{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/dotnet/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["defense-in-depth","resource-exhaustion","information-disclosure","dotnet"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMeridian versions before 2.1.1 contain multiple vulnerabilities stemming from defense-in-depth gaps within the \u003ccode\u003eMeridian.Mapping\u003c/code\u003e and \u003ccode\u003eMeridian.Mediator\u003c/code\u003e components. Two high-severity issues involve bypassing the advertised \u003ccode\u003eDefaultMaxCollectionItems\u003c/code\u003e and \u003ccode\u003eDefaultMaxDepth\u003c/code\u003e safety caps, particularly when using the \u003ccode\u003eIMapper.Map(source, destination)\u003c/code\u003e overload or \u003ccode\u003e.UseDestinationValue()\u003c/code\u003e on collection-typed properties. These flaws can lead to resource exhaustion. Additional medium-severity issues include constructor invariant bypass, OpenTelemetry stack-trace information disclosure, retry amplification, and notification fan-out amplification. The vulnerabilities were patched in version 2.1.1, released on April 16, 2026. The issues affect applications using the Meridian library for object-object mapping and mediation. 
Successful exploitation could lead to denial-of-service conditions, information disclosure, and unexpected application behavior.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker sends a crafted request to an application using Meridian, including a large or self-referential collection in the request payload.\u003c/li\u003e\n\u003cli\u003eThe application\u0026rsquo;s mapping logic utilizes \u003ccode\u003eIMapper.Map(source, destination)\u003c/code\u003e or \u003ccode\u003e.UseDestinationValue()\u003c/code\u003e on a collection property, triggering the vulnerable code path.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eMappingEngine.TryMapCollectionOntoExisting\u003c/code\u003e method processes the collection without enforcing \u003ccode\u003eDefaultMaxCollectionItems\u003c/code\u003e, leading to excessive memory consumption.\u003c/li\u003e\n\u003cli\u003eCollection-item recursion fails to increment \u003ccode\u003eResolutionContext.Depth\u003c/code\u003e, allowing self-referential graphs to bypass \u003ccode\u003eDefaultMaxDepth\u003c/code\u003e and cause a stack overflow.\u003c/li\u003e\n\u003cli\u003eThe unbounded collection processing consumes excessive CPU and memory resources, potentially blocking the worker thread.\u003c/li\u003e\n\u003cli\u003eAlternatively, an attacker exploits the \u003ccode\u003eObjectCreator.CreateWithConstructorMapping\u003c/code\u003e vulnerability by providing input that bypasses constructor invariants due to the widest constructor being selected.\u003c/li\u003e\n\u003cli\u003eThe application experiences a denial-of-service condition due to resource exhaustion or exhibits unintended behavior due to bypassed constructor invariants.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of these vulnerabilities can lead to significant consequences. 
An attacker can cause denial-of-service by exhausting server resources, potentially impacting all users of the affected application. Information disclosure is possible through OpenTelemetry stack traces, and bypassing constructor invariants can lead to unexpected application behavior and potential data corruption. The high-severity vulnerabilities related to collection mapping are particularly concerning due to the potential for easy exploitation through a single crafted request. The impact is mitigated by upgrading to version 2.1.1 of the \u003ccode\u003eMeridian.Mapping\u003c/code\u003e and \u003ccode\u003eMeridian.Mediator\u003c/code\u003e libraries.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade to Meridian version 2.1.1 to patch the identified vulnerabilities, as documented in the \u003ca href=\"https://github.com/UmutKorkmaz/meridian/blob/main/CHANGELOG.md#211---2026-04-16\"\u003ev2.1.1 CHANGELOG\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eFor applications that cannot be immediately upgraded, avoid using \u003ccode\u003emapper.Map(src, dst)\u003c/code\u003e and \u003ccode\u003e.UseDestinationValue()\u003c/code\u003e on collection-typed destination members as a temporary workaround.\u003c/li\u003e\n\u003cli\u003eImplement explicit size limits on input collection deserialization before passing the payload to Meridian, as described in the \u003ca href=\"#workarounds\"\u003eWorkarounds section\u003c/a\u003e of this brief.\u003c/li\u003e\n\u003cli\u003eConsider disabling OpenTelemetry \u003ccode\u003eexception.stacktrace\u003c/code\u003e tag emission if your trace sink is not fully trusted, mitigating potential information disclosure.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-17T12:00:00Z","date_published":"2026-04-17T12:00:00Z","id":"/briefs/2026-04-17-meridian-defense-gaps/","summary":"Multiple defense-in-depth gaps exist in Meridian versions prior to 2.1.1, 
including high severity issues related to bypassing safety caps on collection mapping that can lead to resource exhaustion, along with medium and low severity issues affecting constructor selection, telemetry, retry mechanisms, and exception handling.","title":"Meridian Library Multiple Defense-in-Depth Gaps","url":"https://feed.craftedsignal.io/briefs/2026-04-17-meridian-defense-gaps/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-26171"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["CVE-2026-26171","dotnet","denial-of-service","dos","resource-consumption"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-26171 is a denial-of-service vulnerability affecting the .NET framework. This vulnerability stems from uncontrolled resource consumption, allowing an unauthenticated remote attacker to exhaust server resources. The vulnerability was published on April 14, 2026. Successful exploitation can lead to server unresponsiveness or complete service disruption. While the specific attack vector is not detailed in the source document, similar vulnerabilities in .NET have been exploited via crafted network requests that trigger excessive memory allocation or CPU usage. 
This vulnerability could affect any application running on a vulnerable .NET framework version, making it critical for organizations to patch their systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a .NET application running on a vulnerable system exposed to the network.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious network request designed to exploit the uncontrolled resource consumption vulnerability (CVE-2026-26171).\u003c/li\u003e\n\u003cli\u003eThe crafted request is sent to the vulnerable .NET application.\u003c/li\u003e\n\u003cli\u003eThe application processes the malicious request, triggering excessive resource allocation (e.g., memory or CPU).\u003c/li\u003e\n\u003cli\u003eRepeated or sustained malicious requests cause the server\u0026rsquo;s resources to become exhausted.\u003c/li\u003e\n\u003cli\u003eLegitimate user requests are delayed or rejected due to resource exhaustion.\u003c/li\u003e\n\u003cli\u003eThe .NET application becomes unresponsive, leading to a denial-of-service condition.\u003c/li\u003e\n\u003cli\u003eThe server hosting the .NET application may crash, resulting in complete service disruption.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-26171 can lead to a denial-of-service condition, rendering .NET applications and the services they provide unavailable. The impact ranges from temporary service disruption to complete server crashes. The vulnerability has a CVSS v3.1 score of 7.5, indicating a high severity. The number of affected applications depends on the prevalence of vulnerable .NET framework versions within an organization\u0026rsquo;s infrastructure. 
If successfully exploited, this can lead to significant business interruption and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch provided by Microsoft for CVE-2026-26171 as soon as possible to remediate the vulnerability (\u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26171\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26171\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious patterns indicative of denial-of-service attacks, such as a sudden surge in requests to .NET application endpoints. Deploy the Sigma rule detecting a high number of connections from a single source IP.\u003c/li\u003e\n\u003cli\u003eImplement resource monitoring on servers running .NET applications to detect unusual CPU or memory usage that may indicate exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview and harden network segmentation to limit the potential impact of a successful denial-of-service attack.\u003c/li\u003e\n\u003cli\u003eConsider using a Web Application Firewall (WAF) to filter malicious requests and mitigate potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T12:00:00Z","date_published":"2026-04-15T12:00:00Z","id":"/briefs/2026-04-dotnet-dos/","summary":"CVE-2026-26171 is a vulnerability in .NET that allows an unauthorized attacker to perform a denial-of-service attack over a network due to uncontrolled resource consumption.","title":".NET Uncontrolled Resource Consumption Vulnerability (CVE-2026-26171)","url":"https://feed.craftedsignal.io/briefs/2026-04-dotnet-dos/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-32178"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["dotnet","spoofing","cve-2026-32178"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-32178 is a 
security vulnerability affecting .NET applications. This vulnerability stems from the improper neutralization of special elements, which can be exploited by an unauthorized attacker to perform spoofing attacks over a network. Successful exploitation of this vulnerability could allow an attacker to impersonate trusted entities or services, potentially leading to unauthorized access, data manipulation, or other malicious activities. The vulnerability was published on April 14, 2026. Given the widespread use of .NET in various applications and services, this vulnerability poses a significant risk to organizations utilizing affected .NET versions. Defenders need to implement appropriate mitigation strategies to prevent potential exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable .NET application that processes network-based input.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious network request containing special elements designed to exploit the improper neutralization vulnerability (CVE-2026-32178).\u003c/li\u003e\n\u003cli\u003eThe vulnerable .NET application processes the malicious request without properly neutralizing the special elements.\u003c/li\u003e\n\u003cli\u003eDue to the lack of proper neutralization, the application misinterprets the special elements in the request.\u003c/li\u003e\n\u003cli\u003eThe application performs actions based on the misinterpreted data, such as modifying data or granting unauthorized access.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the spoofed identity or altered data to further compromise the system or network.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-32178 could allow an attacker to perform network spoofing, 
potentially impacting confidentiality, integrity, and availability of affected systems. While the specific number of victims is unknown, the widespread use of .NET increases the potential for broad impact across various sectors. Consequences can range from data breaches and financial loss to reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security update provided by Microsoft to patch CVE-2026-32178 as referenced in \u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32178\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32178\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM to detect potential exploitation attempts targeting .NET applications.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious patterns indicative of spoofing attacks, focusing on traffic to and from .NET applications.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T18:17:20Z","date_published":"2026-04-14T18:17:20Z","id":"/briefs/2026-04-dotnet-spoofing/","summary":"CVE-2026-32178 is a vulnerability in .NET that allows for network spoofing due to improper neutralization of special elements, potentially enabling attackers to impersonate legitimate entities.","title":".NET Spoofing Vulnerability (CVE-2026-32178)","url":"https://feed.craftedsignal.io/briefs/2026-04-dotnet-spoofing/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2026-39959"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["dbus","vulnerability","dotnet"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eTmds.DBus is a .NET library used for interacting with the D-Bus inter-process communication system. 
A vulnerability exists in versions prior to 0.92.0 for Tmds.DBus and 0.92.0 and 0.21.3 for Tmds.DBus.Protocol, allowing a malicious D-Bus peer on the same bus to perform several malicious actions. These include spoofing signals by impersonating the owner of a well-known name, exhausting system resources by sending messages with an excessive number of Unix file descriptors, and crashing the application by sending malformed message bodies that cause unhandled exceptions on the SynchronizationContext. This vulnerability could lead to denial of service or potentially allow for further exploitation within the affected application\u0026rsquo;s context. Defenders need to ensure they are running patched versions of this software.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA malicious actor gains access to the same D-Bus instance as the target application.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a well-known name that the target application utilizes.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious D-Bus message designed to impersonate the owner of the well-known name.\u003c/li\u003e\n\u003cli\u003eThe attacker sends this spoofed signal to the target application through the D-Bus.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker crafts a D-Bus message with an excessive number of Unix file descriptors.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the resource-intensive message, attempting to exhaust system resources.\u003c/li\u003e\n\u003cli\u003eOr the attacker crafts a malformed message body designed to cause an unhandled exception.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation leads to signal spoofing, resource exhaustion, or application crash, potentially leading to denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a malicious actor to disrupt 
services that rely on Tmds.DBus. By spoofing signals, an attacker can manipulate the behavior of applications. By exhausting system resources or crashing applications, the attacker can cause denial of service. While the specific number of victims or sectors affected is not detailed, the potential impact is significant for systems using vulnerable versions of Tmds.DBus.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Tmds.DBus to version 0.92.0 or later and Tmds.DBus.Protocol to version 0.92.0 or 0.21.3 or later to remediate CVE-2026-39959.\u003c/li\u003e\n\u003cli\u003eMonitor D-Bus traffic for suspicious patterns, such as messages with excessive file descriptors, by creating custom monitoring tools.\u003c/li\u003e\n\u003cli\u003eImplement application-level validation of D-Bus messages to prevent exploitation through malformed message bodies.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T17:16:30Z","date_published":"2026-04-09T17:16:30Z","id":"/briefs/2026-04-tmds-dbus-vuln/","summary":"Tmds.DBus and Tmds.DBus.Protocol are vulnerable to signal spoofing, resource exhaustion, and application crashes due to malformed messages from malicious D-Bus peers on the same bus.","title":"Tmds.DBus Vulnerability Allows Signal Spoofing and Resource Exhaustion","url":"https://feed.craftedsignal.io/briefs/2026-04-tmds-dbus-vuln/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["PowerShell"],"_cs_severities":["high"],"_cs_tags":["powershell","reflection","dotnet","memory-injection","attack.execution","attack.t1059.001"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief addresses the use of PowerShell to load .NET assemblies into memory using reflection, a technique frequently observed in advanced attacks. 
Threat actors, including those employing frameworks like Empire and Cobalt Strike, utilize this method to execute code directly in memory, evading traditional file-based security controls. The detection strategy focuses on PowerShell Script Block Logging (EventCode=4104), which captures the full commands executed, enabling analysis for specific reflection-related keywords. This behavior is a strong indicator of potential malicious activity, as it allows for unauthorized code execution, privilege escalation, and persistent access. Defenders should prioritize detection and response to such events to mitigate the risk of compromise. The technique allows attackers to bypass traditional defenses, execute code in memory, and potentially establish persistence within the targeted environment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInitial Access: The attacker gains initial access to the system, possibly through phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003ePowerShell Execution: The attacker executes PowerShell, often obfuscated or encoded, to avoid detection.\u003c/li\u003e\n\u003cli\u003eReflection Assembly Loading: The PowerShell script uses reflection techniques, such as \u003ccode\u003e[System.Reflection.Assembly]::Load()\u003c/code\u003e, to load a .NET assembly directly into memory.\u003c/li\u003e\n\u003cli\u003eBypassing Security Controls: The in-memory execution bypasses traditional security controls that scan files on disk.\u003c/li\u003e\n\u003cli\u003eMalicious Code Execution: The loaded assembly contains malicious code, which could be a payload for lateral movement, data exfiltration, or other malicious activities.\u003c/li\u003e\n\u003cli\u003ePrivilege Escalation: The malicious code may attempt to escalate privileges to gain higher-level access to the system.\u003c/li\u003e\n\u003cli\u003ePersistence: The attacker establishes persistence by creating scheduled tasks or 
modifying registry keys.\u003c/li\u003e\n\u003cli\u003eLateral Movement: The attacker uses the compromised system as a springboard to move laterally within the network, compromising additional systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to unauthorized code execution, privilege escalation, and persistent access within the environment. By loading .NET assemblies directly into memory, attackers can bypass traditional file-based security controls, making detection more challenging. This technique is often employed in advanced attacks, potentially affecting numerous systems across the network, leading to significant data breaches and system compromise. While specific victim counts are not available, the impact is considered high due to the potential for widespread damage and data loss.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging (EventCode=4104) on all endpoints to capture the full commands executed, as referenced in the description.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect PowerShell scripts loading .NET assemblies into memory via reflection.\u003c/li\u003e\n\u003cli\u003eInvestigate and remediate any alerts generated by the Sigma rules, prioritizing systems with high-value data or critical functions.\u003c/li\u003e\n\u003cli\u003eRegularly review and update PowerShell execution policies to restrict the execution of unsigned or untrusted scripts.\u003c/li\u003e\n\u003cli\u003eMonitor PowerShell logs for suspicious activity, such as the use of reflection techniques to load assemblies from unusual locations.\u003c/li\u003e\n\u003cli\u003eConsult the references provided, specifically the Microsoft .NET API documentation and the Palantir article on event tracing, to deepen your understanding of the attack techniques and potential 
mitigations.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-03-powershell-reflection-load/","summary":"This analytic detects PowerShell scripts leveraging .NET reflection to load assemblies into memory, a technique commonly used by threat actors to bypass defenses and execute malicious code.","title":"PowerShell Loading .NET Assemblies via Reflection","url":"https://feed.craftedsignal.io/briefs/2024-01-03-powershell-reflection-load/"}],"language":"en","title":"CraftedSignal Threat Feed — Dotnet","version":"https://jsonfeed.org/version/1.1"}