CVE-2025-36854
📋 TL;DR
A race condition in EOL ASP.NET versions when closing HTTP/3 streams while writing response bodies can cause use-after-free memory corruption, potentially leading to remote code execution. This affects ASP.NET 6.0.0-6.0.36, 8.0.0-8.0.8, and 9.0.0 preview/RC versions, including self-contained applications targeting these versions. Since the software is end-of-life, Microsoft will not provide patches.
💻 Affected Systems
- ASP.NET
- ASP.NET Core
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote attacker gains full control of the server through remote code execution, potentially leading to data theft, lateral movement, or complete system compromise.
Likely Case
Server crashes or instability due to memory corruption, leading to denial of service and potential information disclosure through memory dumps.
If Mitigated
If HTTP/3 is disabled, the vulnerable code path is not reachable; if the application is not internet-facing, exposure is limited to attackers already on the internal network, and overall risk is significantly reduced.
🎯 Exploit Status
Exploitation requires winning a race condition, which adds complexity, but HTTP/3 adoption is growing. No public exploit code is known at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: N/A
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38229
Restart Required: Yes
Instructions:
1. Upgrade to supported ASP.NET versions (7.x or later supported versions).
2. For self-contained applications: recompile with the updated runtime.
3. Restart all affected services.
🔧 Temporary Workarounds
Disable HTTP/3
Disable HTTP/3 protocol support to prevent exploitation of this race condition.
In Program.cs or app configuration:
    builder.WebHost.ConfigureKestrel(options =>
    {
        options.ConfigureEndpointDefaults(listenOptions =>
        {
            listenOptions.Protocols = HttpProtocols.Http1AndHttp2;
        });
    });
Network Filtering
Block UDP port 443 (QUIC/HTTP/3) at the network perimeter.
Firewall rule to block UDP/443 inbound
🧯 If You Can't Patch
- Isolate affected systems in separate network segments with strict access controls
- Implement web application firewall (WAF) rules to detect and block suspicious HTTP/3 traffic patterns
🔍 How to Verify
Check if Vulnerable:
Check the ASP.NET version with dotnet --info, and examine the application's runtime configuration to see whether HTTP/3 is enabled.
Check Version:
dotnet --info | findstr "ASP.NET" (on Windows; use grep on Linux/macOS), or inspect the application's runtimeconfig.json files
Verify Fix Applied:
Verify HTTP/3 is disabled in Kestrel configuration and application is using supported ASP.NET version.
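An added example, not part of this advisory page: a Python helper that pulls the Microsoft.AspNetCore.App version out of a runtimeconfig.json document or out of `dotnet --info` output and compares it with the ranges stated in the TL;DR above. The sample inputs are constructed, and the range table comes from this page rather than from NVD, so confirm it against the vendor advisory before relying on it.

```python
import json
import re

# Affected ranges as stated in the TL;DR of this page (not taken from NVD).
AFFECTED_RANGES = [((6, 0, 0), (6, 0, 36)), ((8, 0, 0), (8, 0, 8))]
PRERELEASE_AFFECTED_CORE = (9, 0, 0)  # only 9.0.0 preview/RC builds are listed

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.\-]+))?$")
# Matches the "runtimes installed" lines printed by `dotnet --info`.
_INFO_RE = re.compile(r"^\s*Microsoft\.AspNetCore\.App\s+(\S+)\s+\[")


def parse_version(text):
    """Return ((major, minor, patch), prerelease-or-None), or None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def is_affected(version_text):
    """True if the version falls inside the ranges this page lists as vulnerable."""
    parsed = parse_version(version_text)
    if parsed is None:
        return False
    core, prerelease = parsed
    if prerelease is not None:
        # Prereleases are only listed for 9.0.0 preview/RC; a 9.0.0 GA build is not.
        return core == PRERELEASE_AFFECTED_CORE and prerelease.lower().startswith(("preview", "rc"))
    return any(lo <= core <= hi for lo, hi in AFFECTED_RANGES)


def aspnet_versions_from_runtimeconfig(runtimeconfig_text):
    """Extract Microsoft.AspNetCore.App versions from a *.runtimeconfig.json document."""
    opts = json.loads(runtimeconfig_text).get("runtimeOptions", {})
    frameworks = opts.get("frameworks") or ([opts["framework"]] if "framework" in opts else [])
    return [f["version"] for f in frameworks if f.get("name") == "Microsoft.AspNetCore.App"]


def aspnet_versions_from_dotnet_info(info_text):
    """Extract installed ASP.NET Core shared-framework versions from `dotnet --info` output."""
    found = []
    for line in info_text.splitlines():
        m = _INFO_RE.match(line)
        if m:
            found.append(m.group(1))
    return found


def assess(versions):
    """Pair each version with its verdict so a script can report every framework found."""
    return [(v, is_affected(v)) for v in versions]


if __name__ == "__main__":
    # Constructed sample input, not captured from a real host.
    sample_info = "  Microsoft.AspNetCore.App 8.0.8 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]\n"
    for version, hit in assess(aspnet_versions_from_dotnet_info(sample_info)):
        print(version, "AFFECTED" if hit else "not in listed ranges")
```

For framework-dependent apps the version in runtimeconfig.json is only a minimum and roll-forward may load a newer patch, so `dotnet --info` on the host is the authoritative check; for self-contained apps, check the runtime shipped inside the publish folder instead.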
📡 Detection & Monitoring
Log Indicators:
- Unexpected application crashes
- Memory access violation errors in event logs
- HTTP/3 connection attempts followed by crashes
Network Indicators:
- UDP/443 traffic to ASP.NET servers
- Abnormal HTTP/3 stream termination patterns
SIEM Query:
source="*aspnet*" AND ("access violation" OR "use after free" OR ("http/3" AND crash))