Description
ASP.NET Core Kestrel in Microsoft .NET 8.0 before 8.0.22 and .NET 9.0 before 9.0.11 allows a remote attacker to cause excessive CPU consumption by sending a crafted QUIC packet, because of an incorrect exit condition for HTTP/3 Encoder/Decoder stream processing.
Published: 2026-03-19
Score: 7.5 High
EPSS: 14.5% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ASP.NET Core Kestrel in Microsoft .NET 8.0 before 8.0.22 and .NET 9.0 before 9.0.11 contains an error in the exit condition for HTTP/3 Encoder/Decoder stream processing, allowing a remote attacker to trigger excessive CPU consumption by sending a crafted QUIC packet. This results in denial of service for legitimate users and is classified under CWE-400 (Uncontrolled Resource Consumption).

Affected Systems

Microsoft ASP.NET Core Kestrel running on .NET 8.0 versions earlier than 8.0.22 or .NET 9.0 versions earlier than 9.0.11 is affected. Systems that expose a Kestrel HTTP/3 (QUIC) endpoint to untrusted networks are at risk.

Risk and Exploitability

The vulnerability has a CVSS 3.1 score of 7.5 (High; vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, i.e. reachable over the network with no privileges or user interaction required, affecting availability only). Exploit probability is moderate, with an EPSS score of 15%, and it is not listed in the CISA KEV catalog. Attackers can exploit the flaw remotely by sending crafted QUIC packets to the vulnerable Kestrel instance, potentially causing prolonged CPU usage and service interruption.

Generated by OpenCVE AI on May 1, 2026 at 05:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ASP.NET Core to .NET 8.0.22 or later, or .NET 9.0.11 or later.
  • Disable QUIC/HTTP/3 on the Kestrel server to prevent exploitation until the upgrade is applied; clients will fall back to HTTP/1.1 or HTTP/2.
  • Configure firewall or network policies to block or rate-limit QUIC traffic to the server (QUIC runs over UDP, so TCP-only filtering does not cover it).

Advisories

No advisories yet.

History

Fri, 01 May 2026 06:00:00 +0000

Type Values Removed Values Added
Title Remote DoS via Crafted QUIC Packet in ASP.NET Core Kestrel

Wed, 22 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
References

Wed, 15 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted QUIC Packet in ASP.NET Core Kestrel

Tue, 14 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft .net
CPEs cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*
Vendors & Products Microsoft .net

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted QUIC Packet in ASP.NET Core Kestrel

Tue, 24 Mar 2026 02:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
Metrics cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft
Microsoft aspnetcore
Vendors & Products Microsoft
Microsoft aspnetcore

Thu, 19 Mar 2026 18:45:00 +0000

Type Values Removed Values Added
Description ASP.NET Core Kestrel in Microsoft .NET 8.0 before 8.0.22 and .NET 9.0 before 9.0.11 allows a remote attacker to cause excessive CPU consumption by sending a crafted QUIC packet, because of an incorrect exit condition for HTTP/3 Encoder/Decoder stream processing.
References

Subscriptions

Microsoft .net Aspnetcore
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-29T14:34:11.558Z

Reserved: 2026-02-04T00:00:00.000Z

Link: CVE-2026-25667

Vulnrichment

Updated: 2026-03-24T01:32:53.058Z

NVD

Status: Modified

Published: 2026-03-19T19:16:19.880

Modified: 2026-04-22T17:16:34.337

Link: CVE-2026-25667

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T05:45:10Z

Weaknesses