Introduction
A heap based buffer overflow in the .NET runtime, patched in Microsoft's May 2026 Patch Tuesday, allows a local attacker with no prior privileges to escalate their access on a target system. With a CVSS 3.1 score of 7.3 and an attack surface spanning .NET 8 through 10, legacy .NET Framework installations, and multiple Visual Studio versions, this vulnerability touches a significant portion of Windows developer and server environments.
Microsoft has confirmed there are no workarounds or mitigations available; the only remediation is applying the official patches. The good news: there is currently no evidence of active exploitation, and exploit code maturity is classified as Unproven.
Technical Information
Root Cause
CVE-2026-32177 is rooted in two interrelated weaknesses within the .NET runtime's native layer:
- Improper Input Validation (CWE-20): The runtime fails to properly validate certain input before processing it, allowing specially crafted data to reach internal memory management routines without adequate bounds checking.
- Heap Based Buffer Overflow (CWE-122): Due to the missing validation, an attacker can trigger a condition where data is written beyond the boundaries of a heap allocated buffer. This corrupts adjacent heap metadata or objects, which can be leveraged to gain elevated privileges.
Because the .NET runtime is closed source at the native level where heap management occurs, no public source code diff is available for the underlying fix. However, the nature of the patch is clear from the CWE mappings: the update introduces stricter input validation to prevent the heap based buffer overflow condition from being triggered in the first place.
Attack Vector and Exploitation Flow
The CVSS vector string is AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L, which tells us several important things about how exploitation works:
-
Local access required (AV:L): The vulnerable component is not exposed over the network. An attacker needs local access to the target system, whether through physical console access or a remote session via SSH or RDP.
-
No privileges required (PR:N): The attacker does not need an existing account or any prior authorization on the system to trigger the vulnerability.
-
User interaction required (UI:R): Exploitation depends on a legitimate user performing an action. This could involve opening a malicious document, running a crafted application, or otherwise triggering the vulnerable code path within the .NET runtime.
-
Low attack complexity (AC:L): There are no specialized conditions or race windows required. Once the attacker can deliver the malicious input and a user interacts with it, exploitation is repeatable and reliable.
Impact
Successful exploitation results in:
- High confidentiality impact: The attacker can view sensitive information, including credentials of other users on the system.
- High integrity impact: The attacker can make unauthorized modifications to file contents on the target server.
- Low availability impact: The application may crash, but system wide denial of service is not the primary outcome.
The scope is unchanged (S:U), meaning the impact is confined to the vulnerable component's security authority and does not cascade into other components.
Patch Information
Microsoft released official patches for CVE-2026-32177 on May 12, 2026, as part of its regular Patch Tuesday cycle. Because no workarounds exist, applying these updates is the sole remediation path.
Modern .NET Runtime
For modern .NET, Microsoft shipped updated runtimes that correct the buffer overflow:
| .NET Branch | Fixed Version |
|---|---|
| .NET 10.0 | 10.0.8 |
| .NET 9.0 | 9.0.16 |
| .NET 8.0 | 8.0.27 |
Developers consuming .NET via NuGet or the SDK can update to the corresponding SDK versions (e.g., SDK 9.0.314 or 9.0.117 for .NET 9.0, or SDK 8.0.421 or 8.0.127 for .NET 8.0). Updated Docker container images on mcr.microsoft.com are also available for all three branches.
Legacy .NET Framework
The vulnerability affects .NET Framework versions 3.5, 4.6.2, 4.7, 4.7.2, 4.8, and 4.8.1. Fixed build versions are 4.8.9334.0 and 4.8.4802.0 depending on the specific framework branch. These are delivered through cumulative updates, including:
| KB Article | Coverage |
|---|---|
| KB5088863 | .NET Framework 3.5, 4.8, and 4.8.1 for Windows 10 Version 22H2 |
| KB5088862 | .NET Framework 3.5, 4.8, and 4.8.1 for Windows Server 2022 |
| KB5087064 | .NET Framework 3.5 and 4.8 for Windows 10 Version 21H2 / 22H2 |
| KB5087053 | .NET Framework 3.5 and 4.8.1 for Windows 10 Version 21H2 / 22H2 |
| KB5087068 | .NET Framework 3.5 and 4.8 for Windows Server 2022 |
| KB5087059 | .NET Framework 3.5 and 4.8.1 for Windows Server 2022 |
Visual Studio
Visual Studio received coordinated patches since it bundles the .NET runtime:
| Visual Studio Version | Fixed Build |
|---|---|
| VS 2017 (15.9.x) | 15.9.80 |
| VS 2019 (16.11.x) | 16.11.56 |
| VS 2022 (17.12.x) | 17.12.20 |
| VS 2022 (17.14.x) | 17.14.31 |
| VS 2025 (18.5.x) | 18.5.3 |
Deployment Channels
All patches are available through Windows Update and Windows Update for Business. Standalone packages can be obtained from the Microsoft Update Catalog. Enterprise administrators can deploy them via WSUS by targeting the appropriate product classifications. For .NET (non Framework) applications, developers should update via dotnet-install scripts or by targeting the fixed SDK/runtime version in their project configurations.
Affected Systems and Versions
The vulnerability spans a broad set of products and versions:
Modern .NET (versions prior to the fix):
- .NET 10.0 (versions before 10.0.8)
- .NET 9.0 (versions before 9.0.16)
- .NET 8.0 (versions before 8.0.27)
Legacy .NET Framework:
- .NET Framework 3.5
- .NET Framework 4.6.2
- .NET Framework 4.7
- .NET Framework 4.7.2
- .NET Framework 4.8 (versions before build 4.8.4802.0)
- .NET Framework 4.8.1 (versions before build 4.8.9334.0)
These .NET Framework versions are affected across Windows Server and Windows client operating systems, including Windows 10 Version 21H2, Windows 10 Version 22H2, and Windows Server 2022.
Visual Studio:
- Visual Studio 2017 (15.9.x, versions before 15.9.80)
- Visual Studio 2019 (16.11.x, versions before 16.11.56)
- Visual Studio 2022 (17.12.x, versions before 17.12.20)
- Visual Studio 2022 (17.14.x, versions before 17.14.31)
- Visual Studio 2025 (18.5.x, versions before 18.5.3)
Vendor Security History
Microsoft maintains a mature and highly structured security response program through the Microsoft Security Response Center (MSRC). MSRC investigates vulnerabilities, coordinates disclosures, and releases security updates on the second Tuesday of each month. The company actively engages with external security researchers through bug bounty programs that have awarded more than $60 million since 2013. The May 2026 Patch Tuesday cycle in which this vulnerability was addressed covered 120 vulnerabilities total, with no zero days reported as exploited in the wild.
References
- Microsoft Security Update Guide: CVE-2026-32177
- NVD Entry for CVE-2026-32177
- CVE.org Record for CVE-2026-32177
- .NET and .NET Framework May 2026 Servicing Updates
- KB5088863: .NET Framework Update for Windows 10 22H2
- KB5088862: .NET Framework Update for Windows Server 2022
- .NET 9.0.16 Release Notes
- .NET 8.0.27 Release Notes
- BleepingComputer: Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero days
- BleepingComputer: Microsoft Patch Tuesday May 2026 Report
- CybersecurityNews: Microsoft Patch Tuesday May 2026
- Microsoft Security Blog: How MSRC Coordinates Vulnerability Research and Disclosure



