.NET vulnerabilities: known CVEs & security history
Microsoft · Web / Runtime · 87 tracked CVEs · 2 actively exploited · updated June 2026 · what is a CVE? →
This is the full list of known vulnerabilities (CVEs) across all .NET release lines — 87 in total, with 2 actively exploited in the wild. A CVE here doesn't mean your version is affected — check .NET's current status and the safe version to run.
Known .NET CVEs
Actively-exploited and most-severe first. Showing the top 80 of 87. Open any CVE for full details.
| CVE | Severity | CVSS | EPSS | Year |
|---|---|---|---|---|
| CVE-2023-44487⚡ exploited | high | 7.5 | 100% | 2023 |
| CVE-2023-38180⚡ exploited | high | 7.5 | 16% | 2023 |
| CVE-2024-43498 | critical | 9.8 | 4% | 2024 |
| CVE-2024-0057 | critical | 9.1 | 3% | 2024 |
| CVE-2025-21176 | high | 8.8 | 2% | 2025 |
| CVE-2024-0056 | high | 8.7 | 1% | 2024 |
| CVE-2023-36038 | high | 8.2 | 3% | 2023 |
| CVE-2024-38229 | high | 8.1 | 2% | 2024 |
| CVE-2024-35264 | high | 8.1 | 3% | 2024 |
| CVE-2023-33170 | high | 8.1 | 2% | 2023 |
| CVE-2023-33127 | high | 8.1 | 2% | 2023 |
| CVE-2021-26701 | high | 8.1 | 30% | 2021 |
| CVE-2021-24112 | high | 8.1 | 3% | 2021 |
| CVE-2025-26646 | high | 8 | 1% | 2025 |
| CVE-2026-45490 | high | 7.8 | 0% | 2026 |
| CVE-2026-26131 | high | 7.8 | 0% | 2026 |
| CVE-2023-36796 | high | 7.8 | 1% | 2023 |
| CVE-2023-36794 | high | 7.8 | 1% | 2023 |
| CVE-2023-36793 | high | 7.8 | 1% | 2023 |
| CVE-2023-36792 | high | 7.8 | 1% | 2023 |
| CVE-2023-35390 | high | 7.8 | 2% | 2023 |
| CVE-2023-24897 | high | 7.8 | 1% | 2023 |
| CVE-2023-24895 | high | 7.8 | 1% | 2023 |
| CVE-2023-28260 | high | 7.8 | 2% | 2023 |
| CVE-2023-21808 | high | 7.8 | 1% | 2023 |
| CVE-2022-41032 | high | 7.8 | 1% | 2022 |
| CVE-2023-36049 | high | 7.6 | 13% | 2023 |
| CVE-2026-42899 | high | 7.5 | 1% | 2026 |
| CVE-2026-33116 | high | 7.5 | 1% | 2026 |
| CVE-2026-32203 | high | 7.5 | 1% | 2026 |
| CVE-2026-32178 | high | 7.5 | 1% | 2026 |
| CVE-2026-26171 | high | 7.5 | 1% | 2026 |
| CVE-2026-25667 | high | 7.5 | 3% | 2026 |
| CVE-2026-26127 | high | 7.5 | 2% | 2026 |
| CVE-2026-21218 | high | 7.5 | 1% | 2026 |
| CVE-2025-30399 | high | 7.5 | 1% | 2025 |
| CVE-2025-21172 | high | 7.5 | 2% | 2025 |
| CVE-2025-21171 | high | 7.5 | 2% | 2025 |
| CVE-2024-43499 | high | 7.5 | 3% | 2024 |
| CVE-2024-43485 | high | 7.5 | 3% | 2024 |
| CVE-2024-43484 | high | 7.5 | 3% | 2024 |
| CVE-2024-43483 | high | 7.5 | 3% | 2024 |
| CVE-2024-38168 | high | 7.5 | 3% | 2024 |
| CVE-2024-38095 | high | 7.5 | 3% | 2024 |
| CVE-2024-30105 | high | 7.5 | 3% | 2024 |
| CVE-2024-26190 | high | 7.5 | 3% | 2024 |
| CVE-2024-21392 | high | 7.5 | 3% | 2024 |
| CVE-2024-20672 | high | 7.5 | 3% | 2024 |
| CVE-2023-38171 | high | 7.5 | 69% | 2023 |
| CVE-2023-36435 | high | 7.5 | 5% | 2023 |
| CVE-2023-38178 | high | 7.5 | 3% | 2023 |
| CVE-2023-29331 | high | 7.5 | 3% | 2023 |
| CVE-2023-24936 | high | 7.5 | 2% | 2023 |
| CVE-2023-21538 | high | 7.5 | 3% | 2023 |
| CVE-2022-38013 | high | 7.5 | 3% | 2022 |
| CVE-2022-29145 | high | 7.5 | 5% | 2022 |
| CVE-2022-29117 | high | 7.5 | 5% | 2022 |
| CVE-2022-23267 | high | 7.5 | 5% | 2022 |
| CVE-2022-24464 | high | 7.5 | 3% | 2022 |
| CVE-2022-21986 | high | 7.5 | 3% | 2022 |
| CVE-2021-26423 | high | 7.5 | 4% | 2021 |
| CVE-2020-1108 | high | 7.5 | 12% | 2020 |
| CVE-2025-55247 | high | 7.3 | 1% | 2025 |
| CVE-2025-21173 | high | 7.3 | 1% | 2025 |
| CVE-2024-38081 | high | 7.3 | 1% | 2024 |
| CVE-2024-21409 | high | 7.3 | 3% | 2024 |
| CVE-2023-33135 | high | 7.3 | 1% | 2023 |
| CVE-2023-33128 | high | 7.3 | 1% | 2023 |
| CVE-2023-33126 | high | 7.3 | 1% | 2023 |
| CVE-2021-31204 | high | 7.3 | 1% | 2021 |
| CVE-2024-21319 | medium | 6.8 | 3% | 2024 |
| CVE-2024-38167 | medium | 6.5 | 1% | 2024 |
| CVE-2023-36799 | medium | 6.5 | 5% | 2023 |
| CVE-2023-32032 | medium | 6.5 | 1% | 2023 |
| CVE-2021-1721 | medium | 6.5 | 3% | 2021 |
| CVE-2024-30045 | medium | 6.3 | 1% | 2024 |
| CVE-2022-24512 | medium | 6.3 | 2% | 2022 |
| CVE-2023-36558 | medium | 6.2 | 1% | 2023 |
| CVE-2023-35391 | medium | 6.2 | 2% | 2023 |
| CVE-2024-30046 | medium | 5.9 | 2% | 2024 |
7 older / lower-severity CVEs not shown — see .NET's full record.
Is my .NET version affected?
The list above spans every release. To know whether your version is affected — and the minimum safe version to upgrade to — check it directly.
Check your .NET version → · Monitor .NET for new CVEs →
.NET vulnerabilities — frequently asked
How many known vulnerabilities does .NET have?
IsItPatched tracks 87 CVEs for .NET, 2 of which are actively exploited (CISA KEV). 2 are critical-severity and 68 high-severity. These span every release line — what matters is whether the version you run is affected.
Does .NET have any actively-exploited vulnerabilities?
Yes — 2 .NET CVEs are in CISA's Known Exploited Vulnerabilities catalog, meaning they are confirmed exploited in the wild. Patch these as a priority.
What is the most severe .NET vulnerability?
Among tracked issues, CVE-2023-44487 (HIGH, CVSS 7.5), which is actively exploited, ranks highest — a Uncontrolled resource consumption weakness.
Is .NET safe to use?
It depends on the version. The latest supported .NET release (10.0.9) clears the known issues; older versions may still be affected. Check the exact version you run for a verdict.
CVE data aggregated from NVD, CISA KEV and EPSS (FIRST.org). Related: .NET security status · .NET end-of-life · actively-exploited CVEs. Always verify against Microsoft's advisories — see our disclaimer.