Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.5
ASP.NET Core can be crashed by a specially crafted internet packet
CVE-2026-25667
BIT-dotnet-sdk-2026-25667
Summary
An attacker can send a malicious packet to a server running ASP.NET Core, causing it to consume excessive CPU resources. This can happen in versions of ASP.NET Core running on .NET 8.0 before 8.0.22 and .NET 9.0 before 9.0.11. To avoid this, update to the latest version of the software.
What to do
- Update dotnet to version 9.0.11.
- Update dotnet-sdk to version 9.0.11.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Bitnami | – | dotnet |
>= 9.0.0, < 9.0.11 Fix: upgrade to 9.0.11
|
| Bitnami | – | dotnet-sdk |
>= 9.0.0, < 9.0.11 Fix: upgrade to 9.0.11
|
Original title
ASP.NET Core Kestrel in Microsoft .NET 8.0 before 8.0.22 and .NET 9.0 before 9.0.11 allows a remote attacker to cause excessive CPU consumption by sending a crafted QUIC packet, because of an incor...
Original description
ASP.NET Core Kestrel in Microsoft .NET 8.0 before 8.0.22 and .NET 9.0 before 9.0.11 allows a remote attacker to cause excessive CPU consumption by sending a crafted QUIC packet, because of an incorrect exit condition for HTTP/3 Encoder/Decoder stream processing.
Vulnerability type
CWE-400
Uncontrolled Resource Consumption
Published: 16 Apr 2026 · Updated: 17 Apr 2026 · First seen: 19 Mar 2026