CVE-2026-54775 in CoreWCFinfo

Summary

by MITRE • 07/09/2026

CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, a CoreWCF service listening on a Kafka topic stops processing new records from that topic when KafkaTransportPump receives a null-value tombstone record, causing a persistent endpoint denial of service for attackers with produce permission. This issue is fixed in versions 1.8.1 and 1.9.1.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/09/2026

The vulnerability affects CoreWCF services that utilize Kafka as a transport mechanism, specifically when these services listen on Kafka topics for incoming messages. This represents a significant operational risk as the service becomes unresponsive to legitimate traffic while remaining otherwise functional. The flaw manifests when the KafkaTransportPump component encounters a tombstone record with a null value, causing the entire processing pipeline to halt indefinitely.

This vulnerability constitutes a denial of service condition that directly impacts the availability of the affected service endpoints. The issue occurs because the KafkaTransportPump implementation lacks proper handling for tombstone records in its message processing loop. When a null-value tombstone record is received, the pump enters an unrecoverable state where it ceases to process any additional records from the topic. This behavior creates a persistent denial of service condition that persists until the service is manually restarted or the problematic topic is reconfigured.

The technical root cause lies in the absence of proper null value validation within the Kafka transport pump's message consumption logic. According to CWE-457, this represents a use of uninitialized or improperly handled data, specifically when the system fails to account for tombstone records that are legitimate but contain null values. The vulnerability demonstrates poor error handling practices where the system does not gracefully handle edge cases in the message stream, leading to complete service paralysis rather than simply dropping problematic messages.

From an operational perspective, this vulnerability creates a particularly dangerous scenario for attackers who possess produce permissions on the affected Kafka topics. These malicious actors can easily trigger the denial of service by simply publishing a tombstone record with a null value to the topic being monitored by the CoreWCF service. The attack requires minimal privileges and provides maximum impact, making it an attractive vector for service disruption attacks.

The mitigation strategy involves upgrading to CoreWCF versions 1.8.1 or 1.9.1 where the issue has been resolved through improved error handling in the KafkaTransportPump component. Organizations should also implement monitoring solutions that can detect unusual patterns in topic consumption and alert on potential tombstone record processing issues. Additionally, network segmentation and access control measures should be implemented to limit which entities can produce to critical service topics.

This vulnerability aligns with ATT&CK technique T1499.004 for network denial of service attacks, specifically targeting the availability aspect of the service. The attack vector demonstrates how seemingly benign Kafka features like tombstone records can be weaponized to create persistent service disruption conditions. Security teams should also consider implementing defensive measures such as message filtering at the topic level or additional validation layers before messages reach the CoreWCF transport pump components.

The fix implemented in versions 1.8.1 and 1.9.1 addresses the core issue by adding proper null value handling to the KafkaTransportPump logic, ensuring that tombstone records with null values do not cause the processing loop to terminate. This represents a critical improvement in system resilience and demonstrates the importance of comprehensive error handling in distributed messaging systems where external inputs can potentially cause service-wide failures. Organizations should prioritize this upgrade across all affected CoreWCF deployments to prevent exploitation of this persistent denial of service vulnerability.

Responsible

GitHub M

Reservation

06/16/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!