Back to overview

CVE-2026-54777

MEDIUM
6.5
CVSS 3.1
Description
CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, CoreWCF NetNamedPipe transport accepts attachment to a pre-existing named pipe instance, allowing local interception of NetNamedPipe traffic when an attacker races NamedPipeListener startup between shared memory GUID publication and service named pipe creation. This issue is fixed in versions 1.8.1 and 1.9.1.

Metadata

CVE ID
CVE-2026-54777
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-15 23:23 UTC
Published
2026-07-08 22:01 UTC
Last updated
2026-07-09 12:57 UTC
Primary CWE
CWE-367
CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
Vendor / Product
CoreWCF / CoreWCF
Sources
cve.org  ·  NVD

Severity & Metrics

6.5 MEDIUM CVSS 3.1
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
total
Affected products (1)
VendorProductPlatformVersions
CoreWCF CoreWCF >= 1.9.0, < 1.9.1, < 1.8.1
Weakness (CWE)
CWESourceDescription
CWE-367 cna CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
CWE-665 cna CWE-665: Improper Initialization
CVSS scores (1)
ScoreSeverityVersionSourceVector
6.5 MEDIUM 3.1 cna CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
References (5)
Back to overview