.NET and Visual Studio Denial of Service Vulnerability
Description
.NET and Visual Studio Denial of Service Vulnerability
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated attacker can trigger a denial of service in ASP.NET Core applications using HTTP.sys on Windows by sending crafted requests, affecting .NET 8.0.7 and earlier.
Vulnerability Details
CVE-2024-38168 is a denial of service vulnerability in .NET and Visual Studio, specifically affecting ASP.NET Core applications running on the Windows HTTP.sys web server. The vulnerability exists in the way HTTP.sys handles certain unauthenticated requests, leading to resource exhaustion or crash. This issue is limited to Windows operating systems and does not affect cross-platform deployments [1].
Exploitation
An attacker can exploit this vulnerability by sending specially crafted, unauthenticated HTTP requests to an affected ASP.NET Core application. No authentication or prior access is required; the attack can be performed remotely over the network. The vulnerability is triggered at the HTTP.sys level, making it accessible to any client that can reach the server [1].
Impact
Successful exploitation results in a denial of service condition, causing the web server to become unresponsive or crash. This can disrupt service availability for legitimate users. The CVSS score is not provided in the references, and no mitigating factors have been identified [1].
Mitigation
Microsoft has released patches for .NET 8.0 (version 8.0.8) that address this vulnerability. Affected packages include Microsoft.AspNetCore.App.Runtime.win-* versions prior to 8.0.8. Developers should update their .NET SDK or runtime to the latest version. Visual Studio users will be prompted to update. No workarounds are available [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.AspNetCore.App.Runtime.win-arm (NuGet) | >= 8.0.0, < 8.0.8 | 8.0.8 |
| Microsoft.AspNetCore.App.Runtime.win-arm64 (NuGet) | >= 8.0.0, < 8.0.8 | 8.0.8 |
| Microsoft.AspNetCore.App.Runtime.win-x64 (NuGet) | >= 8.0.0, < 8.0.8 | 8.0.8 |
| Microsoft.AspNetCore.App.Runtime.win-x86 (NuGet) | >= 8.0.0, < 8.0.8 | 8.0.8 |
Affected products
osv-coords (6 versions, no CPE):
- pkg:bitnami/dotnet, range: >= 8.0.0, < 8.0.8
- pkg:bitnami/dotnet-sdk, range: >= 8.0.0, < 8.0.8
- pkg:nuget/microsoft.aspnetcore.app.runtime.win-arm, range: >= 8.0.0, < 8.0.8
- pkg:nuget/microsoft.aspnetcore.app.runtime.win-arm64, range: >= 8.0.0, < 8.0.8
- pkg:nuget/microsoft.aspnetcore.app.runtime.win-x64, range: >= 8.0.0, < 8.0.8
- pkg:nuget/microsoft.aspnetcore.app.runtime.win-x86, range: >= 8.0.0, < 8.0.8

Vendor products (v5):
- Microsoft / Microsoft Visual Studio 2022 version 17.10, range: 17.10
- Microsoft / Microsoft Visual Studio 2022 version 17.6, range: 17.6.0
- Microsoft / Microsoft Visual Studio 2022 version 17.8, range: 17.8.0
- Microsoft / .NET 8.0, range: 8.0
References
- github.com/advisories/GHSA-7qrv-8f9x-3h32 (ghsa, ADVISORY)
- msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38168 (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2024-38168 (ghsa, ADVISORY)
- github.com/dotnet/aspnetcore/security/advisories/GHSA-7qrv-8f9x-3h32 (ghsa, WEB)