VYPR
← All advisories
High severityNVD Advisory· Published May 16, 2019· Updated Aug 4, 2024

CVE-2019-0820

CVE-2019-0820

Description

A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings, aka '.NET Framework and .NET Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0980, CVE-2019-0981.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A denial of service vulnerability in .NET Framework and .NET Core caused by improper processing of RegEx strings, allowing remote attackers to crash applications.

Vulnerability

Overview

CVE-2019-0820 is a denial of service (DoS) vulnerability in .NET Framework and .NET Core that arises when the runtime improperly processes specially crafted regular expression (RegEx) strings [2]. The root cause lies in the regex engine's handling of certain patterns, which can lead to excessive resource consumption or an unhandled exception, ultimately crashing the application [1]. This CVE is distinct from related issues CVE-2019-0980 and CVE-2019-0981 [2].

Exploitation

An attacker can exploit this vulnerability by providing a malicious RegEx string to a .NET application that processes user-supplied regular expressions. No authentication is required if the application exposes a public endpoint that accepts regex input (e.g., a search or validation feature). The attack does not require special network position; it can be delivered remotely over HTTP or other protocols [1][2].

Impact

Successful exploitation results in a denial of service condition, causing the affected .NET application to become unresponsive or terminate. This can disrupt services and require manual restart to restore functionality. The vulnerability does not allow code execution or privilege escalation [2].

Mitigation

Microsoft released security updates for .NET Framework and .NET Core to address this vulnerability. Red Hat also provided updated packages for .NET Core 2.1 on Red Hat Enterprise Linux 8 [1]. Users should apply the latest patches from their respective vendors. No workarounds are documented; updating to the fixed versions is the recommended mitigation [1][2].

References
  1. https://access.redhat.com/errata/RHSA-2019:1259
  2. NVD - CVE-2019-0820

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
System.Text.RegularExpressionsNuGet
>= 4.3.0, < 4.3.14.3.1

Affected products

45
  • Microsoft/.net Frameworkllm-fuzzy
  • .NET Core/.NET Corellm-fuzzy
  • ghsa-coords
    pkg:nuget/system.text.regularexpressions
    Range: >= 4.3.0, < 4.3.1
  • Microsoft/Microsoft .NET Frameworkcpe-rescue9 versions
    Service Pack 2 on Windows Server 2008 for Itanium-Based Systems Service Pack 2+ 8 more
    • (no CPE)range: Service Pack 2 on Windows Server 2008 for Itanium-Based Systems Service Pack 2
    • (no CPE)range: Service Pack 2 on Windows Server 2008 for Itanium-Based Systems Service Pack 2
    • (no CPE)range: Windows Server 2012
    • (no CPE)range: Windows 7 for 32-bit Systems Service Pack 1
    • (no CPE)range: Windows 7 for 32-bit Systems Service Pack 1
    • (no CPE)range: Windows Server 2008 for 32-bit Systems Service Pack 2
    • (no CPE)range: Windows Server 2016
    • (no CPE)range: Windows 7 for 32-bit Systems Service Pack 1
    • (no CPE)range: Windows 10 Version 1803 for 32-bit Systems
  • Microsoft/Microsoft .NET Framework 3.5 on Windows 10 Version 1903 for 32-bit Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 3.5 on Windows 10 Version 1903 for x64-based Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 3.5 on Windows Server, version 1903 (Server Core installation)v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for 32-bit Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for x64-based Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 10 Version 1703 for 32-bit Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 10 Version 1703 for x64-based Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 10 Version 1709 for 32-bit Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 10 Version 1709 for x64-based Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 10 Version 1803 for 32-bit Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 10 Version 1803 for x64-based Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 10 Version 1809 for 32-bit Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 10 Version 1809 for x64-based Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 10 Version 1903 for 32-bit Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 10 Version 1903 for x64-based Systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 7 for 32-bit Systems Service Pack 1v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 7 for x64-based Systems Service Pack 1v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 8.1 for 32-bit systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows 8.1 for x64-based systemsv5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows RT 8.1v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows Server 2008 R2 for x64-based Systems Service Pack 1v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows Server 2012v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows Server 2012 R2v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows Server 2012 R2 (Server Core installation)v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows Server 2012 (Server Core installation)v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows Server 2016v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows Server 2016 (Server Core installation)v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows Server 2019v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows Server 2019 (Server Core installation)v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows Server, version 1803 (Server Core Installation)v5
    Range: unspecified
  • Microsoft/Microsoft .NET Framework 4.8 on Windows Server, version 1903 (Server Core installation)v5
    Range: unspecified
  • Microsoft/Aspnetcorecpe-rescue
    Range: 1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

4

News mentions

0

No linked articles in our index yet.