Home

Description

CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. Prior to 1.8.1 and 1.9.1, CoreWCF UnixDomainSocket POSIX peer identity resolution uses non-reentrant getpwuid and getgrgid calls, allowing concurrent connections to attribute one connection's identity to another or crash the host process under contention. This issue is fixed in versions 1.8.1 and 1.9.1.

PUBLISHED Reserved 2026-06-15 | Published 2026-07-08 | Updated 2026-07-08 | Assigner GitHub_M




MEDIUM: 6.2CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H

Problem types

CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CWE-825: Expired Pointer Dereference

Product status

>= 1.9.0, < 1.9.1
affected

< 1.8.1
affected

References

github.com/...oreWCF/security/advisories/GHSA-q6v9-43v5-jv9q

github.com/...ommit/a3d95ea4627b818995e92c7def4c016164cacfce

github.com/...ommit/b0acb105589b455a095ea5ff49f5191e4eeff791

github.com/...ommit/b4867547c94bb088568935d581a55dda18a621e1

github.com/CoreWCF/CoreWCF/releases/tag/v1.8.1

github.com/CoreWCF/CoreWCF/releases/tag/v1.9.1

cve.org (CVE-2026-54778)

nvd.nist.gov (CVE-2026-54778)

Download JSON