CVE-2026-54772 in CoreWCFinfo

Summary

by MITRE • 07/09/2026

CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, an unauthenticated remote attacker that can reach a NetTcpBinding, NetNamedPipeBinding, or UnixDomainSocketBinding endpoint can trigger premature EOF handling in the CoreWCF net.tcp, net.pipe, or net.uds framing handshake and pin one server thread-pool worker at full CPU per connection. This issue is fixed in versions 1.8.1 and 1.9.1.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/09/2026

This vulnerability affects CoreWCF implementations running on .NET Core platforms where service endpoints are configured with NetTcpBinding, NetNamedPipeBinding, or UnixDomainSocketBinding. The flaw represents a denial of service condition that can be exploited by unauthenticated remote attackers who have network access to these specific binding endpoints. The vulnerability stems from improper handling of premature end-of-file conditions during the framing handshake process for these transport protocols.

The technical implementation flaw occurs within CoreWCF's transport layer handling mechanism where the system fails to properly validate or handle connection termination scenarios during the initial handshake phase. When an attacker establishes a connection to one of these binding endpoints and then abruptly terminates the connection before proper protocol negotiation completes, the system enters a state where it cannot properly clean up the connection resources. This results in a thread-pool worker being pinned at 100% CPU utilization for the duration of the connection attempt, effectively consuming system resources without making progress.

The operational impact of this vulnerability is significant for systems running CoreWCF services that expose these specific bindings to untrusted networks. An attacker can exhaust available thread pool workers by establishing multiple connections and then dropping them prematurely, leading to resource exhaustion and potential service disruption. This behavior aligns with CWE-400 weakness category related to resource exhaustion and demonstrates characteristics consistent with ATT&CK technique T1499.004 for network denial of service attacks targeting specific protocols.

The vulnerability specifically affects the framing handshake process that occurs before application-level communication begins, making it particularly effective as a resource exhaustion attack vector. The affected transport protocols net.tcp, net.pipe, and net.uds all share similar implementation patterns in CoreWCF's handling of connection lifecycle events, which explains why all three binding types are vulnerable. This represents a protocol-level flaw rather than an application-level issue, meaning that any service using these bindings is susceptible regardless of the specific application logic being implemented.

Mitigation strategies should focus on upgrading to versions 1.8.1 or 1.9.1 where the fix has been implemented. Organizations should also consider implementing connection rate limiting and monitoring for unusual connection patterns that might indicate exploitation attempts. Network-level firewalls can be configured to restrict access to these specific binding endpoints to trusted networks only, reducing the attack surface. Additionally, system administrators should monitor thread pool utilization and implement proper resource limits to prevent complete service exhaustion in case of successful exploitation attempts. The fix addresses the underlying race condition in connection handling that allowed the premature EOF conditions to cause thread starvation rather than simply closing the connection gracefully.

Responsible

GitHub M

Reservation

06/16/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!