.NET Framework Information Disclosure Vulnerability
Description
.NET Framework Information Disclosure Vulnerability
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A timeout under high load in .NET SQL client libraries can cause incorrect data to be returned from async queries, leading to information disclosure.
Vulnerability
Overview
CVE-2022-41064 is an information disclosure vulnerability in the .NET System.Data.SqlClient and Microsoft.Data.SqlClient libraries. The root cause is a race condition that occurs when a query timeout happens during high load while an asynchronous query is executing. Under these conditions, the library may return data that belongs to a different query, potentially exposing sensitive information to the wrong caller [2][3].
Exploitation
Conditions
Exploitation requires the application to be communicating with Microsoft SQL Server and to execute asynchronous queries under high concurrency. The vulnerability is triggered when a timeout occurs on an async operation; the library may then reuse a connection or buffer that still contains data from a previous query, returning that stale or incorrect data to the current caller. No special authentication or network position is needed beyond normal database access [2][3].
Impact
An attacker who can cause or observe the effects of a timeout under load may receive data that was intended for another user or session. This could include sensitive database contents such as personally identifiable information (PII), credentials, or business data. The vulnerability is classified as information disclosure because the incorrect data is returned as the result of the query, rather than through direct memory corruption or injection [2][3].
Mitigation
Microsoft has released updated packages to fix the issue. For System.Data.SqlClient, the secure version is 4.8.5 (or the November 2022 .NET Framework update). For Microsoft.Data.SqlClient, versions 1.1.4 and 2.1.2 or later are patched. Applications using vulnerable versions should update immediately. Applications not connecting to SQL Server are not affected [2][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| Microsoft.Data.SqlClient | NuGet | < 1.1.4 | 1.1.4 |
| System.Data.SqlClient | NuGet | < 4.8.5 | 4.8.5 |
| Microsoft.Data.SqlClient | NuGet | >= 2.0.0, < 2.1.2 | 2.1.2 |
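To turn the mitigation advice and the table above into a repeatable check, here is an added example (not code from the page, the advisory, or the dotnet project) that scans a PackageReference-style .csproj for the exact affected ranges listed: Microsoft.Data.SqlClient < 1.1.4 and >= 2.0.0, < 2.1.2, and System.Data.SqlClient < 4.8.5. The sample project file is constructed for the demonstration, and version ordering follows NuGet's rule that a pre-release sorts below its final release.

```python
"""Flag PackageReference versions in a .csproj that fall inside the affected
ranges from this page's table (added example; assumes PackageReference-style
project files and the version bounds exactly as the table states them)."""
import xml.etree.ElementTree as ET

# (min inclusive or None, max exclusive, patched version) straight from the table
AFFECTED = {
    "Microsoft.Data.SqlClient": [(None, "1.1.4", "1.1.4"), ("2.0.0", "2.1.2", "2.1.2")],
    "System.Data.SqlClient": [(None, "4.8.5", "4.8.5")],
}

def parse_version(v):
    """NuGet-style ordering: numeric parts padded to four; a pre-release
    such as 2.1.2-preview1 sorts below the final 2.1.2."""
    core, _, pre = v.strip().partition("-")
    nums = tuple(int(x) for x in core.split("."))
    return (nums + (0,) * (4 - len(nums)), 0 if pre else 1)

def affected_by(package, version):
    """Return the version to upgrade to, or None if the pair is not affected."""
    ver = parse_version(version)
    for lo, hi, patched in AFFECTED.get(package, []):
        if (lo is None or ver >= parse_version(lo)) and ver < parse_version(hi):
            return patched
    return None

def scan_csproj(xml_text):
    """Return [(package, version, patched)] for every vulnerable reference.
    Tags are matched by local name so an MSBuild default namespace is fine."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "PackageReference":
            continue
        pkg = el.get("Include")
        # Version may be an attribute or a child element
        ver = el.get("Version") or next(
            (c.text for c in el if c.tag.rsplit("}", 1)[-1] == "Version"), "")
        if pkg and ver and (patched := affected_by(pkg, ver)):
            findings.append((pkg, ver.strip(), patched))
    return findings

# Constructed sample project file, not taken from any real repository
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Microsoft.Data.SqlClient" Version="2.0.1" />
    <PackageReference Include="System.Data.SqlClient" Version="4.8.5" />
    <PackageReference Include="Microsoft.Data.SqlClient"><Version>1.1.3</Version></PackageReference>
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for pkg, ver, fix in scan_csproj(SAMPLE_CSPROJ):
        print(f"{pkg} {ver} is affected by CVE-2022-41064; upgrade to {fix}")
```

Versions between the two Microsoft.Data.SqlClient ranges (for example 1.2.0) are reported as not affected, exactly as the table states; a transitive dependency pulled in by another package is not visible in the .csproj and needs a lock-file or `dotnet list package --include-transitive` check instead.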
Affected products (12)
GHSA coordinates (2 versions):
- (no CPE) range: < 1.1.4
- (no CPE) range: < 4.8.5
Version entries (7):
- (no CPE) range: 3.0.0.0
- (no CPE) range: 4.7.0
- (no CPE) range: 4.7.0
- (no CPE) range: 10.0.0.0
- (no CPE) range: 10.0.0.0
- (no CPE) range: 4.8.0
- (no CPE) range: 4.8.0.0
NuGet packages:
- Microsoft/NuGet 2.1.2 (v5 range: 1.0.0)
- Microsoft/NuGet 4.8.5 (v5 range: 1.0.0)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (6)
- github.com/advisories/GHSA-8g2p-5pqh-5jmc (GHSA advisory)
- msrc.microsoft.com/update-guide/vulnerability/CVE-2022-41064 (vendor advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2022-41064 (advisory, via GHSA)
- github.com/dotnet/corefx/security/advisories/GHSA-8g2p-5pqh-5jmc (web, via GHSA)
- github.com/dotnet/runtime/issues/78042 (web, via GHSA)
- www.nuget.org/packages/Microsoft.Data.SqlClient (web, via GHSA)
News mentions (0)
No linked articles in our index yet.