VYPR
← All advisories
High severityNVD Advisory· Published Sep 12, 2023· Updated Oct 30, 2025

Visual Studio Remote Code Execution Vulnerability

CVE-2023-36794

Description

Visual Studio Remote Code Execution Vulnerability

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A remote code execution vulnerability in .NET 6.0 and 7.0 on Windows due to memory corruption when processing a crafted PDB file via Microsoft.DiaSymReader.Native.amd64.dll.

Vulnerability

Overview

CVE-2023-36794 is a remote code execution vulnerability affecting .NET 6.0 and .NET 7.0 on Windows systems. The flaw resides in the Microsoft.DiaSymReader.Native.amd64.dll component, which is part of the .NET runtime used for reading debug symbol (PDB) files. When a specifically corrupted PDB file is opened, the parser mishandles the malformed data, leading to memory corruption that an attacker can leverage to execute arbitrary code [1][2].

Exploitation

Prerequisites

To exploit this vulnerability, an attacker must convince a user or an automated process to load a malicious PDB file into an affected .NET application. The attack does not require authentication but relies on social engineering or a compromised build pipeline to deliver the crafted PDB. Because the vulnerable code only runs on Windows, the attack surface is limited to Windows-based .NET deployments [1][2].

Impact

Successful exploitation grants the attacker the ability to execute arbitrary code in the context of the targeted .NET process. This could lead to full compromise of the application, data theft, or further lateral movement within the network if the process runs with elevated privileges. The vulnerability is classified as Critical with a CVSS score indicating high impact on confidentiality, integrity, and availability [1][3].

Mitigation

Status

Microsoft has released updated .NET SDK and runtime packages that address this vulnerability. The affected versions are .NET 7.0.10 and earlier, and .NET 6.0.21 and earlier. Patched versions are .NET 7.0.11 and .NET 6.0.22. Developers should update their .NET installations and rebuild any applications that use the affected packages. Visual Studio users will be prompted to update, which automatically includes the patched runtime [1][2].

References
  1. Microsoft Security Advisory CVE-2023-36794: .NET Remote Code Execution Vulnerability
  2. Microsoft Security Advisory CVE-2023-36794: .NET Remote Code Execution Vulnerability
  3. NVD - CVE-2023-36794

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
Microsoft.NETCore.App.Runtime.win-arm64NuGet
>= 7.0.0, < 7.0.117.0.11
Microsoft.NETCore.App.Runtime.win-arm64NuGet
>= 6.0.0, < 6.0.226.0.22
Microsoft.NETCore.App.Runtime.win-x64NuGet
>= 7.0.0, < 7.0.117.0.11
Microsoft.NETCore.App.Runtime.win-x64NuGet
>= 6.0.0, < 6.0.226.0.22
Microsoft.NETCore.App.Runtime.win-x86NuGet
>= 6.0.0, < 6.0.226.0.22
Microsoft.NETCore.App.Runtime.win-x86NuGet
>= 7.0.0, < 7.0.117.0.11

Affected products

26
  • osv-coords5 versions
    pkg:bitnami/dotnetpkg:bitnami/dotnet-sdkpkg:nuget/microsoft.netcore.app.runtime.win-arm64pkg:nuget/microsoft.netcore.app.runtime.win-x64pkg:nuget/microsoft.netcore.app.runtime.win-x86
    >= 6.0.0, < 6.0.1+ 4 more
    • (no CPE)range: >= 6.0.0, < 6.0.1
    • (no CPE)range: >= 6.0.0, < 6.0.1
    • (no CPE)range: >= 7.0.0, < 7.0.11
    • (no CPE)range: >= 7.0.0, < 7.0.11
    • (no CPE)range: >= 6.0.0, < 6.0.22
  • Microsoft/Microsoft .NET Framework 2.0 Service Pack 2v5
    Range: 2.0.0
  • Microsoft/Microsoft .NET Framework 3.0 Service Pack 2v5
    Range: 3.0.0
  • Microsoft/Microsoft .NET Framework 3.5v5
    Range: 3.5.0
  • Microsoft/Microsoft .NET Framework 3.5.1v5
    Range: 3.5.0
  • Microsoft/Microsoft .NET Framework 3.5 and 4.6.2v5
    Range: 4.7.0
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2v5
    Range: 3.0.0.0
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.7.2v5
    Range: 4.7.0
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.8v5
    Range: 4.8.0
  • Microsoft/Microsoft .NET Framework 3.5 AND 4.8.1v5
    Range: 4.8.1
  • Microsoft/Microsoft .NET Framework 4.6.2v5
    Range: 4.7.0
  • Microsoft/Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2v5
    Range: 4.7.0
  • Microsoft/Microsoft .NET Framework 4.8v5
    Range: 4.8.0
  • Microsoft/Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)v5
    Range: 15.9.0
  • Microsoft/Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)v5
    Range: 16.11.0
  • Microsoft/Microsoft Visual Studio 2022 version 17.2v5
    Range: 17.2.0
  • Microsoft/Microsoft Visual Studio 2022 version 17.4v5
    Range: 17.4.0
  • Microsoft/Microsoft Visual Studio 2022 version 17.6v5
    Range: 17.6.0
  • Microsoft/Microsoft Visual Studio 2022 version 17.7v5
    Range: 17.7.0
  • Microsoft/.NET 6.0v5
    Range: 6.0.0
  • Microsoft/.NET 7.0v5
    Range: 7.0.0
  • Microsoft/PowerShell 7.2v5
    Range: 7.2.0

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

5

News mentions

0

No linked articles in our index yet.