Time-of-check Time-of-use (TOCTOU) Race Condition Affecting corewcf.netnamedpipe package, versions [1.4.0-preview1,1.8.1)[1.9.0, 1.9.1)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-DOTNET-COREWCFNETNAMEDPIPE-17398212
- published22 Jun 2026
- disclosed19 Jun 2026
- creditUnknown
Introduced: 19 Jun 2026
NewCVE-2026-54777 (opens in a new tab)How to fix?
Upgrade CoreWCF.NetNamedPipe to version 1.8.1, 1.9.1 or higher.
Overview
CoreWCF.NetNamedPipe is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. The goal of this project is to enable existing WCF services to move to .NET Core.
Affected versions of this package are vulnerable to Time-of-check Time-of-use (TOCTOU) Race Condition via the NamedPipeListener startup path in CoreWCF.Channels. An attacker can force the listener to attach to an existing pipe instance and disrupt service startup by creating the published pipe name before the accept pump creates its first server pipe. The listener publishes its randomly chosen pipe name in shared memory before it creates the pipe instance, so any local process that can read that name can race to claim it first. When that happens, the service does not start cleanly and may connect to a foreign pipe namespace instead of its intended endpoint.
Notes
- Affects deployments where the named-pipe endpoint name is published into the shared-memory location that local clients use to discover it; the race only matters if another local process can read that published name before the server creates its first pipe instance.
- On collision, the listener can bind to an already-existing pipe instance instead of treating the name as unavailable, which can redirect the service startup path into a foreign pipe namespace rather than just failing to bind.