VYPR
High severity · NVD Advisory · Published Sep 12, 2023 · Updated Oct 30, 2025

Visual Studio Remote Code Execution Vulnerability

CVE-2023-36793

Description

Visual Studio Remote Code Execution Vulnerability

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A buffer over-read in Microsoft.DiaSymReader.Native.amd64.dll when processing corrupted PDB files leads to remote code execution on .NET 6/7 on Windows.

Root Cause

The vulnerability resides in Microsoft.DiaSymReader.Native.amd64.dll and is triggered when the component reads a corrupted Program Database (PDB) file. The flaw is a buffer over-read condition, which occurs due to improper validation of input data during the parsing of the PDB file format [1].

Exploitation

An attacker would need to deliver a specially crafted, corrupted PDB file to a target application that uses the vulnerable version of .NET (6.0.21 or earlier, 7.0.10 or earlier) on a Windows system. The PDB file could be loaded by the .NET runtime during debugging or symbol resolution scenarios. No additional privileges are required beyond the ability to open the file, making this a low-complexity attack vector [1][2].

Impact

Successful exploitation could allow an attacker to execute arbitrary code in the context of the affected application. This could lead to full compromise of the system, including data theft, installation of malware, or further lateral movement. The advisory does not list any mitigating factors [1].

Mitigation

Microsoft has issued patches for both .NET 6.0 (update to 6.0.22 or later) and .NET 7.0 (update to 7.0.11 or later). Developers should update their SDKs and runtime packages via Visual Studio or direct package upgrade. The same patch also resolves related vulnerabilities CVE-2023-36792 and CVE-2023-36796. No workarounds are available [1][2].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package (NuGet)                            Affected versions      Patched versions
Microsoft.NETCore.App.Runtime.win-arm64    >= 7.0.0, < 7.0.11     7.0.11
Microsoft.NETCore.App.Runtime.win-arm64    >= 6.0.0, < 6.0.22     6.0.22
Microsoft.NETCore.App.Runtime.win-x64      >= 7.0.0, < 7.0.11     7.0.11
Microsoft.NETCore.App.Runtime.win-x64      >= 6.0.0, < 6.0.22     6.0.22
Microsoft.NETCore.App.Runtime.win-x86      >= 7.0.0, < 7.0.11     7.0.11
Microsoft.NETCore.App.Runtime.win-x86      >= 6.0.0, < 6.0.22     6.0.22

Affected products

26
  • osv-coords · 5 versions
    >= 6.0.0, < 6.0.1 (+ 4 more)
    • (no CPE) range: >= 6.0.0, < 6.0.1
    • (no CPE) range: >= 6.0.0, < 6.0.1
    • (no CPE) range: >= 7.0.0, < 7.0.11
    • (no CPE) range: >= 7.0.0, < 7.0.11
    • (no CPE) range: >= 7.0.0, < 7.0.11
  • Microsoft/Microsoft .NET Framework 2.0 Service Pack 2 · v5
    Range: 2.0.0
  • Microsoft/Microsoft .NET Framework 3.0 Service Pack 2 · v5
    Range: 3.0.0
  • Microsoft/Microsoft .NET Framework 3.5 · v5
    Range: 3.5.0
  • Microsoft/Microsoft .NET Framework 3.5.1 · v5
    Range: 3.5.0
  • Microsoft/Microsoft .NET Framework 3.5 and 4.6.2 · v5
    Range: 4.7.0
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 · v5
    Range: 3.0.0.0
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.7.2 · v5
    Range: 4.7.0
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.8 · v5
    Range: 4.8.0
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.8.1 · v5
    Range: 4.8.1
  • Microsoft/Microsoft .NET Framework 4.6.2 · v5
    Range: 4.7.0
  • Microsoft/Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 · v5
    Range: 4.7.0
  • Microsoft/Microsoft .NET Framework 4.8 · v5
    Range: 4.8.0
  • Microsoft/Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8) · v5
    Range: 15.9.0
  • Microsoft/Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10) · v5
    Range: 16.11.0
  • Microsoft/Microsoft Visual Studio 2022 version 17.2 · v5
    Range: 17.2.0
  • Microsoft/Microsoft Visual Studio 2022 version 17.4 · v5
    Range: 17.4.0
  • Microsoft/Microsoft Visual Studio 2022 version 17.6 · v5
    Range: 17.6.0
  • Microsoft/Microsoft Visual Studio 2022 version 17.7 · v5
    Range: 17.7.0
  • Microsoft/.NET 6.0 · v5
    Range: 6.0.0
  • Microsoft/.NET 7.0 · v5
    Range: 7.0.0
  • Microsoft/PowerShell 7.2 · v5
    Range: 7.2.0

Patches

0

No patches discovered yet.

References

4