Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2025-36854

Опубликовано: 08 сент. 2025
Источник: nvd
CVSS3: 8.1
EPSS Низкий

Описание

A vulnerability ( CVE-2024-38229 https://www.cve.org/CVERecord ) exists in EOL ASP.NET when closing an HTTP/3 stream while application code is writing to the response body, a race condition may lead to use-after-free, resulting in Remote Code Execution.

Per CWE-416: Use After Free https://cwe.mitre.org/data/definitions/416.html , Use After Free is when a product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

This issue affects EOL ASP.NET 6.0.0 <= 6.0.36 as represented in this CVE, as well as 8.0.0 <= 8.0.8, 9.0.0-preview.1.24081.5 <= 9.0.0.RC.1 as represented in  CVE-2024-38229 https://www.cve.org/CVERecord .

Additionally, if you've deployed self-contained ap

Ссылки

EPSS

Процентиль: 32%
0.00124
Низкий

8.1 High

CVSS3

Дефекты

CWE-416

Связанные уязвимости

github логотип

GHSA-qwjg-j8g7-hwvh

CVSS3: 8.1
github
около 1 месяца назад

A vulnerability ( CVE-2024-38229 https://www.cve.org/CVERecord ) exists in EOL ASP.NET when closing an HTTP/3 stream while application code is writing to the response body, a race condition may lead to use-after-free, resulting in Remote Code Execution. Per CWE-416: Use After Free https://cwe.mitre.org/data/definitions/416.html , Use After Free is when a product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. This issue affects EOL ASP.NET 6.0.0 <= 6.0.36 as represented in this CVE, as well as 8.0.0 <= 8.0.8, 9.0.0-preview.1.24081.5 <= 9.0.0.RC.1 as represented in  CVE-2024-38229 https://www.cve.org/CVERecord . Additionally, if you've deployed self-contained...

fstec логотип

BDU:2025-12583

CVSS3: 8.1
fstec
около 1 месяца назад

Уязвимость программной платформы Microsoft .NET, связанная с использованием памяти после её освобождения, позволяющая нарушителю получить доступ к конфиденциальной информации

redos логотип

ROS-20251002-03

CVSS3: 8.8
redos
14 дней назад

Множественные уязвимости dotnet

EPSS

Процентиль: 32%
0.00124
Низкий

8.1 High

CVSS3

Дефекты

CWE-416