Microsoft Security Advisory CVE-2026-45591 – ASP.NET Core Denial of Service Vulnerability

When

2026-06-15 20:11 UTC

Where

Global (internet)

Category

cyber_advisory · nuget

## Executive summary Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core SignalR and Blazor Server. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A denial of service vulnerability exists in the MessagePack hub protocol used by SignalR and Blazor Server where an attacker can send deeply-nested MessagePack arrays to cause a stack overflow, resulting in a denial of service. ## Announcement Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/405 ## Affected Platforms - **Platforms:** All - **Architectures:** All ## <a name="affected-packages"></a>Affected Packages The vulnerability affects any Microsoft .NET project if it uses any of affected package versions listed below ### <a name=".NET 10"></a>.NET 10 Package name | Affected version | Patched version ------------ | ---------------- | ------------------------- [Microsoft.AspNetCore.App.Runtime.linux-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm) | >= 10.0.0, <= 10.0.8 | 10.0.9 [Microsoft.AspNetCore.App.Runtime.linux-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm64) | >= 10.0.0, <= 10.0.8 | 10.0.9 [Microsoft.AspNetCore.App.Runtime.linux-musl-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-arm) | >= 10.0.0, <= 10.0.8 | 10.0.9 [Microsoft.AspNetCore.App.Runtime.linux-musl-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-arm64) | >= 10.0.0, <= 10.0.8 | 10.0.9 [Microsoft.AspNetCore.App.Runtime.linux-musl-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-x64) | >= 10.0.0, <= 10.0.8 | 10.0.9 [Microsoft.AspNetCore.App.Runtime.linux-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-x64) | >= 10.0.0, <= 10.0.8 | 10.0.9 [Microsoft.AspNetCore.App.Runtime.osx-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.osx-arm64) | >= 10.0.0, <= 10.0.8 | 10.0.9 [Microsoft.AspNetCore.App.Runtime.osx-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.osx-x64) | >= 10.0.0, <= 10.0.8 | 10.0.9 [Microsoft.AspNetCore.App.Runtime.win-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm) | >= 10.0.0, <= 10.0.8 | 10.0.9 [Microsoft.AspNetCore.App.Runtime.win-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm64) | >= 10.0.0, <= 10.0.8 | 10.0.9 [Microsoft.AspNetCore.App.Runtime.win-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x64) | >= 10.0.0, <= 10.0.8 | 10.0.9 [Microsoft.AspNetCore.App.Runtime.win-x86](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x86) | >= 10.0.0, <= 10.0.8 | 10.0.9 ### <a name=".NET 10 SignalR"></a>Microsoft.AspNetCore.SignalR.Protocols.MessagePack (.NET 10) Package name | Affected version | Patched version ------------ | ---------------- | ------------------------- [Microsoft.AspNetCore.SignalR.Protocols.MessagePack](https://www.nuget.org/packages/Microsoft.AspNetCore.SignalR.Protocols.MessagePack) | >= 10.0.0, <= 10.0.8 | 10.0.9 ### <a name=".NET 9"></a>.NET 9 Package name | Affected version | Patched version ------------ | ---------------- | ------------------------- [Microsoft.AspNetCore.App.Runtime.linux-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm) | >= 9.0.0, <= 9.0.16 | 9.0.17 [Microsoft.AspNetCore.App.Runtime.linux-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm64) | >= 9.0.0, <= 9.0.16 | 9.0.17 [Microsoft.AspNetCore.App.Runtime.linux-musl-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-arm) | >= 9.0.0, <= 9.0.16 | 9.0.17 [Microsoft.AspNetCore.App.Runtime.linux-musl-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-arm64) | >= 9.0.0, <= 9.0.16 | 9.0.17 [Microsoft.AspNetCore.App.Runtime.linux-musl-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-x64) | >= 9.0.0, <= 9.0.16 | 9.0.17 [Microsoft.AspNetCore.App.Runtime.linux-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-x64) | >= 9.0.0, <= 9.0.16 | 9.0.17 [Microsoft.AspNetCore.App.Runtime.osx-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.osx-arm64) | >= 9.0.0, <= 9.0.16 | 9.0.17 [Microsoft.AspNetCore.App.Runtime.osx-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.osx-x64) | >= 9.0.0, <= 9.0.16 | 9.0.17 [Microsoft.AspNetCore.App.Runtime.win-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm) | >= 9.0.0, <= 9.0.16 | 9.0.17 [Microsoft.AspNetCore.App.Runtime.win-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm64) | >= 9.0.0, <= 9.0.16 | 9.0.17 [Microsoft.AspNetCore.App.Runtime.win-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x64) | >= 9.0.0, <= 9.0.16 | 9.0.17 [Microsoft.AspNetCore.App.Runtime.win-x86](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x86) | >= 9.0.0, <= 9.0.16 | 9.0.17 ### <a name=".NET 9 SignalR"></a>Microsoft.AspNetCore.SignalR.Protocols.MessagePack (.NET 9) Package name | Affected version | Patched version ------------ | ---------------- | ------------------------- [Microsoft.AspNetCore.SignalR.Protocols.MessagePack](https://www.nuget.org/packages/Microsoft.AspNetCore.SignalR.Protocols.MessagePack) | >= 9.0.0, <= 9.0.16 | 9.0.17 ### <a name=".NET 8"></a>.NET 8 Package name | Affected version | Patched version ------------ | ---------------- | ------------------------- [Microsoft.AspNetCore.App.Runtime.linux-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm) | >= 8.0.0, <= 8.0.27 | 8.0.28 [Microsoft.AspNetCore.App.Runtime.linux-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm64) | >= 8.0.0, <= 8.0.27 | 8.0.28 [Microsoft.AspNetCore.App.Runtime.linux-musl-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-arm) | >= 8.0.0, <= 8.0.27 | 8.0.28 [Microsoft.AspNetCore.App.Runtime.linux-musl-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-arm64) | >= 8.0.0, <= 8.0.27 | 8.0.28 [Microsoft.AspNetCore.App.Runtime.linux-musl-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-x64) | >= 8.0.0, <= 8.0.27 | 8.0.28 [Microsoft.AspNetCore.App.Runtime.linux-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-x64) | >= 8.0.0, <= 8.0.27 | 8.0.28 [Microsoft.AspNetCore.App.Runtime.osx-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.osx-arm64) | >= 8.0.0, <= 8.0.27 | 8.0.28 [Microsoft.AspNetCore.App.Runtime.osx-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.osx-x64) | >= 8.0.0, <= 8.0.27 | 8.0.28 [Microsoft.AspNetCore.App.Runtime.win-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm) | >= 8.0.0, <= 8.0.27 | 8.0.28 [Microsoft.AspNetCore.App.Runtime.win-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm64) | >= 8.0.0, <= 8.0.27 | 8.0.28 [Microsoft.AspNetCore.App.Runtime.win-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x64) | >= 8.0.0, <= 8.0.27 | 8.0.28 [Microsoft.AspNetCore.App.Runtime.win-x86](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x86) | >= 8.0.0, <= 8.0.27 | 8.0.28 ### <a name=".

Sources

• GitHub Advisory Database ↗ · first seen 2026-06-15 20:11 UTC

Defaxon links out to the original reporting and never republishes article text.

Correlated events

Computed by the Defaxon correlation engine — linked by shared actors, co-location, and temporal proximity. Scored hypotheses, never causal claims.

No correlated events found in the current window. As more events arrive, connections form automatically.

← Back to the live map