.NET and Visual Studio Denial of Service Vulnerability
Description
.NET and Visual Studio Denial of Service Vulnerability
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
.NET Core, .NET 5.0, and .NET 6.0 contain a denial of service vulnerability when parsing specially crafted HTTP form requests.
Vulnerability
A denial of service (DoS) vulnerability exists in the ASP.NET Core model binding component of .NET Core 3.1, .NET 5.0, and .NET 6.0 when parsing certain types of HTTP form requests [1][3]. The flaw is triggered during the processing of a maliciously crafted form-data request that can cause excessive resource consumption. Affected versions are .NET Core 3.1.22 and earlier, .NET 5.0.14 and earlier, and .NET 6.0.2 and earlier [1].
Exploitation
An unauthenticated attacker can exploit this vulnerability over the network by sending a specially crafted HTTP form request to an affected .NET web application [1][3]. No user interaction or special privileges are required; the attacker only needs the ability to send HTTP requests to the target service.
Impact
Successful exploitation leads to a denial of service condition. The affected application may become unresponsive or crash, preventing legitimate users from accessing the service. The vulnerability does not result in information disclosure, privilege escalation, or remote code execution.
Mitigation
Microsoft released patched versions on March 8, 2022 to address this vulnerability [1][3]. Users should update to .NET Core 3.1.23 (SDK 3.1.417), .NET 5.0.15 (SDK 5.0.406 or 5.0.212), or .NET 6.0.3 (SDK 6.0.201) depending on their version [3]. Updates are available through the dotnet.microsoft.com download page, Microsoft Update, or Visual Studio update prompts [1]. No workarounds were identified by Microsoft [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
Microsoft.AspNetCore.App.Runtime.linux-armNuGet | >= 3.0.0, < 3.1.23 | 3.1.23 |
Microsoft.AspNetCore.App.Runtime.linux-arm64NuGet | >= 3.0.0, < 3.1.23 | 3.1.23 |
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64NuGet | >= 3.0.0, < 3.1.23 | 3.1.23 |
Microsoft.AspNetCore.App.Runtime.linux-musl-x64NuGet | >= 3.0.0, < 3.1.23 | 3.1.23 |
Microsoft.AspNetCore.App.Runtime.linux-x64NuGet | >= 3.0.0, < 3.1.23 | 3.1.23 |
Microsoft.AspNetCore.App.Runtime.osx-x64NuGet | >= 3.0.0, < 3.1.23 | 3.1.23 |
Microsoft.AspNetCore.App.Runtime.win-armNuGet | >= 3.0.0, < 3.1.23 | 3.1.23 |
Microsoft.AspNetCore.App.Runtime.win-arm64NuGet | >= 3.1.5, < 3.1.23 | 3.1.23 |
Microsoft.AspNetCore.App.Runtime.win-x64NuGet | >= 3.0.0, < 3.1.23 | 3.1.23 |
Microsoft.AspNetCore.App.Runtime.win-x86NuGet | >= 3.0.0, < 3.1.23 | 3.1.23 |
Microsoft.AspNetCore.App.Runtime.win-x64NuGet | >= 5.0.0, < 5.0.15 | 5.0.15 |
Microsoft.AspNetCore.App.Runtime.linux-x64NuGet | >= 5.0.0, < 5.0.15 | 5.0.15 |
Microsoft.AspNetCore.App.Runtime.win-x86NuGet | >= 5.0.0, < 5.0.15 | 5.0.15 |
Microsoft.AspNetCore.App.Runtime.osx-x64NuGet | >= 5.0.0, < 5.0.15 | 5.0.15 |
Microsoft.AspNetCore.App.Runtime.linux-musl-x64NuGet | >= 5.0.0, < 5.0.15 | 5.0.15 |
Microsoft.AspNetCore.App.Runtime.linux-arm64NuGet | >= 5.0.0, < 5.0.15 | 5.0.15 |
Microsoft.AspNetCore.App.Runtime.linux-armNuGet | >= 5.0.0, < 5.0.15 | 5.0.15 |
Microsoft.AspNetCore.App.Runtime.win-arm64NuGet | >= 5.0.0, < 5.0.15 | 5.0.15 |
Microsoft.AspNetCore.App.Runtime.win-armNuGet | >= 5.0.0, < 5.0.15 | 5.0.15 |
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64NuGet | >= 5.0.0, < 5.0.15 | 5.0.15 |
Microsoft.AspNetCore.App.Runtime.linux-musl-armNuGet | >= 5.0.0, < 5.0.15 | 5.0.15 |
Microsoft.AspNetCore.App.Runtime.linux-armNuGet | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.AspNetCore.App.Runtime.linux-arm64NuGet | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.AspNetCore.App.Runtime.linux-musl-armNuGet | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64NuGet | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.AspNetCore.App.Runtime.linux-musl-x64NuGet | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.AspNetCore.App.Runtime.linux-x64NuGet | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.AspNetCore.App.Runtime.osx-arm64NuGet | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.AspNetCore.App.Runtime.osx-x64NuGet | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.AspNetCore.App.Runtime.win-armNuGet | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.AspNetCore.App.Runtime.win-arm64NuGet | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.AspNetCore.App.Runtime.win-x64NuGet | >= 6.0.0, < 6.0.3 | 6.0.3 |
Microsoft.AspNetCore.App.Runtime.win-x86NuGet | >= 6.0.0, < 6.0.3 | 6.0.3 |
Affected products
50- osv-coords43 versionspkg:bitnami/dotnetpkg:bitnami/dotnet-sdkpkg:nuget/microsoft.aspnetcore.app.runtime.linux-armpkg:nuget/microsoft.aspnetcore.app.runtime.linux-arm64pkg:nuget/microsoft.aspnetcore.app.runtime.linux-musl-armpkg:nuget/microsoft.aspnetcore.app.runtime.linux-musl-arm64pkg:nuget/microsoft.aspnetcore.app.runtime.linux-musl-x64pkg:nuget/microsoft.aspnetcore.app.runtime.linux-x64pkg:nuget/microsoft.aspnetcore.app.runtime.osx-arm64pkg:nuget/microsoft.aspnetcore.app.runtime.osx-x64pkg:nuget/microsoft.aspnetcore.app.runtime.win-armpkg:nuget/microsoft.aspnetcore.app.runtime.win-arm64pkg:nuget/microsoft.aspnetcore.app.runtime.win-x64pkg:nuget/microsoft.aspnetcore.app.runtime.win-x86pkg:rpm/almalinux/aspnetcore-runtime-3.1pkg:rpm/almalinux/aspnetcore-runtime-5.0pkg:rpm/almalinux/aspnetcore-runtime-6.0pkg:rpm/almalinux/aspnetcore-targeting-pack-3.1pkg:rpm/almalinux/aspnetcore-targeting-pack-5.0pkg:rpm/almalinux/aspnetcore-targeting-pack-6.0pkg:rpm/almalinux/dotnetpkg:rpm/almalinux/dotnet-apphost-pack-3.1pkg:rpm/almalinux/dotnet-apphost-pack-5.0pkg:rpm/almalinux/dotnet-apphost-pack-6.0pkg:rpm/almalinux/dotnet-hostpkg:rpm/almalinux/dotnet-hostfxr-3.1pkg:rpm/almalinux/dotnet-hostfxr-5.0pkg:rpm/almalinux/dotnet-hostfxr-6.0pkg:rpm/almalinux/dotnet-runtime-3.1pkg:rpm/almalinux/dotnet-runtime-5.0pkg:rpm/almalinux/dotnet-runtime-6.0pkg:rpm/almalinux/dotnet-sdk-3.1pkg:rpm/almalinux/dotnet-sdk-3.1-source-built-artifactspkg:rpm/almalinux/dotnet-sdk-5.0pkg:rpm/almalinux/dotnet-sdk-5.0-source-built-artifactspkg:rpm/almalinux/dotnet-sdk-6.0pkg:rpm/almalinux/dotnet-targeting-pack-3.1pkg:rpm/almalinux/dotnet-targeting-pack-5.0pkg:rpm/almalinux/dotnet-targeting-pack-6.0pkg:rpm/almalinux/dotnet-templates-3.1pkg:rpm/almalinux/dotnet-templates-5.0pkg:rpm/almalinux/dotnet-templates-6.0pkg:rpm/almalinux/netstandard-targeting-pack-2.1
>= 5.0.0, < 5.0.15+ 42 more
- (no CPE)range: >= 5.0.0, < 5.0.15
- (no CPE)range: >= 5.0.0, < 5.0.15
- (no CPE)range: >= 3.0.0, < 3.1.23
- (no CPE)range: >= 3.0.0, < 3.1.23
- (no CPE)range: >= 5.0.0, < 5.0.15
- (no CPE)range: >= 3.0.0, < 3.1.23
- (no CPE)range: >= 3.0.0, < 3.1.23
- (no CPE)range: >= 3.0.0, < 3.1.23
- (no CPE)range: >= 6.0.0, < 6.0.3
- (no CPE)range: >= 3.0.0, < 3.1.23
- (no CPE)range: >= 3.0.0, < 3.1.23
- (no CPE)range: >= 3.1.5, < 3.1.23
- (no CPE)range: >= 3.0.0, < 3.1.23
- (no CPE)range: >= 3.0.0, < 3.1.23
- (no CPE)range: < 3.1.23-1.el8_5
- (no CPE)range: < 5.0.15-1.el8_5
- (no CPE)range: < 6.0.3-4.el8_5
- (no CPE)range: < 3.1.23-1.el8_5
- (no CPE)range: < 5.0.15-1.el8_5
- (no CPE)range: < 6.0.3-4.el8_5
- (no CPE)range: < 6.0.103-4.el8_5
- (no CPE)range: < 3.1.23-1.el8_5
- (no CPE)range: < 5.0.15-1.el8_5
- (no CPE)range: < 6.0.3-4.el8_5
- (no CPE)range: < 6.0.3-4.el8_5
- (no CPE)range: < 3.1.23-1.el8_5
- (no CPE)range: < 5.0.15-1.el8_5
- (no CPE)range: < 6.0.3-4.el8_5
- (no CPE)range: < 3.1.23-1.el8_5
- (no CPE)range: < 5.0.15-1.el8_5
- (no CPE)range: < 6.0.3-4.el8_5
- (no CPE)range: < 3.1.417-1.el8_5
- (no CPE)range: < 3.1.417-1.el8_5
- (no CPE)range: < 5.0.212-1.el8_5
- (no CPE)range: < 5.0.212-1.el8_5
- (no CPE)range: < 6.0.103-4.el8_5
- (no CPE)range: < 3.1.23-1.el8_5
- (no CPE)range: < 5.0.15-1.el8_5
- (no CPE)range: < 6.0.3-4.el8_5
- (no CPE)range: < 3.1.417-1.el8_5
- (no CPE)range: < 5.0.212-1.el8_5
- (no CPE)range: < 6.0.103-4.el8_5
- (no CPE)range: < 6.0.103-4.el8_5
- Microsoft/Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)v5Range: 16.11.0
- Microsoft/Microsoft Visual Studio 2019 version 16.7 (includes 16.0 – 16.6)v5Range: 16.0.0
- Microsoft/Microsoft Visual Studio 2019 version 16.9 (includes 16.0 - 16.8)v5Range: 15.0.0
- Microsoft/Microsoft Visual Studio 2022 version 17.0v5Range: 17.0.0
- Microsoft/.NET 5.0v5Range: 5.0.0
- Microsoft/.NET 6.0v5Range: 6.0.0
- Microsoft/.NET Core 3.1v5Range: 3.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
12- github.com/advisories/GHSA-cw98-9j8w-wxv9ghsaADVISORY
- msrc.microsoft.com/update-guide/vulnerability/CVE-2022-24464ghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2022-24464ghsaADVISORY
- github.com/dotnet/announcements/issues/212ghsaWEB
- github.com/dotnet/aspnetcore/security/advisories/GHSA-cw98-9j8w-wxv9ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4TOGTZ2ZWDH662ZNFFSZVL3M5AJXV6JFghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CIJGCVKLHVNLFBTEYJGWS43QG5DYJFBLghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MQLM7ABVCYJLF6JRPF3M3EBXW63GNC27ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRGSPXMZY4RM2L35FYHCXBFROLC23B2VghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OS2Q4NPRSARP7GHLKFLIYHFOPSYDO6MKghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZXEQ3GQVELA2T4HNZG7VPMS2HDVXMJRGghsaWEB
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-24464ghsaWEB
News mentions
0No linked articles in our index yet.