Introduction
An improper input validation flaw in the .NET runtime, combined with an integer overflow condition, gives a local attacker a path to SYSTEM level privileges on affected Windows systems. Microsoft patched CVE-2026-35433 on May 12, 2026 as part of a Patch Tuesday cycle that addressed 120 security flaws, and while no exploitation has been observed in the wild, the CVSS 7.3 score and the potential for full privilege escalation make this one worth tracking for any organization running modern .NET workloads.
Technical Information
CVE-2026-35433 is classified under two CWE categories: CWE-20 (Improper Input Validation) and CWE-190 (Integer Overflow or Wraparound). The .NET runtime receives input but incorrectly validates whether it has the required properties to process data safely. The dual classification is informative: while the advisory description focuses on input validation, the CWE-190 tag strongly suggests that the vulnerable code path involves integer arithmetic operations that can be manipulated to produce unexpected values, ultimately bypassing privilege boundaries.
Attack Vector and Prerequisites
The attack vector is local. An attacker must already have read, write, or execute capabilities on the target system. The attack complexity is low, meaning no specialized access conditions or race conditions are required. However, successful exploitation does require user interaction: a legitimate user must be tricked into triggering the malicious payload within the affected application.
Impact
If successfully exploited, an attacker can elevate privileges to SYSTEM level. The impact assessment from Microsoft indicates high confidentiality and integrity impact, allowing the attacker to view sensitive information and modify code within repositories. Availability impact is rated low.
What We Know (and Don't Know)
The exact vulnerable subcomponent within the .NET runtime has not been detailed in the available vendor advisories. No public proof of concept code or detailed exploit writeups are available. Based on the CWE-190 classification, the patch likely introduces bounds or arithmetic checks on integer operations that could previously be manipulated during input processing. The combination of input validation failure and integer overflow suggests a scenario where attacker controlled input flows into an arithmetic operation (such as a size or offset calculation) without proper range checking, and the resulting overflow leads to a security boundary violation.
Patch Information
Microsoft addressed CVE-2026-35433 as part of the May 12, 2026 Patch Tuesday servicing cycle. The fix was rolled out simultaneously across all three currently supported .NET release lines.
| .NET Version | Patched Runtime | SDK Versions (with fix) |
|---|---|---|
| .NET 10.0 | 10.0.8 | 10.0.300, 10.0.204, 10.0.108 |
| .NET 9.0 | 9.0.16 | corresponding 9.0.x SDKs |
| .NET 8.0 | 8.0.27 | corresponding 8.0.x SDKs |
An important clarification: this CVE applies only to .NET (Core) 8.0, 9.0, and 10.0. It does not affect .NET Framework (3.5, 4.x). This contrasts with some of the other CVEs released the same day (e.g., CVE-2026-32177) which also touched .NET Framework. The distinction matters for organizations running mixed environments: only the modern .NET runtimes need updating for this specific vulnerability.
The .NET 10.0.8 release notes on GitHub explicitly list CVE-2026-35433 under the "Notable Changes" section, describing it as a ".NET Elevation of Privilege Vulnerability" and confirming that the fix addresses improper input validation. The same advisory text appears in the .NET 9.0.16 release notes, confirming the backport across all affected branches.
Microsoft's official servicing blog post from May 12, 2026, authored by Rahul Bhandari and Tara Overfield, catalogs CVE-2026-35433 alongside CVE-2026-32177, CVE-2026-32175, and CVE-2026-42899 as the security fixes included in this monthly cycle.
Deployment Guidance
To apply the fix, developers and administrators should update to the patched runtime versions and verify using dotnet --version. For containerized workloads, updated Docker images are available on mcr.microsoft.com. Self-contained applications that bundle the .NET runtime will need to be republished against the fixed SDK to incorporate the patch, since the runtime is embedded within the application's output directory in those deployment scenarios.
Administrators should prioritize patching developer workstations, build servers, and application servers where code integrity is critical.
Affected Systems and Versions
The following .NET runtime versions are affected:
- .NET 10.0: All versions prior to 10.0.8
- .NET 9.0: All versions prior to 9.0.16
- .NET 8.0: All versions prior to 8.0.27
.NET Framework 3.5 and 4.x are not affected by this specific CVE.
The vulnerability applies to .NET runtimes running on Windows. The attack vector is local, so only systems where an attacker already has some level of access are at risk.
Vendor Security History
The May 2026 Patch Tuesday cycle addressed 120 security flaws across Microsoft's product portfolio, with zero actively exploited vulnerabilities at the time of release. Within the .NET servicing updates specifically, CVE-2026-35433 was released alongside CVE-2026-32177, CVE-2026-32175, and CVE-2026-42899, indicating that multiple security issues were addressed in the .NET runtime during this cycle. Microsoft coordinates its security patches through the Microsoft Security Response Center (MSRC), which provides exploitability assessments, detailed advisories, and automated API access for security updates.
References
- CVE-2026-35433: MSRC Security Update Guide
- CVE-2026-35433: NVD Detail Page
- .NET and .NET Framework May 2026 Servicing Releases Updates (.NET Blog)
- .NET 10.0.8 Release Notes (GitHub)
- .NET 9.0.16 Release Notes (GitHub)
- CVE-2026-35433 on VulDB
- Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero days (BleepingComputer)
- The May 2026 Security Update Review (Zero Day Initiative)
- KB5087048: Security and Quality Rollup for .NET Framework 3.5 for Windows Server 2012
- KB5087067: Security and Quality Rollup for .NET Framework 4.8 for Windows Server 2012



