ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-32177 — Heap Buffer Overflow in .NET Enables Local Privilege Escalation

A short review of CVE-2026-32177, a heap-based buffer overflow in the .NET runtime that allows local privilege escalation. This post covers the technical details, affected versions across .NET, .NET Framework, and Visual Studio, and the patch information released in Microsoft's May 2026 Patch Tuesday.

CVE Analysis

7 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-12

Brief Summary: CVE-2026-32177 — Heap Buffer Overflow in .NET Enables Local Privilege Escalation
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A heap based buffer overflow in the .NET runtime, patched in Microsoft's May 2026 Patch Tuesday, allows a local attacker with no prior privileges to escalate their access on a target system. With a CVSS 3.1 score of 7.3 and an attack surface spanning .NET 8 through 10, legacy .NET Framework installations, and multiple Visual Studio versions, this vulnerability touches a significant portion of Windows developer and server environments.

Microsoft has confirmed there are no workarounds or mitigations available; the only remediation is applying the official patches. The good news: there is currently no evidence of active exploitation, and exploit code maturity is classified as Unproven.

Technical Information

Root Cause

CVE-2026-32177 is rooted in two interrelated weaknesses within the .NET runtime's native layer:

  1. Improper Input Validation (CWE-20): The runtime fails to properly validate certain input before processing it, allowing specially crafted data to reach internal memory management routines without adequate bounds checking.
  2. Heap Based Buffer Overflow (CWE-122): Due to the missing validation, an attacker can trigger a condition where data is written beyond the boundaries of a heap allocated buffer. This corrupts adjacent heap metadata or objects, which can be leveraged to gain elevated privileges.

Because the .NET runtime is closed source at the native level where heap management occurs, no public source code diff is available for the underlying fix. However, the nature of the patch is clear from the CWE mappings: the update introduces stricter input validation to prevent the heap based buffer overflow condition from being triggered in the first place.

Attack Vector and Exploitation Flow

The CVSS vector string is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L, which tells us several important things about how exploitation works:

  1. Local access required (AV:L): The vulnerable component is not exposed over the network. An attacker needs local access to the target system, whether through physical console access or a remote session via SSH or RDP.

  2. No privileges required (PR:N): The attacker does not need an existing account or any prior authorization on the system to trigger the vulnerability.

  3. User interaction required (UI:R): Exploitation depends on a legitimate user performing an action. This could involve opening a malicious document, running a crafted application, or otherwise triggering the vulnerable code path within the .NET runtime.

  4. Low attack complexity (AC:L): There are no specialized conditions or race windows required. Once the attacker can deliver the malicious input and a user interacts with it, exploitation is repeatable and reliable.

Impact

Successful exploitation results in:

  • High confidentiality impact: The attacker can view sensitive information, including credentials of other users on the system.
  • High integrity impact: The attacker can make unauthorized modifications to file contents on the target server.
  • Low availability impact: The application may crash, but system wide denial of service is not the primary outcome.

The scope is unchanged (S:U), meaning the impact is confined to the vulnerable component's security authority and does not cascade into other components.

Patch Information

Microsoft released official patches for CVE-2026-32177 on May 12, 2026, as part of its regular Patch Tuesday cycle. Because no workarounds exist, applying these updates is the sole remediation path.

Modern .NET Runtime

For modern .NET, Microsoft shipped updated runtimes that correct the buffer overflow:

.NET BranchFixed Version
.NET 10.010.0.8
.NET 9.09.0.16
.NET 8.08.0.27

Developers consuming .NET via NuGet or the SDK can update to the corresponding SDK versions (e.g., SDK 9.0.314 or 9.0.117 for .NET 9.0, or SDK 8.0.421 or 8.0.127 for .NET 8.0). Updated Docker container images on mcr.microsoft.com are also available for all three branches.

Legacy .NET Framework

The vulnerability affects .NET Framework versions 3.5, 4.6.2, 4.7, 4.7.2, 4.8, and 4.8.1. Fixed build versions are 4.8.9334.0 and 4.8.4802.0 depending on the specific framework branch. These are delivered through cumulative updates, including:

KB ArticleCoverage
KB5088863.NET Framework 3.5, 4.8, and 4.8.1 for Windows 10 Version 22H2
KB5088862.NET Framework 3.5, 4.8, and 4.8.1 for Windows Server 2022
KB5087064.NET Framework 3.5 and 4.8 for Windows 10 Version 21H2 / 22H2
KB5087053.NET Framework 3.5 and 4.8.1 for Windows 10 Version 21H2 / 22H2
KB5087068.NET Framework 3.5 and 4.8 for Windows Server 2022
KB5087059.NET Framework 3.5 and 4.8.1 for Windows Server 2022

Visual Studio

Visual Studio received coordinated patches since it bundles the .NET runtime:

Visual Studio VersionFixed Build
VS 2017 (15.9.x)15.9.80
VS 2019 (16.11.x)16.11.56
VS 2022 (17.12.x)17.12.20
VS 2022 (17.14.x)17.14.31
VS 2025 (18.5.x)18.5.3

Deployment Channels

All patches are available through Windows Update and Windows Update for Business. Standalone packages can be obtained from the Microsoft Update Catalog. Enterprise administrators can deploy them via WSUS by targeting the appropriate product classifications. For .NET (non Framework) applications, developers should update via dotnet-install scripts or by targeting the fixed SDK/runtime version in their project configurations.

Affected Systems and Versions

The vulnerability spans a broad set of products and versions:

Modern .NET (versions prior to the fix):

  • .NET 10.0 (versions before 10.0.8)
  • .NET 9.0 (versions before 9.0.16)
  • .NET 8.0 (versions before 8.0.27)

Legacy .NET Framework:

  • .NET Framework 3.5
  • .NET Framework 4.6.2
  • .NET Framework 4.7
  • .NET Framework 4.7.2
  • .NET Framework 4.8 (versions before build 4.8.4802.0)
  • .NET Framework 4.8.1 (versions before build 4.8.9334.0)

These .NET Framework versions are affected across Windows Server and Windows client operating systems, including Windows 10 Version 21H2, Windows 10 Version 22H2, and Windows Server 2022.

Visual Studio:

  • Visual Studio 2017 (15.9.x, versions before 15.9.80)
  • Visual Studio 2019 (16.11.x, versions before 16.11.56)
  • Visual Studio 2022 (17.12.x, versions before 17.12.20)
  • Visual Studio 2022 (17.14.x, versions before 17.14.31)
  • Visual Studio 2025 (18.5.x, versions before 18.5.3)

Vendor Security History

Microsoft maintains a mature and highly structured security response program through the Microsoft Security Response Center (MSRC). MSRC investigates vulnerabilities, coordinates disclosures, and releases security updates on the second Tuesday of each month. The company actively engages with external security researchers through bug bounty programs that have awarded more than $60 million since 2013. The May 2026 Patch Tuesday cycle in which this vulnerability was addressed covered 120 vulnerabilities total, with no zero days reported as exploited in the wild.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization