CVE-2026-33116

HIGH7.5EPSS 8.0%

.NET, .NET Framework, and Visual Studio Denial of Service Vulnerability

Published: 4/14/2026Modified: 5/7/2026

Also known as:GHSA-37gx-xxp4-5rgxBIT-dotnet-2026-33116BIT-dotnet-sdk-2026-33116

Description

Loop with unreachable exit condition ('infinite loop') in .NET, .NET Framework, Visual Studio allows an unauthorized attacker to deny service over a network.

Affected packages (3)

Bitnami/dotnet>= 8.0.0, < 8.0.26, >= 9.0.0, < 9.0.15, >= 10.0.0, < 10.0.6
Bitnami/dotnet-sdk>= 8.0.0, < 8.0.26, >= 9.0.0, < 9.0.15, >= 10.0.0, < 10.0.6
NuGet/System.Security.Cryptography.Xml>= 10.0.0, < 10.0.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-33116
PATCHhttps://github.com/dotnet/runtime
WEBhttps://github.com/dotnet/announcements/issues/392
WEBhttps://github.com/dotnet/runtime/security/advisories/GHSA-37gx-xxp4-5rgx
WEBhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33116