ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-35433 — .NET Elevation of Privilege via Improper Input Validation and Integer Overflow

A short review of CVE-2026-35433, an elevation of privilege vulnerability in .NET 8.0, 9.0, and 10.0 caused by improper input validation and integer overflow. Includes patch details and affected version information.

CVE Analysis

5 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-13

Brief Summary: CVE-2026-35433 — .NET Elevation of Privilege via Improper Input Validation and Integer Overflow
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An improper input validation flaw in the .NET runtime, combined with an integer overflow condition, gives a local attacker a path to SYSTEM level privileges on affected Windows systems. Microsoft patched CVE-2026-35433 on May 12, 2026 as part of a Patch Tuesday cycle that addressed 120 security flaws, and while no exploitation has been observed in the wild, the CVSS 7.3 score and the potential for full privilege escalation make this one worth tracking for any organization running modern .NET workloads.

Technical Information

CVE-2026-35433 is classified under two CWE categories: CWE-20 (Improper Input Validation) and CWE-190 (Integer Overflow or Wraparound). The .NET runtime receives input but incorrectly validates whether it has the required properties to process data safely. The dual classification is informative: while the advisory description focuses on input validation, the CWE-190 tag strongly suggests that the vulnerable code path involves integer arithmetic operations that can be manipulated to produce unexpected values, ultimately bypassing privilege boundaries.

Attack Vector and Prerequisites

The attack vector is local. An attacker must already have read, write, or execute capabilities on the target system. The attack complexity is low, meaning no specialized access conditions or race conditions are required. However, successful exploitation does require user interaction: a legitimate user must be tricked into triggering the malicious payload within the affected application.

Impact

If successfully exploited, an attacker can elevate privileges to SYSTEM level. The impact assessment from Microsoft indicates high confidentiality and integrity impact, allowing the attacker to view sensitive information and modify code within repositories. Availability impact is rated low.

What We Know (and Don't Know)

The exact vulnerable subcomponent within the .NET runtime has not been detailed in the available vendor advisories. No public proof of concept code or detailed exploit writeups are available. Based on the CWE-190 classification, the patch likely introduces bounds or arithmetic checks on integer operations that could previously be manipulated during input processing. The combination of input validation failure and integer overflow suggests a scenario where attacker controlled input flows into an arithmetic operation (such as a size or offset calculation) without proper range checking, and the resulting overflow leads to a security boundary violation.

Patch Information

Microsoft addressed CVE-2026-35433 as part of the May 12, 2026 Patch Tuesday servicing cycle. The fix was rolled out simultaneously across all three currently supported .NET release lines.

.NET VersionPatched RuntimeSDK Versions (with fix)
.NET 10.010.0.810.0.300, 10.0.204, 10.0.108
.NET 9.09.0.16corresponding 9.0.x SDKs
.NET 8.08.0.27corresponding 8.0.x SDKs

An important clarification: this CVE applies only to .NET (Core) 8.0, 9.0, and 10.0. It does not affect .NET Framework (3.5, 4.x). This contrasts with some of the other CVEs released the same day (e.g., CVE-2026-32177) which also touched .NET Framework. The distinction matters for organizations running mixed environments: only the modern .NET runtimes need updating for this specific vulnerability.

The .NET 10.0.8 release notes on GitHub explicitly list CVE-2026-35433 under the "Notable Changes" section, describing it as a ".NET Elevation of Privilege Vulnerability" and confirming that the fix addresses improper input validation. The same advisory text appears in the .NET 9.0.16 release notes, confirming the backport across all affected branches.

Microsoft's official servicing blog post from May 12, 2026, authored by Rahul Bhandari and Tara Overfield, catalogs CVE-2026-35433 alongside CVE-2026-32177, CVE-2026-32175, and CVE-2026-42899 as the security fixes included in this monthly cycle.

Deployment Guidance

To apply the fix, developers and administrators should update to the patched runtime versions and verify using dotnet --version. For containerized workloads, updated Docker images are available on mcr.microsoft.com. Self-contained applications that bundle the .NET runtime will need to be republished against the fixed SDK to incorporate the patch, since the runtime is embedded within the application's output directory in those deployment scenarios.

Administrators should prioritize patching developer workstations, build servers, and application servers where code integrity is critical.

Affected Systems and Versions

The following .NET runtime versions are affected:

  • .NET 10.0: All versions prior to 10.0.8
  • .NET 9.0: All versions prior to 9.0.16
  • .NET 8.0: All versions prior to 8.0.27

.NET Framework 3.5 and 4.x are not affected by this specific CVE.

The vulnerability applies to .NET runtimes running on Windows. The attack vector is local, so only systems where an attacker already has some level of access are at risk.

Vendor Security History

The May 2026 Patch Tuesday cycle addressed 120 security flaws across Microsoft's product portfolio, with zero actively exploited vulnerabilities at the time of release. Within the .NET servicing updates specifically, CVE-2026-35433 was released alongside CVE-2026-32177, CVE-2026-32175, and CVE-2026-42899, indicating that multiple security issues were addressed in the .NET runtime during this cycle. Microsoft coordinates its security patches through the Microsoft Security Response Center (MSRC), which provides exploitability assessments, detailed advisories, and automated API access for security updates.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization