Summary
CVE-2026-50528 is a Security Feature Bypass vulnerability (CWE-863: Incorrect Authorization) in the SslStream TLS/SSL implementation of Microsoft .NET, affecting .NET 8, .NET 9, and .NET 10. An unauthenticated remote attacker can exploit this flaw to bypass authorization checks performed during encrypted TLS communications, resulting in a high integrity impact. With a CVSS v3.1 base score of 8.2 (High), this vulnerability was patched by Microsoft on July 14, 2026 as part of the July 2026 Patch Tuesday release.
Technical details
- Root cause: Incorrect authorization handling in the
SslStreamimplementation (System.Net.Security) allows authorization logic to be bypassed during TLS/SSL connection processing. - Trigger conditions: The vulnerability can be triggered remotely by an unauthenticated attacker over the network with no user interaction required (AV:N/AC:L/PR:N/UI:N).
- Attack vector: Network-accessible; targets any internet-facing application built on vulnerable .NET runtime versions that processes TLS connections via
SslStream. - Impact: An attacker who successfully exploits this vulnerability can bypass security authorization controls, leading to unauthorized modification or access to data (Integrity: High, Confidentiality: Low, Availability: None). Self-contained deployments must be recompiled and redeployed against a patched runtime to be fully remediated.
Affected software
- .NET 8.0: versions 8.0.0 through 8.0.28
- .NET 9.0: versions 9.0.0 through 9.0.17
- .NET 10.0: versions 10.0.0 through 10.0.9
- Visual Studio 2022 and Visual Studio 2026: versions bundling the above affected .NET runtimes
Severity
CVSS v3.1 Base Score: 8.2 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
Mitigation and recommended actions
- Immediate – apply patches: Upgrade to the following fixed .NET runtime versions released July 14, 2026:
- .NET 8.0 → 8.0.29
- .NET 9.0 → 9.0.18
- .NET 10.0 → 10.0.10
- Applications using framework-dependent deployments should update their .NET runtime installation and restart affected services.
- Applications built as self-contained deployments must be recompiled against the patched SDK and redeployed.
- Visual Studio users should apply the corresponding Visual Studio 2022 / 2026 updates that bundle the fixed .NET SDK versions.
- No workarounds have been published by Microsoft; patching is the only confirmed remediation.
IONIX Status
The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

