Apr 17, 2026 · 5 min read
Unauthenticated DoS in .NET XML cryptography via infinite loop parsing circular references.
CVE-2026-33116 is a high-severity (CVSS 7.5) Denial of Service (DoS) vulnerability in the .NET System.Security.Cryptography.Xml namespace. It allows an unauthenticated remote attacker to cause CPU exhaustion and thread hangs by supplying a crafted XML document with circular encrypted references.
CVE-2026-33116 resides in the System.Security.Cryptography.Xml namespace within the .NET runtime and .NET Framework. The vulnerability manifests as an infinite loop condition, classified under CWE-835 (Loop with Unreachable Exit Condition) and CWE-400 (Uncontrolled Resource Consumption).
The affected component parses and processes XML Encryption data, specifically the EncryptedData, EncryptedKey, and CipherReference elements. It is widely used by applications that process SAML assertions, SOAP messages, and custom XML-based web services.
The flaw occurs because the library fails to properly handle circular references or excessive nesting during the decryption process. An unauthenticated attacker can exploit this weakness by submitting a specially crafted XML document over the network, resulting in 100% CPU exhaustion on the processing thread and leading to a severe Denial of Service (DoS) condition.
The root cause lies in the EncryptedXml class and its internal URI resolution logic. In the XML Encryption (XMLEnc) specification, the CipherReference and RetrievalMethod elements carry a URI attribute that points at other fragments of the document, typically a same-document fragment identifier such as #ID.
When EncryptedXml.DecryptDocument, or the lower-level DecryptData, is invoked, the GetIdElement lookup resolves these URIs to locate the corresponding decryption key or payload. Prior to the patch, this resolution mechanism had no cycle detection: the parser did not record which fragment IDs had already been visited within a single decryption execution context.
Furthermore, the implementation lacked bounds checking on the recursion depth. An attacker can construct a payload where Element A's CipherReference points to Element B, and Element B points back to Element A. When the parser encounters this structure, it enters an unbounded recursive call chain or an infinite while loop, completely consuming the thread's execution cycles.
Analysis of the vulnerable code reveals that URI resolution for CipherReference elements blindly followed target IDs. The absence of state tracking across the recursive decryption operations allowed execution to loop indefinitely between mutually referencing nodes.
The remediation, introduced in commit b234b9ae5980f21c499ae0702b098d9898ec786f, adds depth tracking to the parsing engine. The developers introduced a [ThreadStatic] integer variable named t_depth to monitor the recursion level across the current thread.
```csharp
[ThreadStatic]
private static int t_depth;   // per-thread nesting counter for the decryption in progress

internal static void IncrementLoadXmlCurrentThreadDepth() {
    int maxDepth = LocalAppContextSwitches.DangerousMaxRecursionDepth;
    // A maxDepth of 0 or less disables the limit; otherwise fail before descending further.
    if (maxDepth > 0 && t_depth > maxDepth) {
        throw new CryptographicException("The XML element has exceeded the maximum nesting depth allowed for decryption.");
    }
    t_depth++;
}
```

The IncrementLoadXmlCurrentThreadDepth method is now called during reference resolution. If the depth exceeds the newly established DangerousMaxRecursionDepth (defaulting to 64), a CryptographicException is thrown, breaking the cycle. The check runs before the increment, so the exception fires on the first call after the counter has passed maxDepth and unwinds the whole resolution rather than silently truncating it. Note that this is a depth bound, not cycle detection: a two-node cycle is still followed for maxDepth hops before it is rejected. Additionally, the patch opts out of potentially dangerous XML transforms by setting AllowDangerousEncryptedXmlTransforms to false by default.
Exploitation of CVE-2026-33116 requires the target application to accept untrusted XML input and process it using the System.Security.Cryptography.Xml library. No prior authentication is required, and the attacker does not need elevated network positioning beyond access to the vulnerable endpoint.
The attacker crafts a malicious XML document containing interconnected EncryptedData nodes. The structure relies on creating a circular dependency using the CipherReference element.
```xml
<Root>
  <EncryptedData Id="A" xmlns="http://www.w3.org/2001/04/xmlenc#">
    <CipherData><CipherReference URI="#B"/></CipherData>
  </EncryptedData>
  <EncryptedData Id="B" xmlns="http://www.w3.org/2001/04/xmlenc#">
    <CipherData><CipherReference URI="#A"/></CipherData>
  </EncryptedData>
</Root>
```

When the malicious payload is transmitted to a vulnerable service, the application invokes the decryption routine. The engine attempts to resolve #B, which instructs it to resolve #A, and the two references hand control back and forth until the thread hangs or the process crashes.
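The reference walk and the missing cycle check, as an added example that is not code from the .NET runtime or from this advisory: it builds the fragment-reference graph of an XML Encryption document, replays the depth-bounded walk the patch adds (a counter per hop, failure once it passes the limit), and runs the visited-set check the unpatched resolver lacked, which a service can apply to untrusted XML before handing it to EncryptedXml. The sample documents, the function and exception names, the assumption that references are identified by an `Id` attribute, and the guard that keeps the unbounded walk finite are this example's own.

```python
"""Reference-cycle pre-check for XML Encryption documents (added example, not
runtime code). It builds the fragment-reference graph, replays the depth-bounded
walk the patch adds, and runs the visited-set check the unpatched resolver
lacked. Sample documents are constructed; CYCLIC_DOC mirrors the advisory's PoC."""
import xml.etree.ElementTree as ET

XMLENC = "http://www.w3.org/2001/04/xmlenc#"
XMLDSIG = "http://www.w3.org/2000/09/xmldsig#"
# Elements whose URI attribute sends the decryptor to another fragment.
REF_TAGS = {f"{{{XMLENC}}}CipherReference", f"{{{XMLDSIG}}}RetrievalMethod"}
MAX_DEPTH = 64  # default the page reports for DangerousMaxRecursionDepth

CYCLIC_DOC = """<Root>
 <EncryptedData Id="A" xmlns="http://www.w3.org/2001/04/xmlenc#">
  <CipherData><CipherReference URI="#B"/></CipherData>
 </EncryptedData>
 <EncryptedData Id="B" xmlns="http://www.w3.org/2001/04/xmlenc#">
  <CipherData><CipherReference URI="#A"/></CipherData>
 </EncryptedData>
</Root>"""
# Benign: A points at B, B carries an inline CipherValue, so the walk ends.
ACYCLIC_DOC = """<Root>
 <EncryptedData Id="A" xmlns="http://www.w3.org/2001/04/xmlenc#">
  <CipherData><CipherReference URI="#B"/></CipherData>
 </EncryptedData>
 <EncryptedData Id="B" xmlns="http://www.w3.org/2001/04/xmlenc#">
  <CipherData><CipherValue>AAAA</CipherValue></CipherData>
 </EncryptedData>
</Root>"""


class ReferenceDepthError(Exception):
    """Stands in for the CryptographicException the patched library throws."""


def reference_graph(xml_text):
    """Map each Id-bearing element to the fragment Ids it references.
    Only same-document '#id' URIs count; external URIs are a separate problem.
    Use defusedxml in production; the stdlib parser keeps this dependency-free."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    graph = {el.get("Id"): [] for el in root.iter() if el.get("Id") is not None}
    for ref in root.iter():
        uri = ref.get("URI", "")
        if ref.tag not in REF_TAGS or not uri.startswith("#"):
            continue
        owner = parent.get(ref)  # nearest ancestor carrying an Id
        while owner is not None and owner.get("Id") is None:
            owner = parent.get(owner)
        if owner is not None:
            graph[owner.get("Id")].append(uri[1:])
    return graph


def resolve_bounded(graph, start, max_depth=MAX_DEPTH):
    """Walk references as the patched resolver does: count each hop and fail once
    the counter passes max_depth. Returns the Ids visited. max_depth=0 disables
    the limit (pre-patch behaviour) and a cycle then never ends; the RuntimeError
    guard exists only to keep this example finite."""
    chain, depth, current = [start], 0, start
    while graph.get(current):
        if max_depth > 0 and depth > max_depth:
            raise ReferenceDepthError(f"exceeded depth {max_depth} at {chain[-3:]}")
        if depth > 10 * MAX_DEPTH:
            raise RuntimeError("unbounded walk: this is the reported hang")
        depth += 1
        current = graph[current][0]  # first reference, as a resolver would take it
        chain.append(current)
    return chain


def find_cycle(graph):
    """The check the unpatched resolver lacked: DFS with a visited set. Returns
    the first cycle found, closed (['A', 'B', 'A']), or None. Catches self-
    references too, in one pass instead of max_depth wasted hops."""
    WHITE, GREY, BLACK = 0, 1, 2
    color = dict.fromkeys(graph, WHITE)
    path = []

    def dfs(node):
        color[node] = GREY
        path.append(node)
        for nxt in graph[node]:
            if nxt not in graph:
                continue  # dangling reference: fails fast, never loops
            if color[nxt] == GREY:
                return path[path.index(nxt):] + [nxt]
            if color[nxt] == WHITE and (found := dfs(nxt)):
                return found
        path.pop()
        color[node] = BLACK
        return None

    for node in graph:
        if color[node] == WHITE and (found := dfs(node)):
            return found
    return None


def is_safe_to_decrypt(xml_text):
    """Gate for untrusted XML before EncryptedXml sees it."""
    return find_cycle(reference_graph(xml_text)) is None
```

The pre-check needs no key material, so it can run at the edge (a SAML or SOAP gateway) on the raw document: `is_safe_to_decrypt` rejects the advisory's A/B payload outright, while `resolve_bounded` shows why the patch alone still spends 64 hops on the same input before giving up.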
The primary impact of CVE-2026-33116 is a high-severity Denial of Service. Successful exploitation directly leads to thread exhaustion, causing the affected application to stop processing legitimate requests and potentially leading to a complete service outage.
The vulnerability carries a CVSS v3.1 base score of 7.5, reflected in the vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. This score underscores the low attack complexity and the fact that an unauthenticated attacker can execute the attack remotely over the network.
While the flaw strictly affects availability without direct impact on data confidentiality or integrity, the operational consequences are significant. Web services relying on SAML or SOAP can be persistently disabled by repeated submission of the crafted payload, requiring manual restarts if the process fails to recover from the resource exhaustion.
The definitive remediation for CVE-2026-33116 is applying the official April 2026 security updates provided by Microsoft. Administrators must upgrade .NET 10.0 to version 10.0.6, .NET 9.0 to version 9.0.15, and .NET 8.0 to version 8.0.26.
For systems running older framework versions, specific patches must be applied. .NET Framework 4.8 and 4.8.1 require updates corresponding to build numbers 4.8.4801.0 and 4.8.9332.0, respectively, as detailed in the Microsoft Security Response Center (MSRC) advisory.
In environments where immediate patching is infeasible, the configuration switches give only limited relief. The System.Security.Cryptography.Xml.DangerousMaxRecursionDepth key is read by the LocalAppContextSwitches code that the patch introduced, so an unpatched runtime ignores it; on a patched runtime it can be set through AppContext (for .NET, the configProperties section of runtimeconfig.json) to enforce a limit stricter than the default of 64 for services that never legitimately nest encrypted references deeply. Until the update is applied, the practical interim measure is to screen untrusted XML Encryption input for reference cycles before it reaches the library.
CVSS vector with temporal metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C

| Product | Affected Versions | Fixed Version |
|---|---|---|
| Microsoft .NET 10.0 | 10.0.0 to < 10.0.6 | 10.0.6 |
| Microsoft .NET 9.0 | 9.0.0 to < 9.0.15 | 9.0.15 |
| Microsoft .NET 8.0 | 8.0.0 to < 8.0.26 | 8.0.26 |
| Microsoft .NET Framework 4.8.1 | < 4.8.9332.0 | 4.8.9332.0 |
| Microsoft .NET Framework 4.8 | < 4.8.4801.0 | 4.8.4801.0 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') |
| Attack Vector | Network |
| CVSS Score | 7.5 (High) |
| Impact | Denial of Service (DoS) |
| Exploit Status | Proof of Concept Available |
| Authentication Required | None |