📄 ASP.net 8.0.10 Core Kestrel HTTP Request Smuggling

This Metasploit auxiliary module targets a critical HTTP request smuggling vulnerability in ASP.NET Core Kestrel caused by improper parsing of malformed chunked transfer encoding notably LF-only line handling and case-variant headers like chUnKEd...

PT-2026-26328

Name of the Vulnerable Software and Affected Versions ASP.NET Core versions prior to 8.0.22 ASP.NET Core versions prior to 9.0.11 Description A remote attacker can cause excessive CPU consumption by sending a crafted QUIC packet. This is due to an incorrect exit condition for HTTP/3 Encoder/Decod...

MiracleLinux 9 : dotnet6.0-6.0.124-1.el9.ML.1 (AXSA:2023-6561:26)

The remote MiracleLinux 9 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2023-6561:26 advisory. dotnet: Denial of Service with Client Certificates using .NET Kestrel CVE-2023-36799 Tenable has extracted the preceding description block directly from the...

Use After Free

Overview Affected versions of this package are vulnerable to Use After Free through the handling of HTTP/3 requests in the Kestrel server. An attacker can execute arbitrary code by sending specially crafted HTTP/3 requests that exploit the data corruption issue. Remediation Upgrade...

Use After Free

Overview Microsoft.AspNetCore.App.Runtime.osx-x64 is a package providing a default set of APIs for building an ASP.NET Core application. Contains assets used for self-contained deployments. Affected versions of this package are vulnerable to Use After Free through the handling of HTTP/3 requests ...

Use After Free

Overview Microsoft.AspNetCore.App.Runtime.win-arm64 is a package providing a default set of APIs for building an ASP.NET Core application. Contains assets used for self-contained deployments. Affected versions of this package are vulnerable to Use After Free through the handling of HTTP/3 request...

Use After Free

Overview Microsoft.AspNetCore.App.Runtime.win-x86 is a package providing a default set of APIs for building an ASP.NET Core application. Contains assets used for self-contained deployments. Affected versions of this package are vulnerable to Use After Free through the handling of HTTP/3 requests ...

Use After Free

Overview Microsoft.AspNetCore.App.Runtime.win-arm is a package providing a default set of APIs for building an ASP.NET Core application. Contains assets used for self-contained deployments. Affected versions of this package are vulnerable to Use After Free through the handling of HTTP/3 requests ...

Use After Free

Overview Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 is a package providing a default set of APIs for building an ASP.NET Core application. Contains assets used for self-contained deployments. Affected versions of this package are vulnerable to Use After Free through the handling of HTTP/3...

Use After Free

Overview Microsoft.AspNetCore.App.Runtime.linux-musl-arm is a package providing a default set of APIs for building an ASP.NET Core application. Contains assets used for self-contained deployments. Affected versions of this package are vulnerable to Use After Free through the handling of HTTP/3...

Use After Free

Overview Microsoft.AspNetCore.App.Runtime.linux-x64 is a package providing a default set of APIs for building an ASP.NET Core application. Contains assets used for self-contained deployments. Affected versions of this package are vulnerable to Use After Free through the handling of HTTP/3 request...

Race Condition

Overview Microsoft.AspNetCore.App.Runtime.win-x86 is a package providing a default set of APIs for building an ASP.NET Core application. Contains assets used for self-contained deployments. Affected versions of this package are vulnerable to Race Condition through the...

dotnet: Denial of Service with Client Certificates using .NET Kestrel

A vulnerability was found in dotnet. This issue can lead to a denial of service when processing X.509 certificates...

USN-6438-2 .Net regressions

USN-6438-1 fixed vulnerabilities in .Net. It was discovered that the fix for CVE-2023-36799 was incomplete. This update fixes the problem. Original advisory details: Kevin Jones discovered that .NET did not properly process certain X.509 certificates. An attacker could possibly use this issue to...

USN-6438-1 dotnet6, dotnet7 vulnerabilities

Kevin Jones discovered that .NET did not properly process certain X.509 certificates. An attacker could possibly use this issue to cause a denial of service. CVE-2023-36799 It was discovered that the .NET Kestrel web server did not properly handle HTTP/2 requests. A remote attacker could possibly...

dotnet: Denial of Service with Client Certificates using .NET Kestrel

A vulnerability was found in dotnet. This issue can lead to a denial of service when processing X.509 certificates...

dotnet: Denial of Service with Client Certificates using .NET Kestrel

A vulnerability was found in dotnet. This issue can lead to a denial of service when processing X.509 certificates...

USN-6278-1: .NET vulnerabilities

It was discovered that .NET did not properly handle the execution of certain commands. An attacker could possibly use this issue to achieve remote code execution. CVE-2023-35390 Benoit Foucher discovered that .NET did not properly implement the QUIC stream limit in HTTP/3. An attacker could...

Denial of Service (DoS)

Overview Microsoft.AspNetCore.App.Runtime.win-x64 is a package providing a default set of APIs for building an ASP.NET Core application. Contains assets used for self-contained deployments. Affected versions of this package are vulnerable to Denial of Service DoS in .NET Kestrel where a malicious...

Denial of Service (DoS)

Overview Affected versions of this package are vulnerable to Denial of Service DoS in Kestrel where, on detecting a potentially malicious client, Kestrel will sometimes fail to disconnect it, resulting in exploitation of this vulnerability. Mitigation If your application is running behind a rever...