CVE-2026-42899: Denial of Service via Infinite Loops in ASP.NET Core Subsystems

CVE-2026-42899 manifests as a severe Denial of Service (DoS) condition affecting multiple versions of the .NET runtime and the ASP.NET Core framework. The vulnerability is formally classified as a Loop with Unreachable Exit Condition (CWE-835). Remote attackers can exploit this flaw without authentication by submitting specifically crafted network payloads that cause the server process to enter an infinite loop.

The architectural consequence of this vulnerability is complete worker thread exhaustion. When the targeted component enters the looping state, it continuously consumes CPU cycles without processing subsequent network traffic or relinquishing thread execution. This behavior rapidly forces the host CPU utilization to 100%, causing the application to become unresponsive to all benign user requests and resulting in localized service unavailability.

The flaw is systemic rather than isolated, originating from discrete logic errors across several core framework components. Vulnerable subsystems include the ManagedAuthenticatedEncryptor within Data Protection, the RequestDelegateFactory used by Minimal APIs, Kestrel's HTTP/2 frame stream processing, and the HybridCache stampede protection mechanisms. This broad attack surface provides attackers with multiple distinct entry points to achieve the same denial of service condition.

The fundamental cause of the vulnerability spans multiple discrete logic errors where error conditions or stream transitions fail to advance process state. In the Data Protection component, ManagedAuthenticatedEncryptor.CalculateAndValidateMac contained an offset calculation error. The validation algorithm incorrectly hashed the memory range containing the MAC itself, rather than the data payload (IV and Ciphertext) it was supposed to protect. This deterministic failure resulted in a CryptographicException on every validation attempt.

When this CryptographicException triggered within certain stream processing or cookie parsing loops, the exception handler caught the error but failed to increment the stream pointer. The loop immediately re-evaluated the exact same un-incremented memory segment, throwing the exception again. This sequence created an unbroken execution cycle that consumed the executing thread indefinitely.

In the Minimal API implementation, the RequestDelegateFactory improperly evaluated pipeline readiness during parameter binding failures. The logic checked FilterFactories.Count > 0 to bypass an early HTTP 400 Bad Request return. If a filter factory was registered but the subsequent execution pipeline remained unbuilt or null, the execution path became undefined. The application bypassed the failure exit node but lacked a valid continuation path, trapping the request binding process in an infinite execution loop.

Additional subsystems exhibited similar state management flaws. The HybridCache library failed to clear waiter structures or transition state machines when background fetch operations failed. Similarly, HttpSys and Kestrel HTTP/2 response streaming components failed to decrement remaining byte counts or advance buffer pointers when native Windows HTTP APIs or internal functions returned zero processed bytes upon encountering application-layer errors.

The mitigation for the Data Protection component addresses the improper boundary calculation that guaranteed MAC validation failure. The original implementation calculated the hash over the incorrect memory span, starting at the macOffset and ending at the eofOffset. The patched code correctly calculates the hash beginning at the ivOffset and spanning the length of the data payload.

// File: src/DataProtection/DataProtection/src/Managed/ManagedAuthenticatedEncryptor.cs
// VULNERABLE CODE:
- correctHashArray = validationAlgorithm.ComputeHash(payloadArray, macOffset, eofOffset - macOffset);
 
// PATCHED CODE:
+ correctHash = validationAlgorithm.ComputeHash(payloadArray, ivOffset, macOffset - ivOffset);

The Data Protection patch also resolves an underlying variable assignment issue where the correctHash buffer, implemented as a Span<byte>, failed to correctly reference heap-allocated memory during scope transitions. By correcting the hash calculation input and enforcing strict pointer advancements upon validation failure, the framework guarantees the loop exit condition.

For Minimal APIs, the patch shifts the validation logic from checking static collection counts to checking actual compilation state. The RequestDelegateFactory now utilizes a discrete boolean variable to confirm pipeline initialization.

// File: src/Http/Http.Extensions/src/RequestDelegateFactory.cs
// VULNERABLE CODE:
- if (factoryContext.EndpointBuilder.FilterFactories.Count > 0)
 
// PATCHED CODE:
+ if (filterPipelineBuilt)

This modification ensures that parameter binding failures only bypass the immediate 400 Bad Request return if a fully constructed filter pipeline exists to receive and process the error context. These modifications eliminate the specific execution conditions required to sustain the looping behavior.

Exploitation requires no authentication and relies solely on the submission of intentionally malformed network requests. To target the Minimal API implementation, an attacker identifies an endpoint utilizing request filters. The attacker then submits a request containing structurally invalid parameters, such as supplying a non-alphanumeric string to a route expecting a valid GUID format. This forces the parameter binder to fail and triggers the unhandled execution path logic.

The Data Protection attack vector focuses on application payloads that require cryptographic validation, such as session cookies or anti-forgery tokens. The attacker captures a valid payload, alters the appended MAC bytes, and resubmits the request. When the server attempts to parse the payload, the altered MAC triggers the calculation failure, initializing the CryptographicException loop and stalling the worker process.

Attackers targeting the Kestrel HTTP/2 implementation operate at the protocol layer. The attack involves establishing an HTTP/2 connection and rapidly transmitting a HEADERS frame followed immediately by an invalid data sequence that forces an application-tier failure. The subsequent application exception triggers a RST_STREAM action that fails to clear the pending data buffer, causing Kestrel's frame reader to continuously attempt read operations against the stale memory segment.

A successful attack structurally compromises the availability of the application layer. Worker threads consumed by the infinite loop are incapable of servicing new or existing network requests. Because this vulnerability affects Kestrel and core pipeline components directly, an attacker sending a low volume of targeted requests can systematically exhaust the entire application pool thread allocation, completely halting web service operations.

The CVSS v3.1 base score of 7.5 accurately captures the high severity of the availability impact, combined with the lack of authentication requirements and low attack complexity. Network placement does not mitigate the vulnerability; applications deployed behind reverse proxies or load balancers remain vulnerable because the proxies pass the malformed application-layer data directly to the vulnerable backend Kestrel processes.

Despite the severe technical impact, the EPSS score currently sits at 0.00047 (0.05%), indicating a negligible observed probability of active exploitation in the wild. The absence of public proof-of-concept exploits and the specificity required to trigger the precise conditions in customized application pipelines currently limit widespread automated exploitation. However, the exact technical documentation provided in the patch diffs enables competent adversaries to reverse-engineer functioning exploits rapidly.

Organizations must upgrade their .NET runtime and ASP.NET Core framework installations to the latest patched releases. The official remediated versions are .NET 8.0.27, .NET 9.0.16, and .NET 10.0.8. Application binaries built as self-contained deployments must be recompiled using the updated SDK to incorporate the patched framework libraries.

Applications utilizing JavaScript interop functionality, particularly Blazor WebAssembly or Single Page Applications, require dependency updates. Developers must ensure the package lodash is updated to version 4.18.0 or greater, and serialize-javascript is updated to version 7.0.5 or greater. These updates address the tracking failures in StreamingInterop.ts that contribute to client-server stream desynchronization.

Where immediate patching is operationally impossible, security teams should implement strict Web Application Firewall (WAF) policies. WAF rules must validate request parameters, dropping structurally anomalous payloads before they reach the Minimal API router. Rate-limiting concurrent connections and enforcing strict timeouts on payload processing provides partial mitigation against the caching and stream-based vectors by terminating long-running connections forcefully.