Mend.io Vulnerability Database
The largest open source vulnerability database
CVE-2026-25667
March 19, 2026
ASP.NET Core Kestrel in Microsoft .NET 8.0 before 8.0.22 and .NET 9.0 before 9.0.11 allows a remote attacker to cause excessive CPU consumption by sending a crafted QUIC packet, because of an incorrect exit condition for HTTP/3 Encoder/Decoder stream processing.
Affected Packages
https://github.com/dotnet/aspnetcore.git (GITHUB):
Affected version(s): >=v8.0.0 <v8.0.22
Fix Suggestion: Update to version v8.0.22
https://github.com/dotnet/aspnetcore.git (GITHUB):
Affected version(s): >=v9.0.0 <v9.0.11
Fix Suggestion: Update to version v9.0.11
Microsoft.AspNetCore.Server.Kestrel.Core (NUGET):
Affected version(s): >=2.0.0 <2.3.6
Fix Suggestion: Update to version 2.3.6
CVSS v3
Base Score: 7.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality: NONE
Integrity: NONE
Availability: HIGH
Weakness Type (CWE): Uncontrolled Resource Consumption
EPSS
Base Score: 0.14