.NET and Visual Studio Denial of Service Vulnerability
Description
.NET and Visual Studio Denial of Service Vulnerability
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A denial of service vulnerability in .NET and Visual Studio where a malicious client can cause excessive memory allocations via HttpClient.
Vulnerability
A denial of service vulnerability exists in .NET 6.0 (up to version 6.0.4), .NET 5.0 (up to version 5.0.16), and .NET Core 3.1 (up to version 3.1.24). The issue is triggered when a malicious client sends crafted requests that cause HttpClient to allocate excessive memory, leading to resource exhaustion [2][3]. The vulnerability affects the Microsoft.AspNetCore.App.Runtime packages on all supported platforms [2].
Exploitation
An attacker needs only network access to send HTTP requests to a vulnerable .NET application. No authentication is required. The attacker repeatedly sends specially crafted requests that force HttpClient to allocate large amounts of memory, eventually exhausting available resources and causing the application to become unresponsive or crash [2][3].
Impact
Successful exploitation results in a denial of service (DoS). The application becomes unavailable to legitimate users due to excessive memory consumption. No data confidentiality or integrity is compromised; the impact is purely on availability [2][3].
Mitigation
Microsoft released security updates on May 10, 2022. For .NET 6.0, upgrade to version 6.0.5. For .NET 5.0, upgrade to version 5.0.17. For .NET Core 3.1, upgrade to version 3.1.25 [2][3]. No mitigating factors were identified [2]. Fedora package announcements were also issued [4].
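The fixed releases above can be checked against what is installed on a host. The following is an added example, not code from the advisory or from Microsoft: it parses the text printed by `dotnet --list-runtimes` and reports runtimes older than the fixed release for their branch. The function name, the sample listing, and the choice of which shared-framework names to check are assumptions.

```python
import re

# Fixed release per servicing branch, as stated in the Mitigation paragraph.
FIXED = {(3, 1): (3, 1, 25), (5, 0): (5, 0, 17), (6, 0): (6, 0, 5)}

# Assumption: these shared-framework names, as printed by
# `dotnet --list-runtimes`, are the ones that carry the affected runtime.
FRAMEWORKS = {"Microsoft.AspNetCore.App", "Microsoft.NETCore.App"}

# One listing line looks like: <framework> <major.minor.patch[-suffix]> [<path>]
LINE = re.compile(r"^(\S+)\s+(\d+)\.(\d+)\.(\d+)(\S*)\s+\[(.*)\]$")

# Constructed sample listing (not captured from a real host).
SAMPLE = """\
Microsoft.AspNetCore.App 3.1.24 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 6.0.5 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 5.0.16 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 6.0.5 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""

def find_unpatched(listing):
    """Return (framework, installed, fixed) for each runtime below its fix."""
    findings = []
    for raw in listing.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(1) not in FRAMEWORKS:
            continue
        version = tuple(int(m.group(i)) for i in (2, 3, 4))
        branch = version[:2]
        # The advisory ranges start at 3.0.0, so 3.0.x is judged against 3.1.25.
        if branch == (3, 0):
            branch = (3, 1)
        fixed = FIXED.get(branch)
        if fixed and version < fixed:
            installed = ".".join(map(str, version)) + m.group(5)
            findings.append((m.group(1), installed, ".".join(map(str, fixed))))
    return findings

if __name__ == "__main__":
    for name, installed, fixed in find_unpatched(SAMPLE):
        print(f"{name} {installed} is below fixed release {fixed}")
```

On a real host, pass the captured output of `dotnet --list-runtimes` to `find_unpatched` in place of the sample.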
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.AspNetCore.App.Runtime.linux-arm (NuGet) | >= 3.0.0, < 3.1.25 | 3.1.25 |
| Microsoft.AspNetCore.App.Runtime.linux-arm64 (NuGet) | >= 3.0.0, < 3.1.25 | 3.1.25 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 (NuGet) | >= 3.0.0, < 3.1.25 | 3.1.25 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-x64 (NuGet) | >= 3.0.0, < 3.1.25 | 3.1.25 |
| Microsoft.AspNetCore.App.Runtime.linux-x64 (NuGet) | >= 3.0.0, < 3.1.25 | 3.1.25 |
| Microsoft.AspNetCore.App.Runtime.osx-x64 (NuGet) | >= 3.0.0, < 3.1.25 | 3.1.25 |
| Microsoft.AspNetCore.App.Runtime.win-arm (NuGet) | >= 3.0.0, < 3.1.25 | 3.1.25 |
| Microsoft.AspNetCore.App.Runtime.win-arm64 (NuGet) | >= 3.0.0, < 3.1.25 | 3.1.25 |
| Microsoft.AspNetCore.App.Runtime.win-x64 (NuGet) | >= 3.0.0, < 3.1.25 | 3.1.25 |
| Microsoft.AspNetCore.App.Runtime.win-x86 (NuGet) | >= 3.0.0, < 3.1.25 | 3.1.25 |
| Microsoft.AspNetCore.App.Runtime.win-x64 (NuGet) | >= 5.0.0, < 5.0.17 | 5.0.17 |
| Microsoft.AspNetCore.App.Runtime.linux-x64 (NuGet) | >= 5.0.0, < 5.0.17 | 5.0.17 |
| Microsoft.AspNetCore.App.Runtime.win-x86 (NuGet) | >= 5.0.0, < 5.0.17 | 5.0.17 |
| Microsoft.AspNetCore.App.Runtime.osx-x64 (NuGet) | >= 5.0.0, < 5.0.17 | 5.0.17 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-x64 (NuGet) | >= 5.0.0, < 5.0.17 | 5.0.17 |
| Microsoft.AspNetCore.App.Runtime.linux-arm64 (NuGet) | >= 5.0.0, < 5.0.17 | 5.0.17 |
| Microsoft.AspNetCore.App.Runtime.linux-arm (NuGet) | >= 5.0.0, < 5.0.17 | 5.0.17 |
| Microsoft.AspNetCore.App.Runtime.win-arm64 (NuGet) | >= 5.0.0, < 5.0.17 | 5.0.17 |
| Microsoft.AspNetCore.App.Runtime.win-arm (NuGet) | >= 5.0.0, < 5.0.17 | 5.0.17 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 (NuGet) | >= 5.0.0, < 5.0.17 | 5.0.17 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm (NuGet) | >= 5.0.1, < 5.0.17 | 5.0.17 |
| Microsoft.AspNetCore.App.Runtime.linux-arm (NuGet) | >= 6.0.0, < 6.0.5 | 6.0.5 |
| Microsoft.AspNetCore.App.Runtime.linux-arm64 (NuGet) | >= 6.0.0, < 6.0.5 | 6.0.5 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm (NuGet) | >= 6.0.0, < 6.0.5 | 6.0.5 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 (NuGet) | >= 6.0.0, < 6.0.5 | 6.0.5 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-x64 (NuGet) | >= 6.0.0, < 6.0.5 | 6.0.5 |
| Microsoft.AspNetCore.App.Runtime.linux-x64 (NuGet) | >= 6.0.0, < 6.0.5 | 6.0.5 |
| Microsoft.AspNetCore.App.Runtime.osx-arm64 (NuGet) | >= 6.0.0, < 6.0.5 | 6.0.5 |
| Microsoft.AspNetCore.App.Runtime.osx-x64 (NuGet) | >= 6.0.0, < 6.0.5 | 6.0.5 |
| Microsoft.AspNetCore.App.Runtime.win-arm (NuGet) | >= 6.0.0, < 6.0.5 | 6.0.5 |
| Microsoft.AspNetCore.App.Runtime.win-arm64 (NuGet) | >= 6.0.0, < 6.0.5 | 6.0.5 |
| Microsoft.AspNetCore.App.Runtime.win-x64 (NuGet) | >= 6.0.0, < 6.0.5 | 6.0.5 |
| Microsoft.AspNetCore.App.Runtime.win-x86 (NuGet) | >= 6.0.0, < 6.0.5 | 6.0.5 |
Affected products
osv-coords, 45 versions:
- pkg:bitnami/dotnet (no CPE), range: >= 5.0.0, < 5.0.1
- pkg:bitnami/dotnet-sdk (no CPE), range: >= 5.0.0, < 5.0.1
- pkg:bitnami/powershell (no CPE), range: >= 7.0.0, < 7.0.11
- pkg:nuget/microsoft.aspnetcore.app.runtime.linux-arm (no CPE), range: >= 3.0.0, < 3.1.25
- pkg:nuget/microsoft.aspnetcore.app.runtime.linux-arm64 (no CPE), range: >= 3.0.0, < 3.1.25
- pkg:nuget/microsoft.aspnetcore.app.runtime.linux-musl-arm (no CPE), range: >= 5.0.1, < 5.0.17
- pkg:nuget/microsoft.aspnetcore.app.runtime.linux-musl-arm64 (no CPE), range: >= 3.0.0, < 3.1.25
- pkg:nuget/microsoft.aspnetcore.app.runtime.linux-musl-x64 (no CPE), range: >= 3.0.0, < 3.1.25
- pkg:nuget/microsoft.aspnetcore.app.runtime.linux-x64 (no CPE), range: >= 3.0.0, < 3.1.25
- pkg:nuget/microsoft.aspnetcore.app.runtime.osx-arm64 (no CPE), range: >= 6.0.0, < 6.0.5
- pkg:nuget/microsoft.aspnetcore.app.runtime.osx-x64 (no CPE), range: >= 3.0.0, < 3.1.25
- pkg:nuget/microsoft.aspnetcore.app.runtime.win-arm (no CPE), range: >= 3.0.0, < 3.1.25
- pkg:nuget/microsoft.aspnetcore.app.runtime.win-arm64 (no CPE), range: >= 3.0.0, < 3.1.25
- pkg:nuget/microsoft.aspnetcore.app.runtime.win-x64 (no CPE), range: >= 3.0.0, < 3.1.25
- pkg:nuget/microsoft.aspnetcore.app.runtime.win-x86 (no CPE), range: >= 3.0.0, < 3.1.25
- pkg:rpm/almalinux/aspnetcore-runtime-3.1 (no CPE), range: < 3.1.25-1.el8_6
- pkg:rpm/almalinux/aspnetcore-runtime-5.0 (no CPE), range: < 5.0.17-1.el8_6
- pkg:rpm/almalinux/aspnetcore-runtime-6.0 (no CPE), range: < 6.0.5-1.el8_6
- pkg:rpm/almalinux/aspnetcore-targeting-pack-3.1 (no CPE), range: < 3.1.25-1.el8_6
- pkg:rpm/almalinux/aspnetcore-targeting-pack-5.0 (no CPE), range: < 5.0.17-1.el8_6
- pkg:rpm/almalinux/aspnetcore-targeting-pack-6.0 (no CPE), range: < 6.0.5-1.el8_6
- pkg:rpm/almalinux/dotnet (no CPE), range: < 6.0.105-1.el8_6
- pkg:rpm/almalinux/dotnet-apphost-pack-3.1 (no CPE), range: < 3.1.25-1.el8_6
- pkg:rpm/almalinux/dotnet-apphost-pack-5.0 (no CPE), range: < 5.0.17-1.el8_6
- pkg:rpm/almalinux/dotnet-apphost-pack-6.0 (no CPE), range: < 6.0.5-1.el8_6
- pkg:rpm/almalinux/dotnet-host (no CPE), range: < 6.0.5-1.el8_6
- pkg:rpm/almalinux/dotnet-hostfxr-3.1 (no CPE), range: < 3.1.25-1.el8_6
- pkg:rpm/almalinux/dotnet-hostfxr-5.0 (no CPE), range: < 5.0.17-1.el8_6
- pkg:rpm/almalinux/dotnet-hostfxr-6.0 (no CPE), range: < 6.0.5-1.el8_6
- pkg:rpm/almalinux/dotnet-runtime-3.1 (no CPE), range: < 3.1.25-1.el8_6
- pkg:rpm/almalinux/dotnet-runtime-5.0 (no CPE), range: < 5.0.17-1.el8_6
- pkg:rpm/almalinux/dotnet-runtime-6.0 (no CPE), range: < 6.0.5-1.el8_6
- pkg:rpm/almalinux/dotnet-sdk-3.1 (no CPE), range: < 3.1.419-1.el8_6
- pkg:rpm/almalinux/dotnet-sdk-3.1-source-built-artifacts (no CPE), range: < 3.1.419-1.el8_6
- pkg:rpm/almalinux/dotnet-sdk-5.0 (no CPE), range: < 5.0.214-1.el8_6
- pkg:rpm/almalinux/dotnet-sdk-5.0-source-built-artifacts (no CPE), range: < 5.0.214-1.el8_6
- pkg:rpm/almalinux/dotnet-sdk-6.0 (no CPE), range: < 6.0.105-1.el8_6
- pkg:rpm/almalinux/dotnet-sdk-6.0-source-built-artifacts (no CPE), range: < 6.0.105-1.el8_6
- pkg:rpm/almalinux/dotnet-targeting-pack-3.1 (no CPE), range: < 3.1.25-1.el8_6
- pkg:rpm/almalinux/dotnet-targeting-pack-5.0 (no CPE), range: < 5.0.17-1.el8_6
- pkg:rpm/almalinux/dotnet-targeting-pack-6.0 (no CPE), range: < 6.0.5-1.el8_6
- pkg:rpm/almalinux/dotnet-templates-3.1 (no CPE), range: < 3.1.419-1.el8_6
- pkg:rpm/almalinux/dotnet-templates-5.0 (no CPE), range: < 5.0.214-1.el8_6
- pkg:rpm/almalinux/dotnet-templates-6.0 (no CPE), range: < 6.0.105-1.el8_6
- pkg:rpm/almalinux/netstandard-targeting-pack-2.1 (no CPE), range: < 6.0.105-1.el8_6
- Microsoft/Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10), v5, Range: 16.11.0
- Microsoft/Microsoft Visual Studio 2019 version 16.9 (includes 16.0 - 16.8), v5, Range: 15.0.0
- Microsoft/Microsoft Visual Studio 2022 version 17.0, v5, Range: 17.0.0
- Microsoft/Microsoft Visual Studio 2022 version 17.1, v5, Range: 17.0.0
- Microsoft/.NET 5.0, v5, Range: 5.0.0
- Microsoft/.NET 6.0, v5, Range: 6.0.0
- Microsoft/.NET Core 3.1, v5, Range: 3.1
- Microsoft/PowerShell 7.0, v5, Range: 7.0.0
- Microsoft/PowerShell 7.2, v5, Range: 7.2.0
- Microsoft/Visual Studio 2019 for Mac version 8.10, v5, Range: 8.1.0
- Microsoft/Visual Studio 2022 for Mac version 17.0, v5, Range: 17.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-485p-mrj5-8w2v (ghsa, ADVISORY)
- msrc.microsoft.com/update-guide/vulnerability/CVE-2022-23267 (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2022-23267 (ghsa, ADVISORY)
- github.com/dotnet/announcements/issues/221 (ghsa, WEB)
- github.com/dotnet/runtime/security/advisories/GHSA-485p-mrj5-8w2v (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GNXQL7EZORGU4PZCPJ5EPQ4P7IEY3ZZO (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IBYSBUDJYQ76HK4TULXVIIPCKK2U6WDB (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W5FPEQ6BTYRGTS6IYCDTZW6YF5HLQ3BY (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNXQL7EZORGU4PZCPJ5EPQ4P7IEY3ZZO (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IBYSBUDJYQ76HK4TULXVIIPCKK2U6WDB (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W5FPEQ6BTYRGTS6IYCDTZW6YF5HLQ3BY (ghsa, WEB)
News mentions
No linked articles in our index yet.