CVE-2018-0875
Description
.NET Core 1.0, .NET Core 1.1, NET Core 2.0 and PowerShell Core 6.0.0 allow a denial of Service vulnerability due to how specially crafted requests are handled, aka ".NET Core Denial of Service Vulnerability".
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A hash collision vulnerability in .NET Core 1.0-2.0 and PowerShell Core 6.0.0 allows remote denial of service via specially crafted requests.
Vulnerability
CVE-2018-0875 is a denial of service vulnerability in .NET Core versions 1.0.9 and earlier, 1.1.6 and earlier, 2.0.5 and earlier, and PowerShell Core 6.0.0. The vulnerability exists due to how the affected software handles specially crafted requests, specifically involving hash collisions that can be exploited to cause excessive resource consumption. Applications running on these versions are vulnerable when processing malicious files or web requests [1][2][3].
Exploitation
An attacker with network access can send a specially crafted request or file to a .NET Core or PowerShell Core application. The exploit leverages predictable hash values that allow an attacker to create a large number of colliding entries in a hash table, leading to CPU exhaustion and denial of service. No authentication is required, and the attacker does not need any special privileges beyond the ability to send requests to the target [3].
Impact
Successful exploitation results in a denial of service condition, where the affected system becomes unresponsive due to high CPU usage. The vulnerability impacts the availability of the service, but does not allow for arbitrary code execution, elevation of privilege, or data disclosure [1][2].
Mitigation
Microsoft released updates for .NET Core runtimes versions 1.0.10, 1.1.7, and 2.0.6 to address this vulnerability. Developers should update their .NET Core SDK to versions 1.1.8 or 2.1.101. Red Hat also released errata (RHSA-2018:0522) for affected packages. PowerShell Core 6.0.0 users should update to a patched release. No workaround is available other than applying the updates [1][3].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
Microsoft.NETCore.JitNuGet | >= 2.0.0, < 2.0.6 | 2.0.6 |
Microsoft.NETCore.JitNuGet | >= 1.1.0, < 1.1.7 | 1.1.7 |
Microsoft.NETCore.JitNuGet | < 1.0.12 | 1.0.12 |
Affected products
4- Range: 6.0.0
- Microsoft Corporation/.NET Corev5Range: .NET Core 1.0, .NET Core 1.1, NET Core 2.0 and PowerShell Core 6.0.0 allow a denial of Service vulnerability due to how specially crafted requests are handled, aka ".NET Core Denial of Service Vulnerability".
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
7- access.redhat.com/errata/RHSA-2018:0522ghsavendor-advisoryx_refsource_REDHATWEB
- github.com/advisories/GHSA-xcvr-qv8h-m7xwghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2018-0875ghsaADVISORY
- www.securityfocus.com/bid/103225ghsavdb-entryx_refsource_BIDWEB
- www.securitytracker.com/id/1040505ghsavdb-entryx_refsource_SECTRACKWEB
- github.com/dotnet/announcements/issues/62ghsaWEB
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0875ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.