Description
ASP.NET Core Kestrel in Microsoft .NET 8.0 before 8.0.22 and .NET 9.0 before 9.0.11 allows a remote attacker to cause excessive CPU consumption by sending a crafted QUIC packet, because of an incorrect exit condition for HTTP/3 Encoder/Decoder stream processing.
Published: 2026-03-19
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

ASP.NET Core Kestrel in Microsoft .NET 8.0 before 8.0.22 and .NET 9.0 before 9.0.11 has an incorrect exit condition in its HTTP/3 Encoder/Decoder stream processing, which allows a remote attacker to trigger excessive CPU consumption by sending a crafted QUIC packet. The result is denial of service for legitimate users; the weakness is classified as CWE-400 (Uncontrolled Resource Consumption).

Affected Systems

Microsoft ASP.NET Core Kestrel running on .NET 8.0 versions earlier than 8.0.22 or .NET 9.0 versions earlier than 9.0.11 is affected. Systems that expose the Kestrel HTTP/3 endpoint to external networks are at risk.

Risk and Exploitability

The vulnerability has a CVSS v3.1 base score of 7.5 (High). Exploit probability is low, with an EPSS score of less than 1%, and it is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely, without authentication or user interaction, by sending crafted QUIC packets to a vulnerable Kestrel HTTP/3 endpoint, potentially causing prolonged CPU usage and service interruption.

Generated by OpenCVE AI on March 24, 2026 at 03:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ASP.NET Core to .NET 8.0.22 or later, or .NET 9.0.11 or later.


Advisories

No advisories yet.

History

Wed, 25 Mar 2026 12:00:00 +0000

Type   | Values Removed | Values Added
Title  |                | Denial of Service via Crafted QUIC Packet in ASP.NET Core Kestrel

Tue, 24 Mar 2026 02:30:00 +0000

Type       | Values Removed | Values Added
Weaknesses |                | CWE-400
Metrics    |                | cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
           |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Microsoft; Microsoft aspnetcore
Vendors & Products  |                | Microsoft; Microsoft aspnetcore

Thu, 19 Mar 2026 18:45:00 +0000

Type        | Values Removed | Values Added
Description |                | ASP.NET Core Kestrel in Microsoft .NET 8.0 before 8.0.22 and .NET 9.0 before 9.0.11 allows a remote attacker to cause excessive CPU consumption by sending a crafted QUIC packet, because of an incorrect exit condition for HTTP/3 Encoder/Decoder stream processing.
References  |                |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-03-24T01:32:58.972Z

Reserved: 2026-02-04T00:00:00.000Z

Link: CVE-2026-25667

Vulnrichment

Updated: 2026-03-24T01:32:53.058Z

NVD

Status : Awaiting Analysis

Published: 2026-03-19T19:16:19.880

Modified: 2026-03-24T02:16:04.377

Link: CVE-2026-25667

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:51:38Z

Weaknesses