GHSA-p86g-xrr2-pf7cHighCVSS 7.5

CoreWCF: Pre-authentication infinite-loop CPU exhaustion in CoreWCF net.tcp / net.pipe / net.uds framing handshake

Published
June 19, 2026
Last Modified
June 19, 2026

🔗 CVE IDs covered (1)

📋 Description

Impact

An unauthenticated remote attacker can pin one server thread‑pool worker at 100 % CPU per connection. With a few connections, the CPU usage can be exhausted.

Preconditions

An attacker being able to reach a service which is exposing an endpoint using one of NetTcpBinding, NetNamedPipeBinding, or UnixDomainSocketBinding.

Patches

Fixed in CoreWCF v1.8.1 and v1.9.1

Workarounds

None

🎯 Affected products2

  • nuget/CoreWCF.NetFramingBase:< 1.8.1
  • nuget/CoreWCF.NetFramingBase:>= 1.9.0, < 1.9.1

🔗 References (2)