High severity · NVD Advisory · Published Jun 14, 2023 · Updated Jan 1, 2025

.NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability

CVE-2023-24897

Description

.NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A heap overflow in the MSDIA SDK when processing corrupted PDB files enables remote code execution in .NET 6.0/7.0 applications.

Root Cause

The vulnerability is a heap overflow in the Microsoft Debug Interface Access (MSDIA) SDK, a component used to read program database (PDB) symbol files. When a corrupted PDB file is parsed, the MSDIA SDK fails to properly validate bounds, leading to a heap overflow. This can result in a crash or arbitrary code execution [1][2].

Exploitation

An attacker must supply a maliciously crafted PDB file to an application that uses the affected .NET runtime. No authentication is required, but the victim must load the corrupt PDB (e.g., by debugging or processing symbols). The attack surface is limited to scenarios where untrusted PDB files are ingested [1][2].

Impact

Successful exploitation allows remote code execution in the context of the vulnerable application. An attacker could execute arbitrary code, potentially gaining full control of the affected system. The vulnerability is rated CRITICAL with a CVSS score of 9.8 [3].

Mitigation

Microsoft has released updates to address this vulnerability. Affected runtimes: .NET 7.0.5 and earlier must update to 7.0.7; .NET 6.0.16 and earlier must update to 6.0.18. No mitigating factors have been identified, and no workarounds are available [1][2]. Developers should update their applications immediately.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package (NuGet) | Affected versions | Patched versions
Microsoft.NetCore.App.Runtime.win-arm | >= 7.0.0, < 7.0.7 | 7.0.7
Microsoft.NetCore.App.Runtime.win-arm64 | >= 7.0.0, < 7.0.7 | 7.0.7
Microsoft.NetCore.App.Runtime.win-x64 | >= 7.0.0, < 7.0.7 | 7.0.7
Microsoft.NetCore.App.Runtime.win-x86 | >= 7.0.0, < 7.0.7 | 7.0.7
Microsoft.NetCore.App.Runtime.win-arm | >= 6.0.0, < 6.0.18 | 6.0.18
Microsoft.NetCore.App.Runtime.win-arm64 | >= 6.0.0, < 6.0.18 | 6.0.18
Microsoft.NetCore.App.Runtime.win-x64 | >= 6.0.0, < 6.0.18 | 6.0.18
Microsoft.NetCore.App.Runtime.win-x86 | >= 6.0.0, < 6.0.18 | 6.0.18
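
A check of installed shared runtimes against the affected ranges listed above, as an added example (not part of the advisory or any Microsoft tooling). It assumes the `Microsoft.NetCore.App.Runtime.win-*` packages correspond to the `Microsoft.NETCore.App` entries printed by `dotnet --list-runtimes`; the sample listing is constructed.

```python
import re

# Affected ranges from the "Affected packages" table on this page:
# (inclusive lower bound, exclusive upper bound = first patched version).
AFFECTED_RANGES = [((6, 0, 0), (6, 0, 18)), ((7, 0, 0), (7, 0, 7))]

# Assumption: the Microsoft.NetCore.App.Runtime.win-* packages correspond to
# the shared framework that `dotnet --list-runtimes` reports under this name.
FRAMEWORK = "Microsoft.NETCore.App"

# One line of `dotnet --list-runtimes`: "<name> <version> [<install dir>]"
RUNTIME_LINE = re.compile(r"^(\S+)\s+(\S+)\s+\[(.*)\]\s*$")
VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(-.+)?$")

def is_affected(version_text):
    """True if the version falls inside one of the page's affected ranges."""
    m = VERSION.match(version_text)
    if not m:
        return False  # unparseable version string: not classified here
    core = tuple(int(g) for g in m.group(1, 2, 3))
    prerelease = m.group(4) is not None
    for low, fixed in AFFECTED_RANGES:
        # Prereleases are compared on their numeric core (conservative), and a
        # prerelease of the fixed version still sorts below the patched release.
        if low <= core < fixed or (core == fixed and prerelease):
            return True
    return False

def find_vulnerable_runtimes(listing):
    """Return (version, install_dir) for each affected shared runtime."""
    hits = []
    for line in listing.splitlines():
        m = RUNTIME_LINE.match(line.strip())
        if m and m.group(1) == FRAMEWORK and is_affected(m.group(2)):
            hits.append((m.group(2), m.group(3)))
    return hits

# Constructed sample of `dotnet --list-runtimes` output (not from a real host).
SAMPLE = r"""
Microsoft.AspNetCore.App 6.0.16 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.NETCore.App 6.0.16 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 6.0.18 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 7.0.5 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 7.0.7 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
"""

if __name__ == "__main__":
    for version, path in find_vulnerable_runtimes(SAMPLE):
        print(f"UPDATE NEEDED: {FRAMEWORK} {version} at {path}")
```

The listing covers only machine-wide shared runtimes; self-contained applications carry their own copy of the runtime and need to be rebuilt against a patched version.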

Affected products

25
  • osv-coords (6 versions)
    • (no CPE) range: >= 6.0.0, < 6.0.1
    • (no CPE) range: >= 6.0.0, < 6.0.1
    • (no CPE) range: >= 7.0.0, < 7.0.7
    • (no CPE) range: >= 7.0.0, < 7.0.7
    • (no CPE) range: >= 7.0.0, < 7.0.7
    • (no CPE) range: >= 7.0.0, < 7.0.7
  • Microsoft/Microsoft .NET Framework 3.5 and 4.6.2 · v5
    Range: 4.7.0
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 · v5
    Range: 3.0.0.0
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.7.2 · v5
    Range: 4.7.0
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.8 · v5
    Range: 4.8.0
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.8.1 · v5
    Range: 4.8.1
  • Microsoft/Microsoft .NET Framework 4.6.2 · v5
    Range: 4.7.0
  • Microsoft/Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 · v5
    Range: 4.7.0
  • Microsoft/Microsoft .NET Framework 4.8 · v5
    Range: 4.8.0
  • Microsoft/Microsoft Visual Studio 2013 Update 5 · v5
    Range: 12.0.0
  • Microsoft/Microsoft Visual Studio 2015 Update 3 · v5
    Range: 14.0.0
  • Microsoft/Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8) · v5
    Range: 15.9.0
  • Microsoft/Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10) · v5
    Range: 16.11.0
  • Microsoft/Microsoft Visual Studio 2022 version 17.0 · v5
    Range: 17.0.0
  • Microsoft/Microsoft Visual Studio 2022 version 17.2 · v5
    Range: 17.2.0
  • Microsoft/Microsoft Visual Studio 2022 version 17.4 · v5
    Range: 17.4.0
  • Microsoft/Microsoft Visual Studio 2022 version 17.6 · v5
    Range: 17.6.0
  • Microsoft/.NET 6.0 · v5
    Range: 6.0.0
  • Microsoft/.NET 7.0 · v5
    Range: 7.0.0
  • Microsoft/PowerShell 7.2 · v5
    Range: 7.2.0

References

5
