{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/microsoft.netcore.app.runtime.win-x64/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":4.3,"id":"CVE-2026-32175"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":[".NET 8.0",".NET 9.0",".NET 10.0","Microsoft.NetCore.App.Runtime.win-arm","Microsoft.NetCore.App.Runtime.win-arm64","Microsoft.NetCore.App.Runtime.win-x64","Microsoft.NetCore.App.Runtime.win-x86"],"_cs_severities":["high"],"_cs_tags":["cve","tampering","dotnet"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eMicrosoft has released a security advisory regarding a tampering vulnerability, CVE-2026-32175, affecting .NET 8.0, .NET 9.0, and .NET 10.0. The vulnerability stems from .NET Core\u0026rsquo;s improper handling of specially crafted files. Successful exploitation could allow an attacker to write arbitrary files and directories to specific locations on a vulnerable system. However, the attacker\u0026rsquo;s control over the destination of these files and directories is limited. To exploit this vulnerability, an attacker must send a specially crafted file to a vulnerable system. The advisory provides guidance for developers to update their applications to remediate this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious file designed to exploit the .NET Core tampering vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker transmits the specially crafted file to a system running a vulnerable version of .NET Core (8.0, 9.0, or 10.0).\u003c/li\u003e\n\u003cli\u003eThe vulnerable .NET Core application processes the malicious file without proper validation.\u003c/li\u003e\n\u003cli\u003eDue to the improper file handling, the attacker gains the ability to write files and directories to the system.\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to write malicious files to locations where they can be executed or used for further exploitation.\u003c/li\u003e\n\u003cli\u003eWhile the attacker\u0026rsquo;s control over the exact destination is limited, they can potentially overwrite existing files or create new ones in accessible directories.\u003c/li\u003e\n\u003cli\u003eIf the attacker successfully writes executable files, they can achieve code execution on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the code execution to perform malicious activities, such as data exfiltration or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-32175 allows an attacker to write arbitrary files and directories on a vulnerable system. While the attacker\u0026rsquo;s control over the write destination is limited, they can potentially overwrite existing files or create new ones in accessible directories. This can lead to code execution, data exfiltration, or further system compromise. The vulnerability affects applications using .NET 8.0, .NET 9.0, and .NET 10.0 on Windows platforms.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade to the latest versions of .NET 8.0, .NET 9.0, and .NET 10.0 to patch CVE-2026-32175, as described in the Microsoft advisory.\u003c/li\u003e\n\u003cli\u003eFor applications referencing the vulnerable packages, update the package references to the patched versions (e.g., update Microsoft.NetCore.App.Runtime.win-* to versions 8.0.27, 9.0.16, or 10.0.8).\u003c/li\u003e\n\u003cli\u003eRecompile and redeploy self-contained applications targeting the impacted .NET versions, as the deployed applications are also vulnerable.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule targeting file creation events associated with .NET processes to detect potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T19:08:39Z","date_published":"2026-05-18T19:08:39Z","id":"https://feed.craftedsignal.io/briefs/2026-05-dotnet-tampering-vuln/","summary":"A tampering vulnerability exists in .NET 8.0, .NET 9.0, and .NET 10.0 due to improper handling of specially crafted files, potentially allowing an attacker to write arbitrary files and directories to specific locations on a vulnerable system with limited control over the destination.","title":"CVE-2026-32175 .NET Core Tampering Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-dotnet-tampering-vuln/"}],"language":"en","title":"CraftedSignal Threat Feed — Microsoft.NetCore.App.Runtime.win-X64","version":"https://jsonfeed.org/version/1.1"}