CVE-2026-25667

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2026-25667

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25667.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2026-25667

Aliases

Downstream

MINI-4xj4-jqfh-j879

MINI-9mr2-2hf7-crmq

Published

2026-03-19T19:16:19.880Z

Modified

2026-04-17T04:57:18.685166193Z

Summary

[none]

Details

ASP.NET Core Kestrel in Microsoft .NET 8.0 before 8.0.22 and .NET 9.0 before 9.0.11 allows a remote attacker to cause excessive CPU consumption by sending a crafted QUIC packet, because of an incorrect exit condition for HTTP/3 Encoder/Decoder stream processing.

References

Affected packages

Git / github.com/dotnet/aspnetcore

Affected ranges

Type

GIT

Repo

https://github.com/dotnet/aspnetcore

Events

Introduced

3f1acb59718cadf111a0a796681e3d3509bb3381

Fixed

ee417479933278bb5aadc5944706a96b5ef74a5d

Introduced

af22effae4069a5dfb9b0735859de48820104f5b

Fixed

d3aba8fe1a0d0f5c145506f292b72ea9d28406fc

Fixed

96ccc40a0e095424b19506e8268b9b1a3e23d6a7

Database specific

{
    "versions": [
        {
            "introduced": "8.0"
        },
        {
            "fixed": "8.0.22"
        },
        {
            "introduced": "9.0"
        },
        {
            "fixed": "9.0.11"
        }
    ]
}

Affected versions

v8.*

v8.0.0

v8.0.1

v8.0.10

v8.0.11

v8.0.12

v8.0.13

v8.0.14

v8.0.15

v8.0.16

v8.0.17

v8.0.18

v8.0.19

v8.0.2

v8.0.20

v8.0.21

v8.0.3

v8.0.4

v8.0.5

v8.0.7

v8.0.8

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25667.json"