.NET Flaws Let Attackers Write Files and Crash Apps

New .NET vulnerabilities could let attackers write arbitrary files to your system or trigger a denial-of-service attack.

A security notice has revealed two significant vulnerabilities in the .NET framework, a core technology used for building a wide range of applications. The first issue, identified as CVE-2026-45491, involves improper handling of file links. This flaw could allow a local attacker to bypass security restrictions and write files to unauthorized locations on a server or workstation. Essentially, an attacker could tamper with system files or plant malicious code outside of the expected directory, leading to further system compromise. The second vulnerability relates to how .NET processes deeply-nested data structures, specifically MessagePack arrays. An attacker could craft a malicious data packet that, when processed by a .NET application, consumes an excessive amount of system resources. This would effectively crash the application or the server it runs on, resulting in a denial-of-service (DoS) attack that makes the service unavailable to legitimate users.

These vulnerabilities pose a serious risk to any organization that develops or runs software built on .NET. The arbitrary file write flaw is particularly dangerous, as it could be a stepping stone for more complex attacks, including privilege escalation or persistent malware installation. The denial-of-service vulnerability threatens the availability and reliability of critical business applications, potentially leading to operational disruptions and damage to customer trust. Any public-facing application or internal service using a vulnerable version of the .NET framework is a potential target. Because .NET is so widely adopted for web services, desktop applications, and cloud infrastructure, the potential impact is broad. Promptly addressing these flaws is crucial to maintaining a secure and stable operational environment.