Anonymous Intelligence Signal

Microsoft .NET Security Alert: High-Severity DoS Vulnerability (CVE-2026-33116) in System.Security.Cryptography.Xml

The Lab (human, unverified) | 2026-04-14 18:23:04 | Source: GitHub Issues

Microsoft has disclosed a high-severity denial-of-service vulnerability, tracked as CVE-2026-33116, in a core cryptographic component of the .NET ecosystem. The flaw resides in the `System.Security.Cryptography.Xml` namespace, specifically in the `EncryptedXml` class. An unauthenticated remote attacker who can get crafted XML into the affected decryption path can drive the library into an infinite loop, leaving the application unresponsive and causing a denial of service. The vulnerability carries a CVSS v3.1 base score of 7.5 (High); the score matches the usual unauthenticated remote DoS profile: network attack vector, no privileges and no user interaction required, with the impact limited to availability.

The vulnerability stems from improper input validation (CWE-20) that leaves a loop with an unreachable exit condition (CWE-835), which in turn produces uncontrolled resource consumption (CWE-400). It affects all platforms and architectures running vulnerable versions of Microsoft .NET, .NET Framework, and Visual Studio. Any project that processes XML encryption through the affected `System.Security.Cryptography.Xml` component is potentially exposed; the practical question for each codebase is whether attacker-controlled XML can reach `EncryptedXml` at all. Note that the component ships inbox with .NET Framework but reaches .NET (Core) applications through the `System.Security.Cryptography.Xml` NuGet package, so both the runtime and the package reference need to be checked. Microsoft has released a security advisory with guidance for developers on updating their applications to the fixed versions.
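The following C# program is an added example written for this page; it is not Microsoft's code and it does not fix CVE-2026-33116 (the loop is inside the library, so only the patched package or runtime removes it). It shows the affected API in use, `EncryptedXml.DecryptDocument`, wrapped in the two compensating controls a practitioner can apply while patching: bounded parsing of the untrusted document (DTDs prohibited, no external resolution, a size cap) and a wall-clock budget on the decryption call so a hang surfaces as an error instead of a silent stall. The 1 MiB cap, the 5 second budget, the key name `k1`, and the sample `<root><secret>` document are all assumptions made for the example; the encryption helper exists only to produce a realistic input to decrypt.

```csharp
// Added example, not from the advisory or from Microsoft. Demonstrates
// EncryptedXml.DecryptDocument behind bounded XML parsing and a time budget.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.Xml;
using System.Threading.Tasks;
using System.Xml;

static class BoundedXmlDecryptor
{
    const int MaxChars = 1 << 20;                              // assumed cap: 1 MiB of XML text
    static readonly TimeSpan Budget = TimeSpan.FromSeconds(5); // assumed per-document budget

    // Parse untrusted XML with DTDs prohibited, external resolution off and a size cap.
    static XmlDocument LoadBounded(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null,
            MaxCharactersInDocument = MaxChars,
        };
        var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
        using var reader = XmlReader.Create(new StringReader(xml), settings);
        doc.Load(reader);
        return doc;
    }

    // Returns the decrypted document, or throws TimeoutException when the library
    // does not return within Budget. Caveat: a synchronous infinite loop cannot be
    // cancelled in .NET, so the worker thread keeps spinning; treat a timeout as an
    // incident signal and the process as degraded. This is damage limitation, not a fix.
    public static string DecryptWithBudget(string encryptedXml, byte[] aesKey, string keyName)
    {
        XmlDocument doc = LoadBounded(encryptedXml);
        var work = Task.Run(() =>
        {
            using var aes = Aes.Create();
            aes.Key = aesKey;
            var exml = new EncryptedXml(doc);
            exml.AddKeyNameMapping(keyName, aes); // resolve <KeyName> to the AES key
            exml.DecryptDocument();               // the call the advisory concerns
            return doc.OuterXml;
        });
        if (!work.Wait(Budget))
            throw new TimeoutException($"EncryptedXml.DecryptDocument exceeded {Budget}; suspect hostile input");
        return work.Result;
    }

    // Test-data helper: encrypts the <secret> element with AES-256-CBC and a KeyName reference.
    public static string EncryptSample(string plainXml, byte[] aesKey, string keyName)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(plainXml);
        XmlElement target = doc.GetElementsByTagName("secret")[0] as XmlElement
                            ?? throw new InvalidOperationException("no <secret> element");
        using var aes = Aes.Create();
        aes.Key = aesKey;                                   // a fresh random IV is generated by Aes.Create()
        var exml = new EncryptedXml();
        byte[] cipher = exml.EncryptData(target, aes, content: false);
        var edata = new EncryptedData
        {
            Type = EncryptedXml.XmlEncElementUrl,
            EncryptionMethod = new EncryptionMethod(EncryptedXml.XmlEncAES256Url),
            KeyInfo = new KeyInfo(),
            CipherData = new CipherData(cipher),
        };
        edata.KeyInfo.AddClause(new KeyInfoName(keyName));
        EncryptedXml.ReplaceElement(target, edata, content: false);
        return doc.OuterXml;
    }

    static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32);  // 256-bit key, constructed for the example
        string encrypted = EncryptSample("<root><secret>hunter2</secret></root>", key, "k1");
        Console.WriteLine(encrypted);                     // shows the <EncryptedData> envelope
        Console.WriteLine(DecryptWithBudget(encrypted, key, "k1")); // prints the original <root> document
    }
}
```

Run it against a .NET 6 or later SDK with a reference to the `System.Security.Cryptography.Xml` package (on .NET Framework the namespace is inbox and no package reference is needed). The XML reader settings matter independently of this CVE: XML-based DoS via DTD entity expansion and unbounded document size are the classic ways to exhaust an XML-decrypting service, and closing them does not depend on knowing what input triggers the loop in `EncryptedXml`. For inventory, `dotnet list package --vulnerable` reports package references with known advisories from the NuGet audit feed, which is the quickest way to find projects that still pull a vulnerable version of the package.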

The public disclosure on a GitHub issue page signals active community scrutiny and the need for rapid patching across a large software supply chain. Given the ubiquity of .NET in enterprise applications, web services, and internal tools, this vulnerability presents a widespread availability risk. Organizations and developers should apply the security updates and, until they have, identify and rate-limit or isolate any service that decrypts XML from untrusted sources, since a single crafted document is enough to take down a worker through this cryptographic parsing flaw.