Severity: High

.NET Windows Desktop Runtime Local Elevation of Privilege

Identifiers: CVE-2026-35433; CWE-20 (Improper Input Validation)

CVE-2026-35433 is a local elevation-of-privilege vulnerability in .NET affecting Windows Desktop runtime packages on Windows, including .NET 8.0, 9.0, and 10.0. The provided content attributes the flaw to improper input validation, with integer overflow or wraparound also referenced as an associated weakness. One description also characterizes the issue as a heap-based buffer overflow. Successful exploitation requires a user to trigger the payload in the vulnerable application, after which attacker-controlled code executes within the compromised process space. The resulting privileges are those of the victim process; if that process is running elevated, as a service, or under an administrative context, exploitation can yield Administrator or NT AUTHORITY\SYSTEM-level execution.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows a local, unauthorized attacker to elevate privileges and execute within the security context of the vulnerable application. In a standard user context, this can enable arbitrary code execution as that user, access to sensitive user data, persistence, and modification of user-accessible resources, but not immediate full-system compromise. Where the vulnerable application runs with elevated rights, as an administrative tool, via UAC elevation, or as a service, exploitation can result in Administrator or SYSTEM privileges. In that scenario, the attacker can achieve high confidentiality and integrity impact, low availability impact, tamper with security controls, make permanent system changes, and potentially fully compromise the host.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by limiting execution of vulnerable .NET Windows Desktop applications to trusted local users, avoiding operation of affected applications with elevated privileges unless strictly necessary, and restricting use of administrative tools or services built on affected runtimes. Prioritize patching systems where vulnerable applications run as services, under UAC elevation, or with administrative rights. Ensure only supported .NET runtime and SDK versions are installed, and redeploy self-contained applications after rebuilding against fixed versions.

Remediation

Patch, then assume compromise.

Apply Microsoft's official security updates for affected .NET versions. The provided advisory content specifies upgrading Windows Desktop runtime packages to the patched releases: Microsoft.WindowsDesktop.App.Runtime.win-arm64/win-x64/win-x86 version 8.0.27 for .NET 8, 9.0.16 for .NET 9, and 10.0.8 for .NET 10. Update installed .NET runtimes and SDKs, update Visual Studio where applicable so bundled SDKs are refreshed, and update any direct package references to the fixed versions. For self-contained deployments, recompile and redeploy the application against the patched runtime. Restart affected applications after updating.
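
To check a host against the fixed versions listed above, the following added example (not code from Microsoft or from this page) parses the output of `dotnet --list-runtimes` and classifies each Windows Desktop runtime entry. It assumes the shared framework appears under the name `Microsoft.WindowsDesktop.App` with the same version number as the runtime package; the sample listing and the `audit_runtimes` helper are constructed for illustration.

```python
import re

# Fixed Microsoft.WindowsDesktop.App.Runtime versions, as listed on this page.
FIXED = {8: (8, 0, 27), 9: (9, 0, 16), 10: (10, 0, 8)}

# One `dotnet --list-runtimes` line: "<name> <version>[-prerelease] [<install path>]"
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ver>\d+\.\d+\.\d+)(?P<pre>-\S+)?\s+\[(?P<path>.*)\]\s*$"
)


def audit_runtimes(listing):
    """Return (version, path, status) for each Microsoft.WindowsDesktop.App entry."""
    results = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["name"] != "Microsoft.WindowsDesktop.App":
            continue  # other shared frameworks are outside this check
        ver = tuple(int(p) for p in m["ver"].split("."))
        fixed = FIXED.get(ver[0])
        if fixed is None:
            status = "NOT_LISTED"    # major version absent from the page's fix list
        elif ver < fixed or (ver == fixed and m["pre"]):
            status = "NEEDS_UPDATE"  # a prerelease of the fixed number sorts below it
        else:
            status = "PATCHED"
        results.append((m["ver"] + (m["pre"] or ""), m["path"], status))
    return results


# Constructed sample output (not captured from a real host).
SAMPLE = r"""
Microsoft.AspNetCore.App 8.0.27 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.NETCore.App 8.0.11 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.WindowsDesktop.App 6.0.36 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 8.0.11 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 8.0.27 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 9.0.16 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 10.0.0-rc.1.25451.107 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
"""

if __name__ == "__main__":
    for version, path, status in audit_runtimes(SAMPLE):
        print(f"{status:12} {version:24} {path}")
```

This covers only runtimes installed machine-wide or per-user and reported by the `dotnet` host. Self-contained applications carry their own copy of the runtime and must be rebuilt and redeployed as described above.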
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor | Product | Type
Microsoft Corporation | Net | application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
