application-level authentication or validation logic typically executes. The resulting impact includes CPU and memory exhaustion, or complete exhaustion of the application thread pool.

Applications exposing XML processing endpoints to untrusted networks are at the highest risk. The vulnerability requires low attack complexity and no user interaction, making it highly reliable for causing service unavailability across multiple versions of the .NET framework.

The root cause of CVE-2026-26171 spans multiple distinct deficiencies within the XML processing stack. The first mechanism involves recursive entity expansion, commonly known as a Billion Laughs attack. Historically, the EncryptedXml class utilized an internal XmlDocument or XmlReader instance that was not explicitly configured to prohibit Document Type Definition (DTD) processing. This oversight allowed parsers to continuously resolve deeply nested entity declarations, leading to exponential memory allocation during the decryption routine.

The second mechanism centers on uncontrolled decryption recursion. The implementation lacked structural depth tracking for nested EncryptedData or EncryptedKey elements. An attacker could construct an XML document containing thousands of nested encryption tags. When the EncryptedXml class attempted to parse and hydrate the object model, the unbounded recursive calls exhausted the process call stack or consumed excessive heap memory.

The third mechanism involves unsafe transform execution within the XML Encryption specification. The standard allows the use of Transforms (such as XSLT or XPath) via the CipherReference element. The .NET implementation permitted these complex transforms by default. Malicious payloads could embed computationally expensive XPath queries or XSLT templates containing infinite loops, effectively tying up worker threads indefinitely.

Finally, the framework exhibited network-based blocking behavior. When processing a CipherReference or URI-based KeyInfo, the internal XmlResolver attempted to resolve Universal Naming Convention (UNC) paths. An attacker could direct the resolver to a remote attacker-controlled SMB share or an unresponsive local endpoint. The synchronous wait time on the Windows SMB stack blocked the associated worker thread, eventually leading to thread pool starvation across the application.

The patch for CVE-2026-26171 fundamentally alters the default security posture of the EncryptedXml class. Prior to the fix, the internal XML parsers instantiated by the cryptographic classes inherited insecure default settings. The core of the remediation involved hardening the XmlReaderSettings used during the initialization of internal parsing routines.

// VULNERABLE CODE PATTERN (Pre-patch)
XmlReaderSettings settings = new XmlReaderSettings();
settings.XmlResolver = new XmlUrlResolver(); // Permitted UNC path resolution
// DtdProcessing defaulted to Parse in older contexts, or lacked explicit prohibition
 
// PATCHED CODE PATTERN
XmlReaderSettings settings = new XmlReaderSettings();
settings.DtdProcessing = DtdProcessing.Prohibit;
settings.XmlResolver = null; // Disables external resolution
settings.MaxCharactersFromEntities = 0;

Beyond basic parser settings, the update introduced explicit recursion limits within the CanonicalizationDispatcher and related decryption classes. The runtime now utilizes a thread-static counter to monitor structural depth. A new property, DangerousMaxRecursionDepth, was implemented with a strict default limit of 64. If an XML document exceeds this nesting depth, the framework aborts processing and throws a CryptographicException.

The patch also addressed the unsafe transform vector by restricting the permissible transform algorithms by default. The EncryptedXml class now actively filters out high-risk transforms like XSLT. To maintain backward compatibility for applications relying on these legacy features, Microsoft introduced an AppContext switch named System.Security.Cryptography.Xml.AllowDangerousEncryptedXmlTransforms, allowing developers to opt-in to the previous, insecure behavior if strictly required.

Exploiting this vulnerability requires minimal prerequisites. The attacker only needs network access to an application endpoint that accepts and parses XML data using the vulnerable .NET cryptographic classes. No prior authentication or specialized network positioning is necessary, making this a prime candidate for blind remote attacks against external-facing web services.

The attack begins with payload construction. The attacker generates an XML file that leverages one of the identified vectors. For a thread exhaustion attack via SMB, the payload embeds a CipherReference pointing to a fabricated UNC path. When the server begins processing the payload, the underlying network I/O subsystem blocks while attempting to authenticate or connect to the unresponsive share.

If the attacker chooses the algorithmic complexity route, they embed an XSLT payload containing a recursive template or a deeply nested structure of EncryptedData nodes. Upon submission, the .NET runtime allocates system resources to process the structure. Because the operations block synchronously, concurrent requests containing the payload will rapidly consume all available worker threads, leading to HTTP 503 Service Unavailable responses for legitimate users.

The concrete security impact of CVE-2026-26171 is limited to Availability. The CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H reflects this, producing a base score of 7.5. An attacker cannot leverage this vulnerability to execute arbitrary code, escalate privileges, or extract sensitive data from the host system.

Despite the lack of confidentiality or integrity impact, the severity remains high due to the ease of triggering widespread service disruption. In microservice architectures, a thread pool exhaustion event in one critical authentication service (such as a SAML Identity Provider) can cause cascading failures across dependent downstream services. The application process will typically become entirely unresponsive, requiring an administrative restart to recover.

The EPSS score of 0.00589 (0.59%) indicates a relatively low probability of widespread exploitation in the wild within the near term. This low score is typical for DoS vulnerabilities, which often lack the financial incentives associated with Remote Code Execution or ransomware deployment. However, the threat model for critical infrastructure or highly available public services must still prioritize remediation to maintain Service Level Agreements (SLAs).

The primary and most effective remediation strategy is to apply the official patches provided by Microsoft. Administrators and developers must update their .NET runtimes and SDKs to the fixed versions: .NET 8.0.26, .NET 9.0.15, or .NET 10.0.6. Applying the patch enforces the hardened parser settings, recursion limits, and unsafe transform prohibitions by default without requiring code changes in consuming applications.

In environments where immediate patching is not technically feasible, developers should review custom XML parsing logic. Ensure that any XmlReader or XmlDocument instances passed into cryptographic classes explicitly set DtdProcessing to Prohibit and assign XmlResolver to null. This manual hardening prevents the XXE and UNC path resolution vectors, though it does not fully mitigate the internal recursion flaws within EncryptedXml.

If legacy application behavior breaks after applying the patch, developers can temporarily use the introduced AppContext switches to revert specific protections. Setting System.Security.Cryptography.Xml.DangerousMaxRecursionDepth to a higher integer or enabling System.Security.Cryptography.Xml.AllowDangerousEncryptedXmlTransforms restores legacy functionality. These switches should be used strictly as temporary workarounds until the application payload structures can be modernized.