.NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability

Vulnerability

Overview

CVE-2024-21409 is a use-after-free vulnerability in Windows Presentation Foundation (WPF), a .NET UI framework for building Windows desktop applications [3]. The flaw occurs when WPF processes untrusted documents, leading to a use-after-free condition that can be exploited for remote code execution [1][2]. This issue affects .NET 6.0 (up to 6.0.28), .NET 7.0 (up to 7.0.17), and .NET 8.0 (up to 8.0.3) on Windows systems [2].

Exploitation

Conditions

An attacker can trigger the vulnerability by convincing a user to open a specially crafted, untrusted document in a WPF-based application [2]. No authentication or special privileges are required beyond user interaction. The attack surface is limited to WPF applications running on Windows; the vulnerability does not affect non-WPF .NET workloads or cross-platform scenarios [2].

Impact

Successful exploitation allows an attacker to execute arbitrary code in the context of the logged-on user [1]. Depending on the user's privileges, this could result in data disclosure, system compromise, or further lateral movement within the network. Microsoft has assessed the severity as high, with a CVSS v3.1 base score of 7.8 [1].

Mitigation

Microsoft has released patched versions for all affected .NET runtimes and SDKs: .NET 6.0.29, .NET 7.0.18, and .NET 8.0.4 [2]. Developers should update their applications to these versions or later. For package-based deployments, the affected NuGet packages (Microsoft.WindowsDesktop.App.Runtime) have been updated accordingly [2]. There are no workarounds; applying the patch is the only recommended mitigation.