CVE-2026-35433: .NET Elevation of Privilege Vulnerability

Overview

Severity

High (CVSS 7.3)

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L/E:U/RL:O/RC:C

Category

Elevation of Privilege

Exploit Status

Not Exploited

Exploitation Likelihood

Unlikely

Patch Tuesday

2026-May

Released

2026-05-12

Description

Improper input validation in .NET allows an unauthorized attacker to elevate privileges locally.

FAQ

What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? Exploitation of this vulnerability requires that a user trigger the payload in the application. According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H), and integrity (I:H), and some loss of availability (A:L). What does that mean for this vulnerability? An attacker who successfully exploited this vulnerability could view sensitive information (Confidentiality) and modify code in the repo, (Integrity), and they might be able to interfere with availability of the code (Availability).

Affected Products (3)

Developer Tools

• .NET 10.0 installed on Windows
• .NET 8.0 installed on Windows
• .NET 9.0 installed on Windows

Security Updates (3)

• 5093446
• 5093447
• 5093448

Acknowledgments

Ky0toFu

Revision History

• 2026-05-12: Information published.