CoreWCF: Pre-authentication infinite-loop CPU exhaustion in CoreWCF net.tcp / net.pipe / net.uds framing handshake
Package
CoreWCF.NetFramingBase
(NuGet)
Affected versions
< 1.8.1
>= 1.9.0, < 1.9.1
Patched versions
1.8.1
1.9.1
Description
Impact
An unauthenticated remote attacker can pin one server thread-pool worker at 100% CPU per connection. A few such connections are enough to exhaust the server's CPU.
Preconditions
The attacker must be able to reach a service that exposes an endpoint using one of NetTcpBinding, NetNamedPipeBinding, or UnixDomainSocketBinding.
Patches
Fixed in CoreWCF v1.8.1 and v1.9.1
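The affected and patched ranges above can be checked against a project's resolved dependencies, including transitive ones. The following is an added example, not part of the advisory or of CoreWCF: it scans the body of a NuGet packages.lock.json file. The sample lock content is constructed, and treating pre-releases of 1.9.0 as affected is a conservative assumption.

```python
import json
import re

PACKAGE = "CoreWCF.NetFramingBase"  # package named in the advisory

def parse_version(text):
    """Return a sortable key; a pre-release sorts below its release."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.\d+)?(-[0-9A-Za-z.-]+)?(\+.*)?",
                     text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return (major, minor, patch, 0 if m.group(4) else 1)

def is_affected(version):
    """Advisory ranges: < 1.8.1, or >= 1.9.0 and < 1.9.1."""
    v = parse_version(version)
    if v < parse_version("1.8.1"):
        return True
    # Assumption: pre-releases of 1.9.0 are flagged too (key ends in 0).
    return (1, 9, 0, 0) <= v < parse_version("1.9.1")

def affected_in_lock(lock_text):
    """Return sorted (framework, resolved version, dependency type) hits."""
    lock = json.loads(lock_text)
    hits = []
    for framework, deps in lock.get("dependencies", {}).items():
        for name, info in deps.items():
            # NuGet package IDs are case-insensitive.
            if name.lower() != PACKAGE.lower():
                continue
            resolved = info.get("resolved", "")
            if is_affected(resolved):
                hits.append((framework, resolved, info.get("type", "?")))
    return sorted(hits)

# Constructed sample, not taken from a real project.
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "net8.0": {PACKAGE: {"type": "Transitive", "resolved": "1.8.0"}},
        "net9.0": {PACKAGE: {"type": "Transitive", "resolved": "1.9.1"}},
    },
})

if __name__ == "__main__":
    for framework, version, kind in affected_in_lock(SAMPLE_LOCK):
        print(f"{framework}: {PACKAGE} {version} ({kind}) is in an affected range")
```

A "Transitive" hit means the package was pulled in by another dependency, so the project file alone would not show it.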
Workarounds
None
References
Published to the GitHub Advisory Database
Reviewed
Severity
High
CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE ID
CVE-2026-54772
GHSA ID
GHSA-p86g-xrr2-pf7c
