CVE-2026-45591
Uncontrolled resource consumption in ASP.NET Core allows an unauthorized attacker to deny service over a network.
CVSS
7.5
High
EPSS
2.4%
p82
KEV
—
Exploit Today
25
0-100
Published: Jun 9, 2026 · Last modified: Jul 15, 2026 · CWE-400 · CWE-770
2.4%EPSS · 30 days2.4%
2026-06-302026-07-16
Uncontrolled resource consumption in ASP.NET Core allows an unauthorized attacker to deny service over a network.
- msrc.microsoft.comhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45591
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:17527
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:25110
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:25111
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:25112
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:25113
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:25114
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:25115
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:25220
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:25221
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:25222
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:26638
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:26994
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:28007
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:28009
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:28011
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:28051
- access.redhat.comhttps://access.redhat.com/errata/RHSA-2026:28227
- access.redhat.comhttps://access.redhat.com/security/cve/CVE-2026-45591
- bugzilla.redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2487224
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2026-217107.5 HIG97.8%
——29A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`.
When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to be called on a non-array. This exception is thrown synchronously inside a property getter and cannot be intercepted by `error` event listeners, meaning it cannot be handled without wrapping every `req.headersDistinct` access in a `try/catch`.
* This vulnerability affects all Node.js HTTP servers on **20.x, 22.x, 24.x, and v25.x**2dCVE-2025-594657.5 HIG88.7%
——27A malformed `HTTP/2 HEADERS` frame with oversized, invalid `HPACK` data can cause Node.js to crash by triggering an unhandled `TLSSocket` error `ECONNRESET`. Instead of safely closing the connection, the process crashes, enabling a remote denial of service. This primarily affects applications that do not attach explicit error handlers to secure sockets, for example:
```
server.on('secureConnection', socket => {
socket.on('error', err => {
console.log(err)
})
})
```2dCVE-2026-261307.5 HIG85.0%
——25Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network.2dCVE-2026-489337.5 HIG84.9%
——25A flaw in Node.js WebCrypto implementation can crash the process if the input of `subtle.encrypt()` is a multiple of 2GiB.
This vulnerability affects all supported release lines: **Node.js 22**, **Node.js 24**, and **Node.js 26**.11hCVE-2026-238647.5 HIG82.9%
——25Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack.
The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage; depending on the vulnerable code path being exercised, the application configuration and application code.
Strongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components.2dCVE-2021-366307.5 HIG80.5%
——24DDOS reflection amplification vulnerability in eAut module of Ruckus Wireless SmartZone controller that allows remote attackers to perform DOS attacks via crafted request.8d