VYPR
High severity · NVD Advisory · Published Jun 13, 2023 · Updated Jan 1, 2025

.NET and Visual Studio Remote Code Execution Vulnerability

CVE-2023-33128

Description

.NET and Visual Studio Remote Code Execution Vulnerability

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A vulnerability in .NET source generator for P/Invokes can cause uninitialized memory to be freed, potentially leading to remote code execution.

Vulnerability Overview

The vulnerability, identified as CVE-2023-33128, resides in the .NET source generator for Platform Invocation Services (P/Invokes). The issue occurs when the generated code frees uninitialized memory, leading to memory corruption and potentially a crash or remote code execution [1][2]. This affects .NET 7.0 SDK versions prior to 7.0.106 (1xx) and 7.0.303 (3xx), as well as corresponding runtime packages [1][2].

Exploitation Prerequisites

Exploitation requires an attacker to craft a malicious P/Invoke call that triggers the vulnerable code path. No authentication is needed, but the attacker must be able to supply input to the P/Invoke generator. The vulnerability is present in the source generator, meaning any application using affected .NET versions that generates P/Invoke code at compile time could be vulnerable [1][2]. Microsoft has identified no mitigating factors [1].

Impact

Successful exploitation could allow an attacker to execute arbitrary code in the context of the application. The official advisory rates this as a Remote Code Execution vulnerability, though the immediate consequence of triggering the bug is memory corruption, which could then be leveraged for more severe impact [1][4].

Mitigation

Microsoft has released patched versions of .NET 7.0 (SDK 7.0.107 and 7.0.304, runtime packages 7.0.7) to address this vulnerability. Users are advised to update their .NET SDK and runtime to the latest version. Visual Studio users will be prompted to update [1][2]. No workarounds are available [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| Microsoft.NETCore.App.Runtime.linux-arm | NuGet | >= 7.0.0, < 7.0.7 | 7.0.7 |
| Microsoft.NETCore.App.Runtime.linux-arm64 | NuGet | >= 7.0.0, < 7.0.7 | 7.0.7 |
| Microsoft.NETCore.App.Runtime.linux-musl-arm | NuGet | >= 7.0.0, < 7.0.7 | 7.0.7 |
| Microsoft.NETCore.App.Runtime.linux-musl-arm64 | NuGet | >= 7.0.0, < 7.0.7 | 7.0.7 |
| Microsoft.NETCore.App.Runtime.linux-musl-x64 | NuGet | >= 7.0.0, < 7.0.7 | 7.0.7 |
| Microsoft.NETCore.App.Runtime.linux-x64 | NuGet | >= 7.0.0, < 7.0.7 | 7.0.7 |
| Microsoft.NETCore.App.Runtime.osx-arm64 | NuGet | >= 7.0.0, < 7.0.7 | 7.0.7 |
| Microsoft.NETCore.App.Runtime.osx-x64 | NuGet | >= 7.0.0, < 7.0.7 | 7.0.7 |
| Microsoft.NETCore.App.Runtime.win-arm | NuGet | >= 7.0.0, < 7.0.7 | 7.0.7 |
| Microsoft.NETCore.App.Runtime.win-arm64 | NuGet | >= 7.0.0, < 7.0.7 | 7.0.7 |
| Microsoft.NETCore.App.Runtime.win-x64 | NuGet | >= 7.0.0, < 7.0.7 | 7.0.7 |
| Microsoft.NETCore.App.Runtime.win-x86 | NuGet | >= 7.0.0, < 7.0.7 | 7.0.7 |
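
An added example (not code from the advisory or from Microsoft): a POSIX shell check that reads `dotnet --list-runtimes` output and flags Microsoft.NETCore.App runtimes inside the affected range listed above (>= 7.0.0, < 7.0.7). The function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag shared runtimes inside the advisory's listed range
# (>= 7.0.0, < 7.0.7) from `dotnet --list-runtimes` output on stdin.

# Print the version of every Microsoft.NETCore.App runtime in the range.
affected_runtimes() {
  awk '
    $1 == "Microsoft.NETCore.App" {
      ver = $2
      if (ver ~ /-/) next               # prerelease builds: not in the listed range
      if (split(ver, p, ".") != 3) next # expect major.minor.patch
      if (p[1] + 0 == 7 && p[2] + 0 == 0 && p[3] + 0 < 7) print ver
    }'
}

# Return 1 and name each finding if any affected runtime is present.
check_host() {
  found=$(affected_runtimes)
  [ -z "$found" ] && return 0
  for v in $found; do
    echo "CVE-2023-33128: Microsoft.NETCore.App $v is below 7.0.7" >&2
  done
  return 1
}

# Constructed sample of `dotnet --list-runtimes` output (paths are illustrative).
sample_runtimes() {
  cat <<'EOF'
Microsoft.AspNetCore.App 7.0.5 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 6.0.16 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 7.0.0-rc.2.22472.3 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 7.0.5 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 7.0.7 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
EOF
}

# Demo on the sample; on a real host: dotnet --list-runtimes | check_host
sample_runtimes | check_host || echo "sample host needs the 7.0.7 runtime update"
```

This covers only shared runtimes installed on the host. Self-contained applications bundle their own runtime and do not appear in `dotnet --list-runtimes`, and SDK versions need a separate check.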

Affected products: 42

References: 5
