📄 ASP.net 8.0.10 Core Kestrel HTTP Request Smuggling

This Metasploit auxiliary module targets a critical HTTP request smuggling vulnerability in ASP.NET Core Kestrel caused by improper parsing of malformed chunked transfer encoding notably LF-only line handling and case-variant headers like chUnKEd...

PT-2026-26328

Name of the Vulnerable Software and Affected Versions ASP.NET Core versions prior to 8.0.22 ASP.NET Core versions prior to 9.0.11 Description A remote attacker can cause excessive CPU consumption by sending a crafted QUIC packet. This is due to an incorrect exit condition for HTTP/3 Encoder/Decod...

MiracleLinux 9 : dotnet6.0-6.0.124-1.el9.ML.1 (AXSA:2023-6561:26)

The remote MiracleLinux 9 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2023-6561:26 advisory. dotnet: Denial of Service with Client Certificates using .NET Kestrel CVE-2023-36799 Tenable has extracted the preceding description block directly from the...

Use After Free

Overview Microsoft.AspNetCore.App.Runtime.win-arm is a package providing a default set of APIs for building an ASP.NET Core application. Contains assets used for self-contained deployments. Affected versions of this package are vulnerable to Use After Free through the handling of HTTP/3 requests ...

Use After Free

Overview Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 is a package providing a default set of APIs for building an ASP.NET Core application. Contains assets used for self-contained deployments. Affected versions of this package are vulnerable to Use After Free through the handling of HTTP/3...

Use After Free

Overview Microsoft.AspNetCore.App.Runtime.linux-musl-arm is a package providing a default set of APIs for building an ASP.NET Core application. Contains assets used for self-contained deployments. Affected versions of this package are vulnerable to Use After Free through the handling of HTTP/3...

Use After Free

Overview Microsoft.AspNetCore.App.Runtime.win-x86 is a package providing a default set of APIs for building an ASP.NET Core application. Contains assets used for self-contained deployments. Affected versions of this package are vulnerable to Use After Free through the handling of HTTP/3 requests ...

Use After Free

Overview Microsoft.AspNetCore.App.Runtime.osx-x64 is a package providing a default set of APIs for building an ASP.NET Core application. Contains assets used for self-contained deployments. Affected versions of this package are vulnerable to Use After Free through the handling of HTTP/3 requests ...

Use After Free

Overview Microsoft.AspNetCore.App.Runtime.linux-x64 is a package providing a default set of APIs for building an ASP.NET Core application. Contains assets used for self-contained deployments. Affected versions of this package are vulnerable to Use After Free through the handling of HTTP/3 request...

Use After Free

Overview Microsoft.AspNetCore.App.Runtime.win-arm64 is a package providing a default set of APIs for building an ASP.NET Core application. Contains assets used for self-contained deployments. Affected versions of this package are vulnerable to Use After Free through the handling of HTTP/3 request...

Use After Free

Overview Affected versions of this package are vulnerable to Use After Free through the handling of HTTP/3 requests in the Kestrel server. An attacker can execute arbitrary code by sending specially crafted HTTP/3 requests that exploit the data corruption issue. Remediation Upgrade...

Race Condition

Overview Microsoft.AspNetCore.App.Runtime.win-x86 is a package providing a default set of APIs for building an ASP.NET Core application. Contains assets used for self-contained deployments. Affected versions of this package are vulnerable to Race Condition through the...

dotnet: Denial of Service with Client Certificates using .NET Kestrel

A vulnerability was found in dotnet. This issue can lead to a denial of service when processing X.509 certificates...

USN-6438-2 .Net regressions

USN-6438-1 fixed vulnerabilities in .Net. It was discovered that the fix for CVE-2023-36799 was incomplete. This update fixes the problem. Original advisory details: Kevin Jones discovered that .NET did not properly process certain X.509 certificates. An attacker could possibly use this issue to...

USN-6438-1 dotnet6, dotnet7 vulnerabilities

Kevin Jones discovered that .NET did not properly process certain X.509 certificates. An attacker could possibly use this issue to cause a denial of service. CVE-2023-36799 It was discovered that the .NET Kestrel web server did not properly handle HTTP/2 requests. A remote attacker could possibly...

dotnet: Denial of Service with Client Certificates using .NET Kestrel

A vulnerability was found in dotnet. This issue can lead to a denial of service when processing X.509 certificates...

dotnet: Denial of Service with Client Certificates using .NET Kestrel

A vulnerability was found in dotnet. This issue can lead to a denial of service when processing X.509 certificates...

USN-6278-1: .NET vulnerabilities

It was discovered that .NET did not properly handle the execution of certain commands. An attacker could possibly use this issue to achieve remote code execution. CVE-2023-35390 Benoit Foucher discovered that .NET did not properly implement the QUIC stream limit in HTTP/3. An attacker could...

Denial of Service (DoS)

Overview Microsoft.AspNetCore.App.Runtime.win-x64 is a package providing a default set of APIs for building an ASP.NET Core application. Contains assets used for self-contained deployments. Affected versions of this package are vulnerable to Denial of Service DoS in .NET Kestrel where a malicious...

Denial of Service (DoS)

Overview Affected versions of this package are vulnerable to Denial of Service DoS in Kestrel where, on detecting a potentially malicious client, Kestrel will sometimes fail to disconnect it, resulting in exploitation of this vulnerability. Mitigation If your application is running behind a rever...