CoreWCF NetFraming based services can leave connections open when they should be closed
Description
CoreWCF is a port of the service side of Windows Communication Foundation (WCF) to .NET Core. If you have a NetFraming-based CoreWCF service, extra system resources could be consumed by connections being left established instead of being closed or aborted. There are two scenarios in which this can happen. When a client establishes a connection to the service and sends no data, the service will wait indefinitely for the client to initiate the NetFraming session handshake. Additionally, once a client has established a session, if the client doesn't send any requests for the period of time configured in the binding ReceiveTimeout, the connection is not properly closed as part of the session being aborted. The bindings affected by this behavior are NetTcpBinding, NetNamedPipeBinding, and UnixDomainSocketBinding. Only NetTcpBinding has the ability to accept non-local connections. The currently supported versions of CoreWCF are v1.4.x and v1.5.x. The fix can be found in v1.4.2 and v1.5.2 of the CoreWCF packages. Users are advised to upgrade. There are no workarounds for this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CoreWCF NetFraming services leave connections open, leading to resource exhaustion; fixed in v1.4.2 and v1.5.2.
Vulnerability Overview
CVE-2024-28252 affects CoreWCF, a .NET Core port of Windows Communication Foundation (WCF). The issue lies in NetFraming-based bindings (NetTcpBinding, NetNamedPipeBinding, UnixDomainSocketBinding) which fail to properly close or abort connections under two conditions: when a client connects but sends no data, and when a client does not send requests within the configured ReceiveTimeout period [1][4]. This leaves connections established indefinitely, consuming extra system resources.
Attack Vector
An attacker can exploit this by establishing a connection and either sending no data or sending requests slower than the ReceiveTimeout, causing the service to hold the connection open indefinitely. Since only NetTcpBinding accepts non-local connections, remote exploitation is possible only via that binding [1][4]. No authentication is required to trigger the resource consumption, as the issue occurs during session handshake or idle session handling.
Impact
Successful exploitation leads to resource exhaustion on the server, as each unclosed connection consumes memory and socket resources. This can degrade service performance or cause denial-of-service (DoS) for legitimate clients [2]. The issue was reported with evidence that the server does not send a TCP RST packet on timeout, leaving clients unaware of the disconnection [2].
Mitigation
CoreWCF versions 1.4.x and 1.5.x are affected; the fix is included in releases 1.4.2 and 1.5.2 [1][3]. Users should upgrade to these versions immediately. There are no workarounds [4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| CoreWCF.NetFramingBase (NuGet) | >= 1.4.0, < 1.4.2 | 1.4.2 |
| CoreWCF.NetFramingBase (NuGet) | >= 1.5.0, < 1.5.2 | 1.5.2 |
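
As an added example (not part of the advisory or of the CoreWCF project), the following Python script checks an MSBuild project file for references to CoreWCF.NetFramingBase that fall inside the affected ranges in the table above. The sample project file, the `Example.Other` package and the `$(CoreWcfVersion)` property are constructed for illustration; versions outside the listed ranges are reported as `not-in-range`, not as safe.

```python
import re
import xml.etree.ElementTree as ET

PACKAGE = "CoreWCF.NetFramingBase"
# (first affected, first patched) pairs copied from the affected-packages table.
AFFECTED = [("1.4.0", "1.4.2"), ("1.5.0", "1.5.2")]
STATUS = {True: "affected", False: "not-in-range", None: "review"}

def version_key(text):
    """Sortable key for major.minor[.patch][-prerelease]; None if unparseable."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(-[0-9A-Za-z.-]+)?", (text or "").strip())
    if not m:
        return None  # floating versions, ranges and $(Property) need manual review
    # A prerelease sorts below the release with the same numbers (0 < 1).
    return (int(m[1]), int(m[2]), int(m[3] or 0), 0 if m[4] else 1)

def is_affected(version):
    """True if inside a listed range, False if outside, None if unknown."""
    key = version_key(version)
    return None if key is None else any(
        version_key(lo) <= key < version_key(hi) for lo, hi in AFFECTED)

def audit_project(xml_text):
    """Return [(version, status)] for each reference to PACKAGE in an MSBuild file."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # strip an XML namespace if present
        name = el.get("Include") or el.get("Update") or ""
        # NuGet package ids are case-insensitive.
        if tag not in ("PackageReference", "PackageVersion") or name.lower() != PACKAGE.lower():
            continue
        child = next((c.text for c in el if c.tag.rsplit("}", 1)[-1] == "Version"), None)
        version = el.get("Version") or child
        findings.append((version, STATUS[is_affected(version)]))
    return findings

# Constructed sample project file, not taken from any real repository.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="CoreWCF.NetFramingBase" Version="1.5.1" />
    <PackageReference Include="corewcf.netframingbase"><Version>1.4.2</Version></PackageReference>
    <PackageReference Include="CoreWCF.NetFramingBase" Version="$(CoreWcfVersion)" />
    <PackageReference Include="Example.Other" Version="1.4.1" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for version, status in audit_project(SAMPLE_CSPROJ):
        print(f"{PACKAGE} {version}: {status}")
```

A `review` result means the version could not be resolved from the file alone (an MSBuild property, a floating version or a missing `Version` attribute) and has to be checked against the restored package graph.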
References
- github.com/advisories/GHSA-32jq-mv89-5rx7
- nvd.nist.gov/vuln/detail/CVE-2024-28252
- github.com/CoreWCF/CoreWCF/issues/1345
- github.com/CoreWCF/CoreWCF/security/advisories/GHSA-32jq-mv89-5rx7