CVE-2026-21218: .NET Spoofing Vulnerability

Overview

Severity

High (CVSS 7.5)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N/E:U/RL:O/RC:C

Category

Spoofing

Exploit Status

Not Exploited

Exploitation Likelihood

Unlikely

Patch Tuesday

2026-Feb

Released

2026-02-10

EPSS Score

0.04% (percentile: 13.3%)

Description

Improper handling of missing special element in .NET allows an unauthorized attacker to perform spoofing over a network.

FAQ

According to the CVSS metric, the privileges required is none (PR:N). What does that mean for this vulnerability? The score is based on no user account is needed to perform the attack. According to the CVSS metrics, successful exploitation of this vulnerability could lead to no loss of confidentiality (C:N) and availability (A:L), but could lead to major loss of integrity (I:H). What does that mean for this vulnerability? An attacker who successfully exploited this vulnerability could bypass critical-header validation and the service may accept a message it should reject.

Affected Products (9)

Developer Tools

• .NET 10.0 installed on Mac OS
• .NET 10.0 installed on Windows
• .NET 8.0 installed on Linux
• .NET 8.0 installed on Windows
• .NET 10.0 installed on Linux
• .NET 8.0 installed on Mac OS
• .NET 9.0 installed on Mac OS
• .NET 9.0 installed on Linux
• .NET 9.0 installed on Windows

Security Updates (3)

• 5077862
• 5077863
• 5077864

Acknowledgments

<a href="https://github.com/vcsjones">vcsjones</a> with GitHub

Revision History

• 2026-02-10: Information published.