Описание
.NET and Visual Studio Remote Code Execution Vulnerability
FAQ
According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability?
Successful exploitation of this vulnerability requires an attacker to win a race condition.
How could an attacker exploit this vulnerability?
An attacker could exploit this by closing an http/3 stream while the request body is being processed leading to a race condition. This could result in remote code execution.
.NET 6.0 was added to the Security Updates table on October 31, 2024 because it is also affected by this vulnerability. Why are the Download and Article links missing for .NET 6.0?
HTTP/3 support was only experimental in .NET 6.0. If you are using .NET 6 you must update your application to .NET 8 to be protected. Experimental features will not be patched if a later runtime includes the feature as non-experimental.
Обновления
| Продукт | Статья | Обновление |
|---|---|---|
| Microsoft Visual Studio 2022 version 17.4 | ||
| Microsoft Visual Studio 2022 version 17.6 | ||
| .NET 8.0 | ||
| Microsoft Visual Studio 2022 version 17.8 | ||
| Microsoft Visual Studio 2022 version 17.10 |
Показывать по
Возможность эксплуатации
Publicly Disclosed
Exploited
Latest Software Release
DOS
EPSS
8.1 High
CVSS3
Связанные уязвимости
.NET and Visual Studio Remote Code Execution Vulnerability
.NET and Visual Studio Remote Code Execution Vulnerability
.NET and Visual Studio Remote Code Execution Vulnerability
Microsoft Security Advisory CVE-2024-35264 | .NET Remote Code Execution Vulnerability
EPSS
8.1 High
CVSS3