Microsoft .NET Kestrel Excessive CPU Consumption Vulnerability via Crafted QUIC Packets
Vulnerability
A denial-of-service vulnerability has been identified in ASP.NET Core Kestrel, affecting Microsoft .NET 8.0 versions prior to 8.0.22 and .NET 9.0 versions prior to 9.0.11. It allows a remote attacker to drive the server's CPU to saturation by sending specially crafted QUIC packets to an endpoint on which HTTP/3 is enabled. The root cause is an incorrect exit condition in Kestrel's processing of the HTTP/3 (QPACK) encoder and decoder streams: when one of these streams is finished without carrying any data, the processing loop does not terminate and spins at full CPU, starving the rest of the server.
Impact
Exploitation drives the server to 100% CPU usage, leaving it unable to serve legitimate clients. A single crafted frame is enough to trigger the condition, and an attacker can sustain it indefinitely by resending it.
Reproduction
To reproduce this vulnerability, establish a QUIC connection to the Kestrel server. Once the connection is active, send a QUIC STREAM frame with the FIN bit set to 1 and an empty payload on the QPACK encoder stream. This single malicious frame spikes CPU usage to 100%. Repeating it, for example once per second, keeps the server pinned at high CPU and unresponsive. The target endpoint must be listening for HTTP/3; Kestrel only does so when its listen options explicitly include HttpProtocols.Http3, so an endpoint serving only HTTP/1.1 or HTTP/2 is not reachable by this vector.
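The frame the reproduction describes, as an added example that is not part of this advisory or of the .NET/Kestrel code base: a small encoder/decoder for the QUIC STREAM frame (RFC 9000 §19.8) and an audit that replays decrypted STREAM frames of one connection and flags a FIN on a QPACK encoder, QPACK decoder or HTTP/3 control stream. The sample frames are constructed here; the assumption that the client first sends the QPACK encoder stream type byte (0x02) on a unidirectional stream and then closes that stream with an empty FIN frame is ours, since the advisory only says the payload is empty encoder data.

```python
# Added example: QUIC STREAM frame codec (RFC 9000 §19.8) plus a check that flags a
# frame closing (FIN) a QPACK encoder/decoder or HTTP/3 control stream, which is the
# shape of the packet the reproduction describes. Illustrative code written for this
# page, not Kestrel's or msquic's code.
from dataclasses import dataclass

# Unidirectional stream types (first byte of the stream payload).
H3_CONTROL_STREAM = 0x00      # RFC 9114 §6.2.1
QPACK_ENCODER_STREAM = 0x02   # RFC 9204 §4.2
QPACK_DECODER_STREAM = 0x03   # RFC 9204 §4.2
CRITICAL_STREAM_TYPES = {
    H3_CONTROL_STREAM: "HTTP/3 control",
    QPACK_ENCODER_STREAM: "QPACK encoder",
    QPACK_DECODER_STREAM: "QPACK decoder",
}

# STREAM frame type is 0x08 with three flag bits (RFC 9000 §19.8).
STREAM_BASE, FLAG_OFF, FLAG_LEN, FLAG_FIN = 0x08, 0x04, 0x02, 0x01


def encode_varint(v: int) -> bytes:
    """QUIC variable-length integer (RFC 9000 §16); the 2 prefix bits give the width."""
    if v < 0x40:
        return bytes([v])
    if v < 0x4000:
        return (0x4000 | v).to_bytes(2, "big")
    if v < 0x40000000:
        return (0x80000000 | v).to_bytes(4, "big")
    if v < 0x4000000000000000:
        return (0xC000000000000000 | v).to_bytes(8, "big")
    raise ValueError("value does not fit a QUIC varint")


def decode_varint(buf: bytes, pos: int) -> tuple[int, int]:
    width = 1 << (buf[pos] >> 6)
    value = buf[pos] & 0x3F
    for i in range(1, width):
        value = (value << 8) | buf[pos + i]
    return value, pos + width


@dataclass
class StreamFrame:
    stream_id: int
    data: bytes = b""
    offset: int = 0
    fin: bool = False


def encode_stream_frame(f: StreamFrame) -> bytes:
    """Always emits an explicit Length field so the frame is self-delimiting."""
    ftype = STREAM_BASE | FLAG_LEN
    if f.offset:
        ftype |= FLAG_OFF
    if f.fin:
        ftype |= FLAG_FIN
    out = bytearray([ftype]) + encode_varint(f.stream_id)
    if f.offset:
        out += encode_varint(f.offset)
    out += encode_varint(len(f.data)) + f.data
    return bytes(out)


def decode_stream_frame(buf: bytes, pos: int = 0) -> tuple[StreamFrame, int]:
    ftype = buf[pos]
    pos += 1
    if not STREAM_BASE <= ftype <= STREAM_BASE | 0x07:
        raise ValueError(f"not a STREAM frame: type 0x{ftype:02x}")
    stream_id, pos = decode_varint(buf, pos)
    offset = 0
    if ftype & FLAG_OFF:
        offset, pos = decode_varint(buf, pos)
    if ftype & FLAG_LEN:
        length, pos = decode_varint(buf, pos)
        data, pos = buf[pos:pos + length], pos + length
    else:
        data, pos = buf[pos:], len(buf)  # without LEN, data runs to the packet end
    return StreamFrame(stream_id, bytes(data), offset, bool(ftype & FLAG_FIN)), pos


def audit_frames(frames: list[StreamFrame]) -> list[str]:
    """Replay decrypted STREAM frames of one connection in order and report any FIN on
    a unidirectional stream whose type byte marks it as critical. RFC 9204 §4.2 forbids
    closing the QPACK streams; a conforming peer should answer with
    H3_CLOSED_CRITICAL_STREAM rather than keep processing the stream."""
    stream_type: dict[int, int] = {}
    findings = []
    for f in frames:
        unidirectional = bool(f.stream_id & 0x2)
        if unidirectional and f.offset == 0 and f.data:
            stream_type[f.stream_id] = f.data[0]  # first byte is the stream type
        if unidirectional and f.fin:
            kind = CRITICAL_STREAM_TYPES.get(stream_type.get(f.stream_id))
            if kind is not None:
                findings.append(
                    f"stream {f.stream_id}: FIN on {kind} stream with "
                    f"{len(f.data)} byte(s) of data (offset {f.offset})"
                )
    return findings


def reproduction_frames() -> list[StreamFrame]:
    """Constructed sample, not a capture: the client opens unidirectional stream 2 as a
    QPACK encoder stream (assumption), then closes it with a FIN frame carrying no data."""
    return [
        StreamFrame(stream_id=2, data=bytes([QPACK_ENCODER_STREAM])),
        StreamFrame(stream_id=2, offset=1, fin=True),
    ]


def reproduction_wire_bytes() -> bytes:
    return b"".join(encode_stream_frame(f) for f in reproduction_frames())


if __name__ == "__main__":
    print(reproduction_wire_bytes().hex())
    for line in audit_frames(reproduction_frames()):
        print(line)
```

The audit only sees plaintext, so in practice it runs over frames from a capture decrypted with the connection's TLS secrets (for example via SSLKEYLOGFILE in Wireshark) or from inside a test client; the two-frame sample encodes to `0a020102` followed by `0f020100`, the second being the empty FIN frame on stream 2.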
Remediation
Upgrade to .NET 8.0.22 or .NET 9.0.11 (or later), where this vulnerability has been fixed. Until the upgrade is deployed, disabling HTTP/3 on exposed Kestrel endpoints (restricting ListenOptions.Protocols to HttpProtocols.Http1AndHttp2) removes the QUIC attack surface at the cost of HTTP/3 for all clients.
