VYPR
High severity · NVD Advisory · Published Feb 9, 2022 · Updated Jan 2, 2025

.NET Denial of Service Vulnerability

CVE-2022-21986

Description

.NET Denial of Service Vulnerability

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A Denial of Service vulnerability in .NET 6.0 and 5.0 allows unauthenticated remote attackers to crash Kestrel web servers via crafted HTTP/2 or HTTP/3 requests.

Vulnerability

A Denial of Service (DoS) vulnerability exists in .NET 6.0 (versions 6.0.1 and earlier) and .NET 5.0 (versions 5.0.13 and earlier) when the Kestrel web server processes certain HTTP/2 and HTTP/3 requests [1][4]. The flaw lies in how Kestrel handles specific malformed or specially crafted HTTP/2 and HTTP/3 frames, leading to resource exhaustion [1]. No special configuration is required for the code path to be reachable—any .NET application using Kestrel as the web server and accepting HTTP/2 or HTTP/3 connections is affected [1].

Exploitation

An attacker can exploit this vulnerability by sending a series of carefully crafted HTTP/2 or HTTP/3 requests to a vulnerable Kestrel endpoint from any network position that can reach the server [1]. The attacker does not need authentication or prior access to the server [1]. The specific sequence involves transmitting malformed HTTP/2 or HTTP/3 frames that trigger an out-of-memory condition or infinite loop within Kestrel's request processing pipeline [1]. No user interaction is required [1].

Impact

Successful exploitation results in a Denial of Service condition: the Kestrel web server becomes unresponsive, causing legitimate requests to fail or be delayed [1]. The attack does not lead to information disclosure, data tampering, or code execution [1]. The scope is limited to the affected .NET application—the underlying operating system and other services remain unaffected [1].

Mitigation

Microsoft released fixes on February 8, 2022. Users should update to .NET 6.0.2 (SDK 6.0.102) or .NET 5.0.14 (SDK 5.0.114 or 5.0.405) [1][4]. The updates are available via the .NET download page, Microsoft Update, or Visual Studio prompts [1][4]. No mitigating factors or workarounds have been identified [1]. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package (NuGet) | Affected versions | Patched versions |
|---|---|---|
| Microsoft.AspNetCore.App.Runtime.win-x64 | >= 5.0.0, < 5.0.14 | 5.0.14 |
| Microsoft.AspNetCore.App.Runtime.linux-x64 | >= 5.0.0, < 5.0.14 | 5.0.14 |
| Microsoft.AspNetCore.App.Runtime.win-x86 | >= 5.0.0, < 5.0.14 | 5.0.14 |
| Microsoft.AspNetCore.App.Runtime.osx-x64 | >= 5.0.0, < 5.0.14 | 5.0.14 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-x64 | >= 5.0.0, < 5.0.14 | 5.0.14 |
| Microsoft.AspNetCore.App.Runtime.linux-arm64 | >= 5.0.0, < 5.0.14 | 5.0.14 |
| Microsoft.AspNetCore.App.Runtime.linux-arm | >= 5.0.0, < 5.0.14 | 5.0.14 |
| Microsoft.AspNetCore.App.Runtime.win-arm64 | >= 5.0.0, < 5.0.14 | 5.0.14 |
| Microsoft.AspNetCore.App.Runtime.win-arm | >= 5.0.0, < 5.0.14 | 5.0.14 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 | >= 5.0.0, < 5.0.14 | 5.0.14 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm | >= 5.0.0, < 5.0.14 | 5.0.14 |
| Microsoft.AspNetCore.App.Runtime.linux-arm | >= 6.0.0, < 6.0.2 | 6.0.2 |
| Microsoft.AspNetCore.App.Runtime.linux-arm64 | >= 6.0.0, < 6.0.2 | 6.0.2 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm | >= 6.0.0, < 6.0.2 | 6.0.2 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 | >= 6.0.0, < 6.0.2 | 6.0.2 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-x64 | >= 6.0.0, < 6.0.2 | 6.0.2 |
| Microsoft.AspNetCore.App.Runtime.linux-x64 | >= 6.0.0, < 6.0.2 | 6.0.2 |
| Microsoft.AspNetCore.App.Runtime.osx-arm64 | >= 6.0.0, < 6.0.2 | 6.0.2 |
| Microsoft.AspNetCore.App.Runtime.osx-x64 | >= 6.0.0, < 6.0.2 | 6.0.2 |
| Microsoft.AspNetCore.App.Runtime.win-arm | >= 6.0.0, < 6.0.2 | 6.0.2 |
| Microsoft.AspNetCore.App.Runtime.win-arm64 | >= 6.0.0, < 6.0.2 | 6.0.2 |
| Microsoft.AspNetCore.App.Runtime.win-x64 | >= 6.0.0, < 6.0.2 | 6.0.2 |
| Microsoft.AspNetCore.App.Runtime.win-x86 | >= 6.0.0, < 6.0.2 | 6.0.2 |
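
To check a host against the ranges in the table above, the following added example (not part of the advisory or any Microsoft tooling) parses the output of `dotnet --list-runtimes` and reports installed ASP.NET Core shared runtimes that fall inside an affected range. It assumes the `Microsoft.AspNetCore.App.Runtime.*` packages correspond to the `Microsoft.AspNetCore.App` entries in that listing; the function name and the sample listing are constructed for illustration.

```python
import re
import shutil
import subprocess

# Affected ranges from the advisory's package table, as [lower, fixed).
AFFECTED = [((5, 0, 0), (5, 0, 14)), ((6, 0, 0), (6, 0, 2))]

# One line of `dotnet --list-runtimes`: "<framework> <version> [<install dir>]"
LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ver>\d+\.\d+\.\d+)(?P<pre>-\S+)?\s+\[(?P<path>.*)\]$"
)

def vulnerable_runtimes(listing):
    """Return (installed, fixed_in, path) for each affected ASP.NET Core runtime."""
    hits = []
    for raw in listing.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["name"] != "Microsoft.AspNetCore.App":
            continue  # only the ASP.NET Core shared framework is in the table
        if m["pre"]:
            continue  # prerelease builds are outside the table's release ranges
        # Compare as integer tuples: as strings, "6.0.10" would sort below "6.0.2".
        ver = tuple(int(part) for part in m["ver"].split("."))
        for low, fixed in AFFECTED:
            if low <= ver < fixed:
                hits.append((m["ver"], ".".join(map(str, fixed)), m["path"]))
    return hits

# Constructed sample listing, used when the dotnet CLI is not installed.
SAMPLE = """\
Microsoft.AspNetCore.App 5.0.13 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 6.0.1 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 6.0.2 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 6.0.10 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 6.0.1 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""

if __name__ == "__main__":
    if shutil.which("dotnet"):
        listing = subprocess.run(["dotnet", "--list-runtimes"],
                                 capture_output=True, text=True).stdout
    else:
        listing = SAMPLE
    for installed, fixed_in, path in vulnerable_runtimes(listing):
        print(f"AFFECTED {installed} (update to {fixed_in} or later) at {path}")
```

Self-contained deployments bundle their own runtime and do not appear in `dotnet --list-runtimes`, so those applications need to be inventoried and rebuilt separately.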
