16 results (0.006 seconds)

CVSS: 7.6EPSS: 0%CPEs: 6EXPL: 0

11 Jun 2025 — Untrusted search path in .NET and Visual Studio allows an unauthorized attacker to execute code over a network. A remote code execution vulnerability in .NET 8.0 and 9.0. An attacker who can place malicious files in specific locations may trigger unintended code execution when the .NET runtime loads these files. It was discovered that .NET did not properly validate search path in Microsoft.NETCore.App.Runtime. An attacker could possibly use this issue to execute arbitrary code. • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30399 • CWE-426: Untrusted Search Path CWE-427: Uncontrolled Search Path Element •

CVSS: 9.0EPSS: 0%CPEs: 6EXPL: 0

13 May 2025 — External control of file name or path in .NET, Visual Studio, and Build Tools for Visual Studio allows an authorized attacker to perform spoofing over a network. A flaw was found in .NET and Visual Studio. This vulnerability allows an attacker to use specially crafted input to spoof trusted content or identities, potentially misleading users or systems. This issue requires user interaction and limited privileges but can lead to unauthorized actions or escalation due to incorrect identity or content validati... • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26646 • CWE-73: External Control of File Name or Path CWE-290: Authentication Bypass by Spoofing •

CVSS: 7.6EPSS: 0%CPEs: 9EXPL: 0

14 Jan 2025 — .NET and Visual Studio Remote Code Execution Vulnerability A remote code execution vulnerability was found in .NET. This flaw allows an attacker to load a specially crafted file in .NET. It was discovered that .NET did not properly handle input provided to its Convert.TryToHexString method. An attacker could possibly use this issue to execute arbitrary code. It was discovered that .NET did not properly handle an integer overflow when processing certain specially crafted files. • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21172 • CWE-122: Heap-based Buffer Overflow CWE-190: Integer Overflow or Wraparound •

CVSS: 7.3EPSS: 1%CPEs: 6EXPL: 0

14 Jan 2025 — .NET Elevation of Privilege Vulnerability An elevation of privilege vulnerability was found in .NET. This flaw allows an attacker to write a specially crafted file in the security context of the local system. It was discovered that .NET did not properly handle input provided to its Convert.TryToHexString method. An attacker could possibly use this issue to execute arbitrary code. It was discovered that .NET did not properly handle an integer overflow when processing certain specially crafted files. • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21173 • CWE-379: Creation of Temporary File in Directory with Insecure Permissions •

CVSS: 10.0EPSS: 0%CPEs: 17EXPL: 0

14 Jan 2025 — .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability A remote code execution vulnerability was found in .NET. This flaw allows an attacker to load a specially crafted file in .NET. It was discovered that .NET did not properly handle input provided to its Convert.TryToHexString method. An attacker could possibly use this issue to execute arbitrary code. It was discovered that .NET did not properly handle an integer overflow when processing certain specially crafted files. • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21176 • CWE-126: Buffer Over-read •

CVSS: 7.8EPSS: 0%CPEs: 9EXPL: 0

08 Oct 2024 — .NET and Visual Studio Denial of Service Vulnerability A flaw was found in dotnet. In System.Text.Json, applications that deserialize input to a model with an [ExtensionData] property can be vulnerable to an algorithmic complexity attack, resulting in a denial of service. Brennan Conroy discovered that the .NET Kestrel web server did not properly handle closing HTTP/3 streams under certain circumstances. An attacker could possibly use this issue to achieve remote code execution. This vulnerability only impa... • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43485 • CWE-407: Inefficient Algorithmic Complexity •

CVSS: 7.8EPSS: 0%CPEs: 19EXPL: 0

08 Oct 2024 — .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability A flaw was found in dotnet. The System.IO.Packaging library may allow untrusted inputs to influence algorithmically complex operations, resulting in a denial of service. Brennan Conroy discovered that the .NET Kestrel web server did not properly handle closing HTTP/3 streams under certain circumstances. An attacker could possibly use this issue to achieve remote code execution. This vulnerability only impacted Ubuntu 22.04 LTS and Ubunt... • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43484 • CWE-407: Inefficient Algorithmic Complexity CWE-789: Memory Allocation with Excessive Size Value •

CVSS: 7.8EPSS: 0%CPEs: 19EXPL: 0

08 Oct 2024 — .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability A flaw was found in dotnet. The System.Security.Cryptography.Cose, System.IO.Packaging and System.Runtime.Caching components may be exposed to hostile input, making them susceptible to hash flooding attacks, resulting in denial of service. Brennan Conroy discovered that the .NET Kestrel web server did not properly handle closing HTTP/3 streams under certain circumstances. An attacker could possibly use this issue to achieve remote code ... • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43483 • CWE-407: Inefficient Algorithmic Complexity •

CVSS: 8.1EPSS: 0%CPEs: 5EXPL: 0

08 Oct 2024 — .NET and Visual Studio Remote Code Execution Vulnerability A flaw was found in dotnet. When closing an HTTP/3 stream while application code is writing to the response body, a race condition can cause a use-after-free. Brennan Conroy discovered that the .NET Kestrel web server did not properly handle closing HTTP/3 streams under certain circumstances. An attacker could possibly use this issue to achieve remote code execution. This vulnerability only impacted Ubuntu 22.04 LTS and Ubuntu 24.04 LTS. • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38229 • CWE-416: Use After Free •

CVSS: 7.8EPSS: 1%CPEs: 4EXPL: 0

13 Aug 2024 — .NET and Visual Studio Denial of Service Vulnerability • https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38168 • CWE-400: Uncontrolled Resource Consumption •