.NET and Visual Studio Denial of Service Vulnerability
Description
.NET and Visual Studio Denial of Service Vulnerability
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A maliciously crafted cookie can cause a denial of service in .NET and Visual Studio applications.
Vulnerability
A denial of service vulnerability exists in the cookie handling functionality of .NET and Visual Studio [1][2]. A malicious client can manipulate cookies sent to an affected application, causing excessive resource consumption. The vulnerability affects .NET 6.0.4 and earlier, .NET 5.0.16 and earlier, and .NET Core 3.1.24 and earlier. Packages such as Microsoft.Owin.Security.Cookies (<=4.21) and Microsoft.AspNetCore.App.Runtime.* on various platforms are also impacted [2].
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending a specially crafted cookie to an affected .NET or ASP.NET Core application over a network. No special privileges or user interaction is required beyond the attacker's ability to make an HTTP request to the application [2].
Impact
Successful exploitation leads to a denial of service condition, where the affected application becomes unresponsive or crashes, degrading availability for legitimate users. There is no impact to confidentiality or integrity [1][2].
Mitigation
Microsoft released updates to address this vulnerability. Affected users should upgrade to the following patched versions: .NET 6.0.5 or later, .NET 5.0.17 or later, .NET Core 3.1.25 or later, and Microsoft.Owin.Security.Cookies version 4.22 or later [2]. The fixed versions were released on or before the advisory date of May 10, 2022. Administrators should apply the updates promptly.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
Microsoft.AspNetCore.App.Runtime.win-x64NuGet | >= 3.0.0, < 3.1.25 | 3.1.25 |
Microsoft.Owin.Security.CookiesNuGet | < 4.2.2 | 4.2.2 |
Microsoft.AspNetCore.App.Runtime.win-x64NuGet | >= 5.0.0, < 5.0.17 | 5.0.17 |
Microsoft.OwinNuGet | < 4.2.2 | 4.2.2 |
Microsoft.AspNetCore.App.Runtime.win-x64NuGet | >= 6.0.0, < 6.0.5 | 6.0.5 |
Microsoft.AspNetCore.App.Runtime.linux-x64NuGet | >= 3.0.0, < 3.1.25 | 3.1.25 |
Microsoft.AspNetCore.App.Runtime.linux-x64NuGet | >= 5.0.0, < 5.0.17 | 5.0.17 |
Microsoft.AspNetCore.App.Runtime.linux-x64NuGet | >= 6.0.0, < 6.0.5 | 6.0.5 |
Microsoft.AspNetCore.App.Runtime.win-x86NuGet | >= 3.0.0, < 3.1.25 | 3.1.25 |
Microsoft.AspNetCore.App.Runtime.win-x86NuGet | >= 5.0.0, < 5.0.17 | 5.0.17 |
Microsoft.AspNetCore.App.Runtime.win-x86NuGet | >= 6.0.0, < 6.0.5 | 6.0.5 |
Microsoft.AspNetCore.App.Runtime.osx-x64NuGet | >= 3.0.0, < 3.1.25 | 3.1.25 |
Microsoft.AspNetCore.App.Runtime.osx-x64NuGet | >= 5.0.0, < 5.0.17 | 5.0.17 |
Microsoft.AspNetCore.App.Runtime.osx-x64NuGet | >= 6.0.0, < 6.0.5 | 6.0.5 |
Microsoft.AspNetCore.App.Runtime.linux-musl-x64NuGet | >= 3.0.0, < 3.1.25 | 3.1.25 |
Microsoft.AspNetCore.App.Runtime.linux-musl-x64NuGet | >= 5.0.0, < 5.0.17 | 5.0.17 |
Microsoft.AspNetCore.App.Runtime.linux-musl-x64NuGet | >= 6.0.0, < 6.0.5 | 6.0.5 |
Microsoft.AspNetCore.App.Runtime.linux-arm64NuGet | >= 3.0.0, < 3.1.25 | 3.1.25 |
Microsoft.AspNetCore.App.Runtime.linux-arm64NuGet | >= 5.0.0, < 5.0.17 | 5.0.17 |
Microsoft.AspNetCore.App.Runtime.linux-arm64NuGet | >= 6.0.0, < 6.0.5 | 6.0.5 |
Microsoft.AspNetCore.App.Runtime.linux-armNuGet | >= 3.0.0, < 3.1.25 | 3.1.25 |
Microsoft.AspNetCore.App.Runtime.linux-armNuGet | >= 5.0.0, < 5.0.17 | 5.0.17 |
Microsoft.AspNetCore.App.Runtime.linux-armNuGet | >= 6.0.0, < 6.0.5 | 6.0.5 |
Microsoft.AspNetCore.App.Runtime.win-arm64NuGet | >= 3.0.0, < 3.1.25 | 3.1.25 |
Microsoft.AspNetCore.App.Runtime.win-arm64NuGet | >= 5.0.0, < 5.0.17 | 5.0.17 |
Microsoft.AspNetCore.App.Runtime.win-arm64NuGet | >= 6.0.0, < 6.0.5 | 6.0.5 |
Microsoft.AspNetCore.App.Runtime.win-armNuGet | >= 3.0.0, < 3.1.25 | 3.1.25 |
Microsoft.AspNetCore.App.Runtime.win-armNuGet | >= 5.0.0, < 5.0.17 | 5.0.17 |
Microsoft.AspNetCore.App.Runtime.win-armNuGet | >= 6.0.0, < 6.0.5 | 6.0.5 |
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64NuGet | >= 3.0.0, < 3.1.25 | 3.1.25 |
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64NuGet | >= 5.0.0, < 5.0.17 | 5.0.17 |
Microsoft.AspNetCore.App.Runtime.linux-musl-arm64NuGet | >= 6.0.0, < 6.0.5 | 6.0.5 |
Microsoft.AspNetCore.App.Runtime.linux-musl-armNuGet | >= 3.0.0, < 3.1.25 | 3.1.25 |
Microsoft.AspNetCore.App.Runtime.linux-musl-armNuGet | >= 5.0.0, < 5.0.17 | 5.0.17 |
Microsoft.AspNetCore.App.Runtime.linux-musl-armNuGet | >= 6.0.0, < 6.0.5 | 6.0.5 |
Microsoft.AspNetCore.App.Runtime.osx-arm64NuGet | >= 6.0.0, < 6.0.5 | 6.0.5 |
Affected products
53- osv-coords46 versionspkg:bitnami/dotnetpkg:bitnami/dotnet-sdkpkg:nuget/microsoft.aspnetcore.app.runtime.linux-armpkg:nuget/microsoft.aspnetcore.app.runtime.linux-arm64pkg:nuget/microsoft.aspnetcore.app.runtime.linux-musl-armpkg:nuget/microsoft.aspnetcore.app.runtime.linux-musl-arm64pkg:nuget/microsoft.aspnetcore.app.runtime.linux-musl-x64pkg:nuget/microsoft.aspnetcore.app.runtime.linux-x64pkg:nuget/microsoft.aspnetcore.app.runtime.osx-arm64pkg:nuget/microsoft.aspnetcore.app.runtime.osx-x64pkg:nuget/microsoft.aspnetcore.app.runtime.win-armpkg:nuget/microsoft.aspnetcore.app.runtime.win-arm64pkg:nuget/microsoft.aspnetcore.app.runtime.win-x64pkg:nuget/microsoft.aspnetcore.app.runtime.win-x86pkg:nuget/microsoft.owinpkg:nuget/microsoft.owin.security.cookiespkg:rpm/almalinux/aspnetcore-runtime-3.1pkg:rpm/almalinux/aspnetcore-runtime-5.0pkg:rpm/almalinux/aspnetcore-runtime-6.0pkg:rpm/almalinux/aspnetcore-targeting-pack-3.1pkg:rpm/almalinux/aspnetcore-targeting-pack-5.0pkg:rpm/almalinux/aspnetcore-targeting-pack-6.0pkg:rpm/almalinux/dotnetpkg:rpm/almalinux/dotnet-apphost-pack-3.1pkg:rpm/almalinux/dotnet-apphost-pack-5.0pkg:rpm/almalinux/dotnet-apphost-pack-6.0pkg:rpm/almalinux/dotnet-hostpkg:rpm/almalinux/dotnet-hostfxr-3.1pkg:rpm/almalinux/dotnet-hostfxr-5.0pkg:rpm/almalinux/dotnet-hostfxr-6.0pkg:rpm/almalinux/dotnet-runtime-3.1pkg:rpm/almalinux/dotnet-runtime-5.0pkg:rpm/almalinux/dotnet-runtime-6.0pkg:rpm/almalinux/dotnet-sdk-3.1pkg:rpm/almalinux/dotnet-sdk-3.1-source-built-artifactspkg:rpm/almalinux/dotnet-sdk-5.0pkg:rpm/almalinux/dotnet-sdk-5.0-source-built-artifactspkg:rpm/almalinux/dotnet-sdk-6.0pkg:rpm/almalinux/dotnet-sdk-6.0-source-built-artifactspkg:rpm/almalinux/dotnet-targeting-pack-3.1pkg:rpm/almalinux/dotnet-targeting-pack-5.0pkg:rpm/almalinux/dotnet-targeting-pack-6.0pkg:rpm/almalinux/dotnet-templates-3.1pkg:rpm/almalinux/dotnet-templates-5.0pkg:rpm/almalinux/dotnet-templates-6.0pkg:rpm/almalinux/netstandard-targeting-pack-2.1
>= 5.0.0, < 5.0.1+ 45 more
- (no CPE)range: >= 5.0.0, < 5.0.1
- (no CPE)range: >= 5.0.0, < 5.0.1
- (no CPE)range: >= 3.0.0, < 3.1.25
- (no CPE)range: >= 3.0.0, < 3.1.25
- (no CPE)range: >= 3.0.0, < 3.1.25
- (no CPE)range: >= 3.0.0, < 3.1.25
- (no CPE)range: >= 3.0.0, < 3.1.25
- (no CPE)range: >= 3.0.0, < 3.1.25
- (no CPE)range: >= 6.0.0, < 6.0.5
- (no CPE)range: >= 3.0.0, < 3.1.25
- (no CPE)range: >= 3.0.0, < 3.1.25
- (no CPE)range: >= 3.0.0, < 3.1.25
- (no CPE)range: >= 3.0.0, < 3.1.25
- (no CPE)range: >= 3.0.0, < 3.1.25
- (no CPE)range: < 4.2.2
- (no CPE)range: < 4.2.2
- (no CPE)range: < 3.1.25-1.el8_6
- (no CPE)range: < 5.0.17-1.el8_6
- (no CPE)range: < 6.0.5-1.el8_6
- (no CPE)range: < 3.1.25-1.el8_6
- (no CPE)range: < 5.0.17-1.el8_6
- (no CPE)range: < 6.0.5-1.el8_6
- (no CPE)range: < 6.0.105-1.el8_6
- (no CPE)range: < 3.1.25-1.el8_6
- (no CPE)range: < 5.0.17-1.el8_6
- (no CPE)range: < 6.0.5-1.el8_6
- (no CPE)range: < 6.0.5-1.el8_6
- (no CPE)range: < 3.1.25-1.el8_6
- (no CPE)range: < 5.0.17-1.el8_6
- (no CPE)range: < 6.0.5-1.el8_6
- (no CPE)range: < 3.1.25-1.el8_6
- (no CPE)range: < 5.0.17-1.el8_6
- (no CPE)range: < 6.0.5-1.el8_6
- (no CPE)range: < 3.1.419-1.el8_6
- (no CPE)range: < 3.1.419-1.el8_6
- (no CPE)range: < 5.0.214-1.el8_6
- (no CPE)range: < 5.0.214-1.el8_6
- (no CPE)range: < 6.0.105-1.el8_6
- (no CPE)range: < 6.0.105-1.el8_6
- (no CPE)range: < 3.1.25-1.el8_6
- (no CPE)range: < 5.0.17-1.el8_6
- (no CPE)range: < 6.0.5-1.el8_6
- (no CPE)range: < 3.1.419-1.el8_6
- (no CPE)range: < 5.0.214-1.el8_6
- (no CPE)range: < 6.0.105-1.el8_6
- (no CPE)range: < 6.0.105-1.el8_6
- Microsoft/Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)v5Range: 16.11.0
- Microsoft/Microsoft Visual Studio 2019 version 16.9 (includes 16.0 - 16.8)v5Range: 15.0.0
- Microsoft/Microsoft Visual Studio 2022 version 17.0v5Range: 17.0.0
- Microsoft/Microsoft Visual Studio 2022 version 17.1v5Range: 17.0.0
- Microsoft/.NET 5.0v5Range: 5.0.0
- Microsoft/.NET 6.0v5Range: 6.0.0
- Microsoft/.NET Core 3.1v5Range: 3.1
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
10- github.com/advisories/GHSA-3rq8-h3gj-r5c6ghsaADVISORY
- msrc.microsoft.com/update-guide/vulnerability/CVE-2022-29117ghsavendor-advisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2022-29117ghsaADVISORY
- github.com/dotnet/aspnetcore/security/advisories/GHSA-3rq8-h3gj-r5c6ghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GNXQL7EZORGU4PZCPJ5EPQ4P7IEY3ZZOghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IBYSBUDJYQ76HK4TULXVIIPCKK2U6WDBghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/W5FPEQ6BTYRGTS6IYCDTZW6YF5HLQ3BYghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GNXQL7EZORGU4PZCPJ5EPQ4P7IEY3ZZOghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IBYSBUDJYQ76HK4TULXVIIPCKK2U6WDBghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W5FPEQ6BTYRGTS6IYCDTZW6YF5HLQ3BYghsaWEB
News mentions
0No linked articles in our index yet.