highCVE-2026-54772

CoreWCF Net Framing Premature EOF CPU Denial of Service Vulnerability

CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, an unauthenticated remote attacker that can reach a NetTcpBinding, NetNamedPipeBinding, or UnixDomainSocketBinding endpoint can trigger premature EOF handling in the CoreWCF net.tcp, net.pipe, or net.uds framing handshake and pin one server thread-pool worker at full CPU per connection. This issue is fixed in versions 1.8.1 and 1.9.1.

ProductCoreWCF
CVSS7.5
EPSS0.00476
UpdatedJuly 10, 2026

Quick answer

CoreWCF Project CoreWCF should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.

Who is affected

Affected versions

  • CoreWCF before 1.8.1
  • CoreWCF 1.9.0 before 1.9.1

Fixed versions

  • 1.8.1
  • 1.9.1

How to fix it

CoreWCF before 1.8.1 and 1.9.1 can consume CPU on net.tcp, net.pipe, or Unix Domain Socket framing handshakes after premature EOF handling. Update CoreWCF and add connection limits around affected endpoints.

  1. Inventory CoreWCF services exposing NetTcpBinding, NetNamedPipeBinding, or UnixDomainSocketBinding endpoints.
  2. Upgrade all CoreWCF packages to 1.8.1, 1.9.1, or later.
  3. Place network-exposed net.tcp endpoints behind trusted network controls or application gateways.
  4. Apply connection rate limits, idle timeouts, and process supervision for affected services.
  5. Monitor CPU, thread-pool exhaustion, connection counts, and service restarts during rollout.
  6. Review logs for repeated incomplete framing handshakes or premature EOF patterns.
  7. Restart services after patching and confirm old assemblies are no longer loaded.

Scan now. Google sign-in is only needed to unlock fix guidance.

Verify the fix

  • Confirm patched CoreWCF packages are deployed.
  • Run a safe malformed handshake test and confirm it does not pin CPU.
  • Verify connection limits and timeouts are active.
  • Review CPU and thread-pool metrics after deployment.
  • Run a Fixnx scan and confirm no unintended CoreWCF endpoints are public.

Related categories

Trusted references

FAQ

What is affected by CVE-2026-54772?

CoreWCF Project CoreWCF versions listed as affected should be reviewed: CoreWCF before 1.8.1, CoreWCF 1.9.0 before 1.9.1.

What should I fix first?

Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.

How do I confirm the fix worked?

Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.

Why can this risk appear in multiple categories?

A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.