.NET Core and Visual Studio Denial of Service Vulnerability
Description
.NET Core and Visual Studio Denial of Service Vulnerability
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A denial of service vulnerability in ASP.NET Core's model binding can cause a stack overflow via crafted payloads.
Vulnerability Overview
CVE-2022-38013 is a denial of service vulnerability in ASP.NET Core, affecting applications built on .NET 6.0 (up to 6.0.8) and .NET Core 3.1 (up to 3.1.28). The root cause lies in the model binding component, which parses incoming HTTP request data. A specially crafted payload can trigger an uncontrolled stack overflow, leading to a process crash and service unavailability [2].
Attack Vector
An attacker can exploit this vulnerability by sending a malicious HTTP request to an affected ASP.NET Core application. No authentication is required; the attacker only needs network access to the vulnerable endpoint. The payload is designed to cause excessive recursion or deep parsing during model binding, ultimately exhausting the call stack and causing the application to terminate [2].
Impact
Successful exploitation results in a denial of service condition. The affected application becomes unresponsive or crashes, disrupting service for legitimate users. This can be especially impactful for internet-facing web applications where availability is critical. The vulnerability does not allow code execution or data exfiltration, but it can be used to repeatedly take services offline [2].
Mitigation
Microsoft has released patches for the affected versions: .NET 6.0.9 and .NET Core 3.1.29. Developers should update their applications to the latest runtime or SDK versions. The advisory provides specific package versions that need updating [2]. Fedora package announcements also reference this CVE [3][4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.AspNetCore.App.Runtime.linux-arm (NuGet) | >= 3.1.0, < 3.1.29 | 3.1.29 |
| Microsoft.AspNetCore.App.Runtime.linux-arm64 (NuGet) | >= 3.1.0, < 3.1.29 | 3.1.29 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 (NuGet) | >= 3.1.0, < 3.1.29 | 3.1.29 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-x64 (NuGet) | >= 3.1.0, < 3.1.29 | 3.1.29 |
| Microsoft.AspNetCore.App.Runtime.linux-x64 (NuGet) | >= 3.1.0, < 3.1.29 | 3.1.29 |
| Microsoft.AspNetCore.App.Runtime.osx-x64 (NuGet) | >= 3.1.0, < 3.1.29 | 3.1.29 |
| Microsoft.AspNetCore.App.Runtime.win-arm (NuGet) | >= 3.1.0, < 3.1.29 | 3.1.29 |
| Microsoft.AspNetCore.App.Runtime.win-arm64 (NuGet) | >= 3.1.0, < 3.1.29 | 3.1.29 |
| Microsoft.AspNetCore.App.Runtime.win-x64 (NuGet) | >= 3.1.0, < 3.1.29 | 3.1.29 |
| Microsoft.AspNetCore.App.Runtime.win-x86 (NuGet) | >= 3.1.0, < 3.1.29 | 3.1.29 |
| Microsoft.AspNetCore.App.Runtime.linux-arm (NuGet) | >= 5.0.0, < 6.0.9 | 6.0.9 |
| Microsoft.AspNetCore.App.Runtime.linux-arm64 (NuGet) | >= 5.0.0, < 6.0.9 | 6.0.9 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm (NuGet) | >= 5.0.0, < 6.0.9 | 6.0.9 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 (NuGet) | >= 5.0.0, < 6.0.9 | 6.0.9 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-x64 (NuGet) | >= 5.0.0, < 6.0.9 | 6.0.9 |
| Microsoft.AspNetCore.App.Runtime.linux-x64 (NuGet) | >= 5.0.0, < 6.0.9 | 6.0.9 |
| Microsoft.AspNetCore.App.Runtime.osx-arm64 (NuGet) | >= 5.0.0, < 6.0.9 | 6.0.9 |
| Microsoft.AspNetCore.App.Runtime.osx-x64 (NuGet) | >= 5.0.0, < 6.0.9 | 6.0.9 |
| Microsoft.AspNetCore.App.Runtime.win-arm (NuGet) | >= 5.0.0, < 6.0.9 | 6.0.9 |
| Microsoft.AspNetCore.App.Runtime.win-arm64 (NuGet) | >= 5.0.0, < 6.0.9 | 6.0.9 |
| Microsoft.AspNetCore.App.Runtime.win-x64 (NuGet) | >= 5.0.0, < 6.0.9 | 6.0.9 |
| Microsoft.AspNetCore.App.Runtime.win-x86 (NuGet) | >= 5.0.0, < 6.0.9 | 6.0.9 |
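
To apply the affected ranges from the table above to a host, the following added example (not part of the advisory or of Microsoft's tooling) filters `dotnet --list-runtimes` output for ASP.NET Core shared runtimes that fall inside those ranges. The function names and the sample input are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: flag ASP.NET Core shared runtimes inside the affected ranges
# from the table above. Reads `dotnet --list-runtimes` output on stdin.

# Prints one "VULNERABLE <name> <version>" line per affected runtime.
# Returns 1 if any affected runtime was seen, 0 otherwise.
check_aspnetcore_runtimes() {
  awk '
    # Compare two dotted versions numerically: returns -1, 0 or 1.
    function vercmp(a, b,    x, y, n, m, i, p, q) {
      n = split(a, x, "."); m = split(b, y, ".")
      for (i = 1; i <= (n > m ? n : m); i++) {
        p = (i <= n) ? x[i] + 0 : 0
        q = (i <= m) ? y[i] + 0 : 0
        if (p < q) return -1
        if (p > q) return 1
      }
      return 0
    }
    function in_range(v, lo, hi) {
      return vercmp(v, lo) >= 0 && vercmp(v, hi) < 0
    }
    $1 == "Microsoft.AspNetCore.App" {
      v = $2
      sub(/-.*/, "", v)   # prerelease suffix dropped; build treated as its release
      if (in_range(v, "3.1.0", "3.1.29") || in_range(v, "5.0.0", "6.0.9")) {
        print "VULNERABLE", $1, $2
        bad = 1
      }
    }
    END { exit bad + 0 }
  '
}

# Constructed sample of `dotnet --list-runtimes` output (not from a real host).
sample_runtimes() {
  cat <<'EOF'
Microsoft.AspNetCore.App 3.1.28 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 6.0.8 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 6.0.9 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 6.0.8 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
EOF
}

# On a real host: dotnet --list-runtimes | check_aspnetcore_runtimes
sample_runtimes | check_aspnetcore_runtimes || echo "update required"
```

Self-contained deployments bundle their own runtime and do not appear in `dotnet --list-runtimes`; those need the package versions in the table checked at build time.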
Affected products
43 affected products. osv-coords (35 versions, no CPE):
- pkg:bitnami/dotnet, range: >= 6.0.0, < 6.0.1
- pkg:bitnami/dotnet-sdk, range: >= 6.0.0, < 6.0.1
- pkg:nuget/microsoft.aspnetcore.app.runtime.linux-arm, range: >= 3.1.0, < 3.1.29
- pkg:nuget/microsoft.aspnetcore.app.runtime.linux-arm64, range: >= 3.1.0, < 3.1.29
- pkg:nuget/microsoft.aspnetcore.app.runtime.linux-musl-arm, range: >= 5.0.0, < 6.0.9
- pkg:nuget/microsoft.aspnetcore.app.runtime.linux-musl-arm64, range: >= 3.1.0, < 3.1.29
- pkg:nuget/microsoft.aspnetcore.app.runtime.linux-musl-x64, range: >= 3.1.0, < 3.1.29
- pkg:nuget/microsoft.aspnetcore.app.runtime.linux-x64, range: >= 3.1.0, < 3.1.29
- pkg:nuget/microsoft.aspnetcore.app.runtime.osx-arm64, range: >= 5.0.0, < 6.0.9
- pkg:nuget/microsoft.aspnetcore.app.runtime.osx-x64, range: >= 3.1.0, < 3.1.29
- pkg:nuget/microsoft.aspnetcore.app.runtime.win-arm, range: >= 3.1.0, < 3.1.29
- pkg:nuget/microsoft.aspnetcore.app.runtime.win-arm64, range: >= 3.1.0, < 3.1.29
- pkg:nuget/microsoft.aspnetcore.app.runtime.win-x64, range: >= 3.1.0, < 3.1.29
- pkg:nuget/microsoft.aspnetcore.app.runtime.win-x86, range: >= 3.1.0, < 3.1.29
- pkg:rpm/almalinux/aspnetcore-runtime-3.1, range: < 3.1.29-1.el8_6
- pkg:rpm/almalinux/aspnetcore-runtime-6.0, range: < 6.0.9-1.el9_0
- pkg:rpm/almalinux/aspnetcore-targeting-pack-3.1, range: < 3.1.29-1.el8_6
- pkg:rpm/almalinux/aspnetcore-targeting-pack-6.0, range: < 6.0.9-1.el9_0
- pkg:rpm/almalinux/dotnet, range: < 6.0.109-1.el8_6
- pkg:rpm/almalinux/dotnet-apphost-pack-3.1, range: < 3.1.29-1.el8_6
- pkg:rpm/almalinux/dotnet-apphost-pack-6.0, range: < 6.0.9-1.el9_0
- pkg:rpm/almalinux/dotnet-host, range: < 6.0.9-1.el9_0
- pkg:rpm/almalinux/dotnet-hostfxr-3.1, range: < 3.1.29-1.el8_6
- pkg:rpm/almalinux/dotnet-hostfxr-6.0, range: < 6.0.9-1.el9_0
- pkg:rpm/almalinux/dotnet-runtime-3.1, range: < 3.1.29-1.el8_6
- pkg:rpm/almalinux/dotnet-runtime-6.0, range: < 6.0.9-1.el9_0
- pkg:rpm/almalinux/dotnet-sdk-3.1, range: < 3.1.423-1.el8_6
- pkg:rpm/almalinux/dotnet-sdk-3.1-source-built-artifacts, range: < 3.1.423-1.el8_6
- pkg:rpm/almalinux/dotnet-sdk-6.0, range: < 6.0.109-1.el9_0
- pkg:rpm/almalinux/dotnet-sdk-6.0-source-built-artifacts, range: < 6.0.109-1.el9_0
- pkg:rpm/almalinux/dotnet-targeting-pack-3.1, range: < 3.1.29-1.el8_6
- pkg:rpm/almalinux/dotnet-targeting-pack-6.0, range: < 6.0.9-1.el9_0
- pkg:rpm/almalinux/dotnet-templates-3.1, range: < 3.1.423-1.el8_6
- pkg:rpm/almalinux/dotnet-templates-6.0, range: < 6.0.109-1.el9_0
- pkg:rpm/almalinux/netstandard-targeting-pack-2.1, range: < 6.0.109-1.el9_0
- Microsoft/Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10) (v5), range: 16.11.0
- Microsoft/Microsoft Visual Studio 2019 version 16.9 (includes 16.0 - 16.8) (v5), range: 15.0.0
- Microsoft/Microsoft Visual Studio 2022 version 17.0 (v5), range: 17.0.0
- Microsoft/Microsoft Visual Studio 2022 version 17.2 (v5), range: 17.2.0
- Microsoft/Microsoft Visual Studio 2022 version 17.3 (v5), range: 17.0.0
- Microsoft/.NET 6.0 (v5), range: 6.0.0
- Microsoft/.NET Core 3.1 (v5), range: 3.1
- Microsoft/Visual Studio 2022 for Mac version 17.3 (v5), range: 17.3
References
- github.com/advisories/GHSA-r8m2-4x37-6592 (ghsa, ADVISORY)
- msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38013 (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2022-38013 (ghsa, ADVISORY)
- github.com/dotnet/aspnetcore/security/advisories/GHSA-r8m2-4x37-6592 (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2CUL3Z7MEED7RFQZVGQL2MTKSFFZKAAY (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/7HCV4TQGOTOFHO5ETRKGFKAGYV2YAUVE (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JA6F4CDKLI3MALV6UK3P2DR5AGCLTT7Y (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K4K5YL7USOKIR3O2DUKBZMYPWXYPDKXG (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WL334CKOHA6BQQSYJW365HIWJ4IOE45M (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2CUL3Z7MEED7RFQZVGQL2MTKSFFZKAAY (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7HCV4TQGOTOFHO5ETRKGFKAGYV2YAUVE (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JA6F4CDKLI3MALV6UK3P2DR5AGCLTT7Y (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/K4K5YL7USOKIR3O2DUKBZMYPWXYPDKXG (ghsa, WEB)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WL334CKOHA6BQQSYJW365HIWJ4IOE45M (ghsa, WEB)
- portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2022-38013 (ghsa, WEB)