.NET and Visual Studio Information Disclosure Vulnerability
Description
.NET and Visual Studio Information Disclosure Vulnerability
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An information disclosure vulnerability in .NET 8.0's TlsStream component could leak sensitive data over TLS connections.
Vulnerability Overview
CVE-2024-38167 is an information disclosure vulnerability that affects .NET 8.0 applications using the TlsStream runtime component. The vulnerability exists in the .NET runtime's handling of TLS streams, potentially allowing an attacker to access sensitive information that should remain protected during encrypted communications [1][2]. Microsoft has stated that no mitigating factors have been identified for this flaw, meaning the only effective defense is applying the available patch.
Attack Vector and Exploitation
Exploitation of this vulnerability requires an affected .NET application to process network traffic over a TLS connection. The exact mechanisms of attack are not publicly detailed, but the vulnerability class (information disclosure via TlsStream) suggests that an attacker positioned on the network path between a client and server—or one who can coerce a victim application to connect to a malicious endpoint—could observe or extract data that should be protected by the TLS encryption [1][2]. No authentication is required for the attacker beyond network access, as the flaw resides in the runtime's handling of the TLS stream itself.
Impact
A successful exploit could allow an attacker to obtain sensitive information from the memory or stream of an affected .NET application. This could include credentials, application data, or other confidential material that the application transmits over TLS [1]. Because the vulnerability is in the core runtime component, it may affect a wide range of .NET 8.0 applications, including web servers, IoT services, and desktop tools, amplifying the potential for data breaches.
Mitigation
Microsoft has released updated packages for .NET 8.0 (version 8.0.8 and later) to address this vulnerability. Developers are urged to update the Microsoft.NetCore.App.Runtime.* packages and ensure their build environment has the latest .NET SDK [1][2]. No workarounds are available. Given the lack of mitigations and the potential for information disclosure, prompt patching is strongly recommended. The vulnerability has not been reported as exploited in the wild as of the advisory publication date.
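A host-side check for the affected range (>= 8.0.0, < 8.0.8), added here as an example and not taken from the advisory or from Microsoft. It parses output in the format printed by `dotnet --list-runtimes`; the function names `vulnerable_runtimes` and `audit_runtimes` and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Flag .NET shared runtimes inside the advisory's affected range
# (>= 8.0.0, < 8.0.8). Input lines use the `dotnet --list-runtimes` format:
#   Microsoft.NETCore.App 8.0.7 [/usr/share/dotnet/shared/Microsoft.NETCore.App]

# Reads a runtime listing on stdin; prints "<version> <path>" per affected entry.
vulnerable_runtimes() {
    awk '
        $1 == "Microsoft.NETCore.App" {
            ver = $2
            # Assumption: a pre-release build is judged by its base version
            # (conservative; it is flagged rather than skipped).
            sub(/[-+].*$/, "", ver)
            if (split(ver, p, ".") < 3) next
            if (p[1] + 0 == 8 && p[2] + 0 == 0 && p[3] + 0 < 8) {
                # The install path may contain spaces, so take the
                # bracketed tail of the line rather than field 3.
                path = "?"
                if (match($0, /\[.*\]$/))
                    path = substr($0, RSTART + 1, RLENGTH - 2)
                print $2, path
            }
        }'
}

# Reads a listing on stdin; returns 1 and reports if any runtime is affected.
audit_runtimes() {
    found=$(vulnerable_runtimes)
    if [ -n "$found" ]; then
        printf '%s\n' "$found" | sed 's/^/AFFECTED runtime: /'
        return 1
    fi
    echo "no Microsoft.NETCore.App runtime in the affected range"
}

# Constructed sample listing (not captured from a real host).
SAMPLE='Microsoft.AspNetCore.App 8.0.7 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 6.0.33 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.7 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.8 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.10 [/opt/dotnet/shared/Microsoft.NETCore.App]'

printf '%s\n' "$SAMPLE" | audit_runtimes || echo "update to 8.0.8 or later"
```

On a real host, pipe `dotnet --list-runtimes` into `audit_runtimes`. Self-contained deployments bundle their own copy of the runtime and do not appear in that listing, so they need a rebuild against the patched Microsoft.NetCore.App.Runtime.* package.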
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.NetCore.App.Runtime.linux-arm (NuGet) | >= 8.0.0, < 8.0.8 | 8.0.8 |
| Microsoft.NetCore.App.Runtime.linux-arm64 (NuGet) | >= 8.0.0, < 8.0.8 | 8.0.8 |
| Microsoft.NetCore.App.Runtime.linux-musl-arm (NuGet) | >= 8.0.0, < 8.0.8 | 8.0.8 |
| Microsoft.NetCore.App.Runtime.linux-musl-arm64 (NuGet) | >= 8.0.0, < 8.0.8 | 8.0.8 |
| Microsoft.NetCore.App.Runtime.linux-musl-x64 (NuGet) | >= 8.0.0, < 8.0.8 | 8.0.8 |
| Microsoft.NetCore.App.Runtime.linux-x64 (NuGet) | >= 8.0.0, < 8.0.8 | 8.0.8 |
| Microsoft.NetCore.App.Runtime.osx-arm64 (NuGet) | >= 8.0.0, < 8.0.8 | 8.0.8 |
| Microsoft.NetCore.App.Runtime.osx-x64 (NuGet) | >= 8.0.0, < 8.0.8 | 8.0.8 |
| Microsoft.NetCore.App.Runtime.win-arm (NuGet) | >= 8.0.0, < 8.0.8 | 8.0.8 |
| Microsoft.NetCore.App.Runtime.win-arm64 (NuGet) | >= 8.0.0, < 8.0.8 | 8.0.8 |
| Microsoft.NetCore.App.Runtime.win-x64 (NuGet) | >= 8.0.0, < 8.0.8 | 8.0.8 |
| Microsoft.NetCore.App.Runtime.win-x86 (NuGet) | >= 8.0.0, < 8.0.8 | 8.0.8 |
Affected products
osv-coords (29 versions):
- pkg:bitnami/dotnet (no CPE), range: >= 8.0.0, < 8.0.8
- pkg:bitnami/dotnet-sdk (no CPE), range: >= 8.0.0, < 8.0.8
- pkg:nuget/microsoft.netcore.app.runtime.linux-arm (no CPE), range: >= 8.0.0, < 8.0.8
- pkg:nuget/microsoft.netcore.app.runtime.linux-arm64 (no CPE), range: >= 8.0.0, < 8.0.8
- pkg:nuget/microsoft.netcore.app.runtime.linux-musl-arm (no CPE), range: >= 8.0.0, < 8.0.8
- pkg:nuget/microsoft.netcore.app.runtime.linux-musl-arm64 (no CPE), range: >= 8.0.0, < 8.0.8
- pkg:nuget/microsoft.netcore.app.runtime.linux-musl-x64 (no CPE), range: >= 8.0.0, < 8.0.8
- pkg:nuget/microsoft.netcore.app.runtime.linux-x64 (no CPE), range: >= 8.0.0, < 8.0.8
- pkg:nuget/microsoft.netcore.app.runtime.osx-arm64 (no CPE), range: >= 8.0.0, < 8.0.8
- pkg:nuget/microsoft.netcore.app.runtime.osx-x64 (no CPE), range: >= 8.0.0, < 8.0.8
- pkg:nuget/microsoft.netcore.app.runtime.win-arm (no CPE), range: >= 8.0.0, < 8.0.8
- pkg:nuget/microsoft.netcore.app.runtime.win-arm64 (no CPE), range: >= 8.0.0, < 8.0.8
- pkg:nuget/microsoft.netcore.app.runtime.win-x64 (no CPE), range: >= 8.0.0, < 8.0.8
- pkg:nuget/microsoft.netcore.app.runtime.win-x86 (no CPE), range: >= 8.0.0, < 8.0.8
- pkg:rpm/almalinux/aspnetcore-runtime-8.0 (no CPE), range: < 8.0.8-1.el9_4
- pkg:rpm/almalinux/aspnetcore-runtime-dbg-8.0 (no CPE), range: < 8.0.8-1.el9_4
- pkg:rpm/almalinux/aspnetcore-targeting-pack-8.0 (no CPE), range: < 8.0.8-1.el9_4
- pkg:rpm/almalinux/dotnet (no CPE), range: < 8.0.108-1.el8_10
- pkg:rpm/almalinux/dotnet-apphost-pack-8.0 (no CPE), range: < 8.0.8-1.el9_4
- pkg:rpm/almalinux/dotnet-host (no CPE), range: < 8.0.8-1.el9_4
- pkg:rpm/almalinux/dotnet-hostfxr-8.0 (no CPE), range: < 8.0.8-1.el9_4
- pkg:rpm/almalinux/dotnet-runtime-8.0 (no CPE), range: < 8.0.8-1.el9_4
- pkg:rpm/almalinux/dotnet-runtime-dbg-8.0 (no CPE), range: < 8.0.8-1.el9_4
- pkg:rpm/almalinux/dotnet-sdk-8.0 (no CPE), range: < 8.0.108-1.el9_4
- pkg:rpm/almalinux/dotnet-sdk-8.0-source-built-artifacts (no CPE), range: < 8.0.108-1.el9_4
- pkg:rpm/almalinux/dotnet-sdk-dbg-8.0 (no CPE), range: < 8.0.108-1.el9_4
- pkg:rpm/almalinux/dotnet-targeting-pack-8.0 (no CPE), range: < 8.0.8-1.el9_4
- pkg:rpm/almalinux/dotnet-templates-8.0 (no CPE), range: < 8.0.108-1.el9_4
- pkg:rpm/almalinux/netstandard-targeting-pack-2.1 (no CPE), range: < 8.0.108-1.el9_4
- Microsoft/Microsoft Visual Studio 2022 version 17.10, v5, range: 17.10
- Microsoft/Microsoft Visual Studio 2022 version 17.6, v5, range: 17.6.0
- Microsoft/Microsoft Visual Studio 2022 version 17.8, v5, range: 17.8.0
- Microsoft/.NET 8.0, v5, range: 8.0
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-3r34-r6w3-fqp6 (ghsa, ADVISORY)
- msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38167 (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2024-38167 (ghsa, ADVISORY)
- github.com/dotnet/runtime/issues/106359 (ghsa, WEB)
- github.com/dotnet/runtime/security/advisories/GHSA-3r34-r6w3-fqp6 (ghsa, WEB)