-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ##################################################### ## N C S C ~ B E V E I L I G I N G S A D V I E S ## ##################################################### Titel : Kwetsbaarheden verholpen in Microsoft Developer tools Advisory ID : NCSC-2026-0114 Versie : 1.00 Kans : medium CVE ID : CVE-2026-23653, CVE-2026-23666, CVE-2026-26143, CVE-2026-26171, CVE-2026-32178, CVE-2026-32203, CVE-2026-32226, CVE-2026-33116 (Details over de kwetsbaarheden kunt u vinden op de Mitre website: https://cve.mitre.org/cve/) Schade : high Improper Neutralization of Special Elements used in a Command ('Command Injection') Improper Handling of Exceptional Conditions Uncontrolled Resource Consumption Improper Restriction of XML External Entity Reference Improper Neutralization of Special Elements Stack-based Buffer Overflow Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') Loop with Unreachable Exit Condition ('Infinite Loop') Improper Input Validation Uitgiftedatum : 20260414 Toepassing : Microsoft .NET 10.0 Microsoft .NET 10.0 installed on Linux Microsoft .NET 10.0 installed on Mac OS Microsoft .NET 10.0 installed on Windows Microsoft .NET 8.0 Microsoft .NET 8.0 installed on Linux Microsoft .NET 8.0 installed on Mac OS Microsoft .NET 8.0 installed on Windows Microsoft .NET 9.0 Microsoft .NET 9.0 installed on Linux Microsoft .NET 9.0 installed on Mac OS Microsoft .NET 9.0 installed on Windows Microsoft Microsoft .NET Framework 3.5 Microsoft Microsoft .NET Framework 3.5 AND 4.7.2 Microsoft Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for 32-bit Systems Microsoft Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for ARM64-based Systems Microsoft Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for x64-based Systems Microsoft Microsoft .NET Framework 3.5 AND 4.8 Microsoft Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for 32-bit Systems Microsoft Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for ARM64-based Systems Microsoft Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for x64-based Systems Microsoft Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for 32-bit Systems Microsoft Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for ARM64-based Systems Microsoft Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 21H2 for x64-based Systems Microsoft Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for 32-bit Systems Microsoft Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for ARM64-based Systems Microsoft Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 22H2 for x64-based Systems Microsoft Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022 Microsoft Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022 (Server Core installation) Microsoft Microsoft .NET Framework 3.5 AND 4.8 on Windows Server, version 20H2 (Server Core Installation) Microsoft Microsoft .NET Framework 3.5 AND 4.8.1 Microsoft Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for 32-bit Systems Microsoft Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for ARM64-based Systems Microsoft Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 21H2 for x64-based Systems Microsoft Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for 32-bit Systems Microsoft Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for ARM64-based Systems Microsoft Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 10 Version 22H2 for x64-based Systems Microsoft Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 22H2 for ARM64-based Systems Microsoft Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 22H2 for x64-based Systems Microsoft Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 23H2 for ARM64-based Systems Microsoft Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 23H2 for x64-based Systems Microsoft Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 24H2 for ARM64-based Systems Microsoft Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 24H2 for x64-based Systems Microsoft Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 25H2 for ARM systems Microsoft Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 25H2 for x64-based Systems Microsoft Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 26H1 for ARM64-based Systems Microsoft Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 Version 26H1 for x64-based Systems Microsoft Microsoft .NET Framework 3.5 AND 4.8.1 on Windows 11 version 26H1 for x64-based Systems Microsoft Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2022 Microsoft Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2022 (Server Core installation) Microsoft Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2022, 23H2 Edition (Server Core installation) Microsoft Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2025 Microsoft Microsoft .NET Framework 3.5 AND 4.8.1 on Windows Server 2025 (Server Core installation) Microsoft Microsoft .NET Framework 3.5 on Windows Server 2012 Microsoft Microsoft .NET Framework 3.5 on Windows Server 2012 (Server Core installation) Microsoft Microsoft .NET Framework 3.5 on Windows Server 2012 R2 Microsoft Microsoft .NET Framework 3.5 on Windows Server 2012 R2 (Server Core installation) Microsoft Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 Microsoft Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 Microsoft Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 (Server Core installation) Microsoft Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 Microsoft Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 (Server Core installation) Microsoft Microsoft .NET Framework 4.8 Microsoft Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for 32-bit Systems Microsoft Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for x64-based Systems Microsoft Microsoft .NET Framework 4.8 on Windows Server 2012 Microsoft Microsoft .NET Framework 4.8 on Windows Server 2012 (Server Core installation) Microsoft Microsoft .NET Framework 4.8 on Windows Server 2012 R2 Microsoft Microsoft .NET Framework 4.8 on Windows Server 2012 R2 (Server Core installation) Microsoft Microsoft Visual Studio 2022 version 17.12 Microsoft Microsoft Visual Studio 2022 version 17.14 Microsoft Microsoft Visual Studio Code CoPilot Chat Extension Microsoft PowerShell 7.4 Microsoft PowerShell 7.5 Versie(s) : Platform(s) : Beschrijving Microsoft heeft kwetsbaarheden verholpen in .NET, .NET Framework, Visual Studio en PowerShell. Een kwaadwillende kan de kwetsbaarheden misbruiken om aanvallen uit te voeren die kunnen leiden tot de volgende categorieën schade: - Denial-of-Service (DoS) - Toegang tot gevoelige gegevens - Omzeilen van een beveiligingsmaatregel - Spoofing ``` .NET, .NET Framework, Visual Studio: |----------------|------|-------------------------------------| | CVE-ID | CVSS | Impact | |----------------|------|-------------------------------------| | CVE-2026-33116 | 7,50 | Denial-of-Service | |----------------|------|-------------------------------------| Microsoft PowerShell: |----------------|------|-------------------------------------| | CVE-ID | CVSS | Impact | |----------------|------|-------------------------------------| | CVE-2026-26143 | 7,80 | Omzeilen van beveiligingsmaatregel | |----------------|------|-------------------------------------| GitHub Copilot and Visual Studio Code: |----------------|------|-------------------------------------| | CVE-ID | CVSS | Impact | |----------------|------|-------------------------------------| | CVE-2026-23653 | 5,70 | Toegang tot gevoelige gegevens | |----------------|------|-------------------------------------| .NET and Visual Studio: |----------------|------|-------------------------------------| | CVE-ID | CVSS | Impact | |----------------|------|-------------------------------------| | CVE-2026-32203 | 7,50 | Denial-of-Service | |----------------|------|-------------------------------------| .NET Framework: |----------------|------|-------------------------------------| | CVE-ID | CVSS | Impact | |----------------|------|-------------------------------------| | CVE-2026-32226 | 5,90 | Denial-of-Service | | CVE-2026-23666 | 7,50 | Denial-of-Service | |----------------|------|-------------------------------------| .NET: |----------------|------|-------------------------------------| | CVE-ID | CVSS | Impact | |----------------|------|-------------------------------------| | CVE-2026-32178 | 7,50 | Voordoen als andere gebruiker | | CVE-2026-26171 | 7,50 | Denial-of-Service | |----------------|------|-------------------------------------| ``` Mogelijke oplossingen Microsoft heeft updates beschikbaar gesteld waarmee de beschreven kwetsbaarheden worden verholpen. We raden u aan om deze updates te installeren. Meer informatie over de kwetsbaarheden, de installatie van de updates en eventuele work-arounds vindt u op: https://portal.msrc.microsoft.com/en-us/security-guidance Referenties: Vrijwaringsverklaring Door gebruik van deze security advisory gaat u akkoord met de navolgende voorwaarden. Ondanks dat het NCSC de grootst mogelijke zorg heeft betracht bij de samenstelling van dit beveiligingsadvies, kan het NCSC niet instaan voor de volledigheid, juistheid of (voortdurende) actualiteit van dit beveiligingsadvies. De informatie in dit beveiligingsadvies is uitsluitend bedoeld als algemene informatie voor professionele partijen. Aan de informatie in dit beveiligingsadvies kunnen geen rechten worden ontleend. Het NCSC en de Staat zijn niet aansprakelijk voor enige schade ten gevolge van het gebruik of de onmogelijkheid van het gebruik van dit beveiligingsadvies, waaronder begrepen schade ten gevolge van de onjuistheid of onvolledigheid van de informatie in dit beveiligingsadvies. Op dit beveiligingsadvies is Nederlands recht van toepassing. Alle geschillen in verband met en/of voortvloeiend uit dit beveiligingsadvies zullen worden voorgelegd aan de exclusief bevoegde rechter te Den Haag. Deze rechtskeuze geldt tevens voor de voorzieningenrechter in kort geding. -----BEGIN PGP SIGNATURE----- iQGzBAEBCgAdFiEEGSwziqblmmRNtImqgupWoL0ZhGEFAmnek8gACgkQgupWoL0Z hGFebQwApXj/BBV0lTz65/ZQHqP27mEDyvxqxF0mT1QHKU9DAa7SR6Ovo8KoGRDW feMtaBykPXdK/j/HqozdLr2LwKnYRePaG+yO4Q+XrMoI+DfcqTETrxJmWju45U99 T3qj/hSC2gyKWrM/6M9rrWvG483qscRBzazD5mihBLFMlPgiVUMstRkW1dPZQghn b+34ncxrR7JzKOw1uHoi87lpgiRPdsag4ba/TnFyHADk/2QRPh4KjEA39rreofy6 f2wy1kM+oHrDKb0Rc+8vvUccWT/at4QQWXWLdjf7o4v57zC9C9HWdVmW8fpfhGan bf7HpraQaXlIzCVX0bWjr/QX5EmoYKfCNkvE1JlieAycoAVVVnnYsu+Cfl57W+Ce MAtkQqCk+r+IaQMhD0TkgD9SbQkKHPqM9Z7zYlYYgBgHaqlyTOHgeCP5pyV3yW5b cnUhkK4/0zQAptis5Y3OOFFGHl+1BMqYWZefEnztLdKIzfqLjp8PNpLWSP0AO81m 5S6ciI0p =MAap -----END PGP SIGNATURE-----