May 2026: .NET Core Tampering Vulnerability
CVE-2026-32175 Published on May 12, 2026
.NET Core Tampering Vulnerability
A tampering vulnerability exists when .NET Core improperly handles specially crafted files. An attacker who successfully exploited this vulnerability could write arbitrary files and directories to certain locations on a vulnerable system. However, an attacker would have limited control over the destination of the files and directories.
To exploit the vulnerability, an attacker must send a specially crafted file to a vulnerable system.
The security update fixes the vulnerability by ensuring .NET Core properly handles files.
Weakness Type
Absolute Path Traversal
The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory. This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.
Products Associated with CVE-2026-32175
Want to know whenever a new CVE is published for Microsoft products? stack.watch will email you.
Affected Versions
Microsoft .NET 10.0:- Version 10.0.0 and below 10.0.8 is affected.
- Version 8.0.0 and below 8.0.27 is affected.
- Version 9.0.0 and below 9.0.16 is affected.
- Version 15.9.0 and below 15.9.80 is affected.
- Version 16.11.0 and below 16.11.56 is affected.
- Version 17.12.0 and below 17.12.20 is affected.
- Version 17.14.0 and below 17.14.31 is affected.
- Version 18.5.0 and below 18.5.3 is affected.