CVE-2026-32175
EUVD-2026-2957112.05.2026, 18:16
A tampering vulnerability exists when .NET Core improperly handles specially crafted files. An attacker who successfully exploited this vulnerability could write arbitrary files and directories to certain locations on a vulnerable system. However, an attacker would have limited control over the destination of the files and directories. To exploit the vulnerability, an attacker must send a specially crafted file to a vulnerable system. The security update fixes the vulnerability by ensuring .NET Core properly handles files.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| microsoft | visual_studio_2022 | 17.12.0 ≤ 𝑥 < 17.12.20 |
| microsoft | visual_studio_2022 | 17.14.0 ≤ 𝑥 < 17.14.32 |
| microsoft | visual_studio_2026 | 18.5.0 ≤ 𝑥 < 18.5.3 |
| microsoft | .net | 8.0.0 ≤ 𝑥 < 8.0.27 |
| microsoft | .net | 9.0.0 ≤ 𝑥 < 9.0.16 |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
- CWE-36 - Absolute Path TraversalThe software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.