Microsoft ASP.NET Core Runtime Race Condition Vulnerability Leading to Remote Code Execution

Vulnerability

A use-after-free vulnerability has been identified in Microsoft ASP.NET Core Runtime versions 6.0.0 up to but not including 6.0.36, 8.0.0 up to but not including 8.0.8, and 9.0.0-preview.1.24081.5 up to but not including 9.0.0.RC.1. It arises from a race condition when an HTTP/3 stream is closed while the application is writing to the response body, and exploitation can result in remote code execution. Self-contained applications deployed on any of the affected versions are also vulnerable and need to be recompiled and redeployed.

Impact

Exploitation of this vulnerability leads to remote code execution on the server where the vulnerable ASP.NET application is running.

Remediation

Users can upgrade to ASP.NET Core Runtime versions 8.0.10 or 9.0.0.RC2. For applications using .NET 6.0, consider leveraging a commercial support partner like HeroDevs for post-EOL security support.
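To find hosts that still run an affected shared runtime, the following added example (not code from Microsoft or from this page) checks the output of `dotnet --list-runtimes` against the affected ranges listed under Vulnerability. It assumes the page's "9.0.0.RC.1" corresponds to the runtime's own version form "9.0.0-rc.1"; the sample listing is constructed.

```python
import re

# Affected ranges from the advisory: (first affected, first fixed), upper bound exclusive.
# Assumption: the page's "9.0.0.RC.1" is written in the runtime's own form, "9.0.0-rc.1".
AFFECTED = [
    ("6.0.0", "6.0.36"),
    ("8.0.0", "8.0.8"),
    ("9.0.0-preview.1.24081.5", "9.0.0-rc.1"),
]

# Only the ASP.NET Core shared framework is relevant; other runtimes are skipped.
RUNTIME_LINE = re.compile(r"^Microsoft\.AspNetCore\.App\s+(\S+)\s+\[(.+)\]$")

def version_key(version):
    """Sortable key with SemVer-style ordering: prereleases sort below their release."""
    core, _, pre = version.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    if not pre:
        return nums, (1,)
    # Numeric identifiers compare as numbers and sort below alphanumeric ones.
    ids = tuple((0, int(p)) if p.isdigit() else (1, p.lower()) for p in pre.split("."))
    return nums, (0,) + ids

def is_affected(version):
    key = version_key(version)
    return any(version_key(lo) <= key < version_key(hi) for lo, hi in AFFECTED)

def affected_runtimes(listing):
    """Return (version, install_path) for each affected ASP.NET Core shared runtime."""
    hits = []
    for line in listing.splitlines():
        m = RUNTIME_LINE.match(line.strip())
        if m and is_affected(m.group(1)):
            hits.append((m.group(1), m.group(2)))
    return hits

# Constructed sample in the format printed by `dotnet --list-runtimes`.
SAMPLE = """\
Microsoft.AspNetCore.App 6.0.35 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.8 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 9.0.0-preview.7.24406.2 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 9.0.0-rc.1.24452.1 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 8.0.7 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""

if __name__ == "__main__":
    for ver, path in affected_runtimes(SAMPLE):
        print(f"AFFECTED  Microsoft.AspNetCore.App {ver}  {path}")
```

Self-contained applications bundle their own copy of the runtime and do not appear in this listing, so the recompile-and-redeploy requirement above has to be tracked for them separately.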

Added: Sep 8, 2025, 2:18 PM
Updated: Sep 8, 2025, 4:40 PM

Vulnerability Rating

Custom Algorithm

spread: 7.6
impact: 10.0
exploitability: 6.4
remediation: 7.7
relevance: 0.5
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.