.NET and Visual Studio Remote Code Execution Vulnerability
Description
.NET and Visual Studio Remote Code Execution Vulnerability
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in ASP.NET Core's HTTP/3 stream handling allows remote code execution when closing a stream while writing a response body.
Vulnerability Overview
CVE-2024-38229 is a remote code execution vulnerability in Microsoft ASP.NET Core, affecting .NET 8.0 and .NET 9.0. The root cause is a race condition in Kestrel's HTTP/3 stream lifecycle: when an HTTP/3 stream is closed while application code is concurrently writing to the response body, a use-after-free condition can occur. [3][4]
Exploitation Scenario
The vulnerability is exposed only to applications that have explicitly enabled HTTP/3 support on the Kestrel web server. HTTP/3 is not enabled by default in ASP.NET Core [3][4]. The attack surface is minimal unless a developer configures Kestrel endpoints to use HTTP/3 via appsettings.json or code [1][2]. An unauthenticated remote attacker who can send crafted HTTP/3 requests to a vulnerable server could trigger the race condition.
Impact
Successful exploitation could lead to remote code execution (RCE) in the context of the application pool. The attacker would gain the ability to execute arbitrary code on the server, potentially leading to full system compromise. The advisory confirms this is a use-after-free bug, which is notoriously exploitable for RCE. [3][4]
Mitigation
Microsoft has released patches for .NET 8.0 (update to 8.0.10 or later) and .NET 9.0 RC 1 (update to RC 2 or later). .NET 6.0 is not receiving a fix because HTTP/3 remains experimental and unsupported in that release, so users should upgrade to a supported version. [3][4] Developers should immediately update affected packages (Microsoft.AspNetCore.App.Runtime.*) and ensure HTTP/3 is disabled if not required.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
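A triage check for the exposure condition and version ranges described here, added as an example and not taken from this page's sources or from Microsoft: it compares installed ASP.NET Core runtime versions against the ranges in the "Affected packages" table and lists Kestrel endpoints whose `Protocols` setting includes HTTP/3. It assumes strict-JSON `appsettings.json` content and `dotnet --list-runtimes` style input (both samples are constructed), and it cannot see HTTP/3 that is enabled in code rather than in configuration.

```python
import json

# (first affected, first patched) pairs from the "Affected packages" table on this page.
AFFECTED = [("8.0.0", "8.0.10"), ("9.0.0-preview.1.24081.5", "9.0.0-rc.2.24474.3")]

def semver_key(version):
    """Sort key with SemVer precedence: prereleases sort before their release."""
    core, _, pre = version.partition("-")
    nums = tuple(int(p) for p in core.split("."))
    ids = tuple((0, int(p), "") if p.isdigit() else (1, 0, p) for p in pre.split(".")) if pre else ()
    return (nums, 0 if pre else 1, ids)

def is_affected(version):
    key = semver_key(version)
    return any(semver_key(lo) <= key < semver_key(hi) for lo, hi in AFFECTED)

def aspnetcore_runtimes(list_runtimes_output):
    """Extract Microsoft.AspNetCore.App versions from `dotnet --list-runtimes` output."""
    rows = (line.split() for line in list_runtimes_output.splitlines())
    return [r[1] for r in rows if len(r) >= 2 and r[0] == "Microsoft.AspNetCore.App"]

def ci_get(obj, key):
    """Case-insensitive lookup, because .NET configuration keys ignore case."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k.lower() == key.lower():
                return v
    return None

def http3_endpoints(appsettings_text):
    """Names of Kestrel endpoints whose effective Protocols value includes HTTP/3."""
    kestrel = ci_get(json.loads(appsettings_text), "Kestrel")
    default = ci_get(ci_get(kestrel, "EndpointDefaults"), "Protocols") or ""
    hits = ["EndpointDefaults"] if "http3" in default.lower() else []
    for name, ep in (ci_get(kestrel, "Endpoints") or {}).items():
        # An endpoint without its own Protocols inherits EndpointDefaults.
        if "http3" in (ci_get(ep, "Protocols") or default).lower():
            hits.append(name)
    return hits

# Constructed sample inputs (not taken from any real host).
RUNTIMES = """Microsoft.AspNetCore.App 8.0.8 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 8.0.8 [/usr/share/dotnet/shared/Microsoft.NETCore.App]"""
APPSETTINGS = """{"Kestrel": {"EndpointDefaults": {"Protocols": "Http1AndHttp2"},
  "Endpoints": {"Public": {"Url": "https://*:443", "Protocols": "Http1AndHttp2AndHttp3"},
                "Admin": {"Url": "https://localhost:5001"}}}}"""

if __name__ == "__main__":
    vulnerable = [v for v in aspnetcore_runtimes(RUNTIMES) if is_affected(v)]
    print("affected runtimes:", vulnerable, "| HTTP/3 endpoints:", http3_endpoints(APPSETTINGS))
```

A host needs attention first when both lists are non-empty; an affected runtime with no HTTP/3 endpoint in configuration should still be updated, since endpoints can also be set up in code.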
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.AspNetCore.App.Runtime.linux-arm (NuGet) | >= 9.0.0-preview.1.24081.5, < 9.0.0-rc.2.24474.3 | 9.0.0-rc.2.24474.3 |
| Microsoft.AspNetCore.App.Runtime.linux-arm (NuGet) | >= 8.0.0, < 8.0.10 | 8.0.10 |
| Microsoft.AspNetCore.App.Runtime.linux-arm64 (NuGet) | >= 9.0.0-preview.1.24081.5, < 9.0.0-rc.2.24474.3 | 9.0.0-rc.2.24474.3 |
| Microsoft.AspNetCore.App.Runtime.linux-arm64 (NuGet) | >= 8.0.0, < 8.0.10 | 8.0.10 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm (NuGet) | >= 9.0.0-preview.1.24081.5, < 9.0.0-rc.2.24474.3 | 9.0.0-rc.2.24474.3 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm (NuGet) | >= 8.0.0, < 8.0.10 | 8.0.10 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 (NuGet) | >= 9.0.0-preview.1.24081.5, < 9.0.0-rc.2.24474.3 | 9.0.0-rc.2.24474.3 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-arm64 (NuGet) | >= 8.0.0, < 8.0.10 | 8.0.10 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-x64 (NuGet) | >= 9.0.0-preview.1.24081.5, < 9.0.0-rc.2.24474.3 | 9.0.0-rc.2.24474.3 |
| Microsoft.AspNetCore.App.Runtime.linux-musl-x64 (NuGet) | >= 8.0.0, < 8.0.10 | 8.0.10 |
| Microsoft.AspNetCore.App.Runtime.linux-x64 (NuGet) | >= 9.0.0-preview.1.24081.5, < 9.0.0-rc.2.24474.3 | 9.0.0-rc.2.24474.3 |
| Microsoft.AspNetCore.App.Runtime.linux-x64 (NuGet) | >= 8.0.0, < 8.0.10 | 8.0.10 |
| Microsoft.AspNetCore.App.Runtime.osx-arm64 (NuGet) | >= 9.0.0-preview.1.24081.5, < 9.0.0-rc.2.24474.3 | 9.0.0-rc.2.24474.3 |
| Microsoft.AspNetCore.App.Runtime.osx-arm64 (NuGet) | >= 8.0.0, < 8.0.10 | 8.0.10 |
| Microsoft.AspNetCore.App.Runtime.osx-x64 (NuGet) | >= 9.0.0-preview.1.24081.5, < 9.0.0-rc.2.24474.3 | 9.0.0-rc.2.24474.3 |
| Microsoft.AspNetCore.App.Runtime.osx-x64 (NuGet) | >= 8.0.0, < 8.0.10 | 8.0.10 |
| Microsoft.AspNetCore.App.Runtime.win-arm (NuGet) | >= 9.0.0-preview.1.24081.5, < 9.0.0-rc.2.24474.3 | 9.0.0-rc.2.24474.3 |
| Microsoft.AspNetCore.App.Runtime.win-arm (NuGet) | >= 8.0.0, < 8.0.10 | 8.0.10 |
| Microsoft.AspNetCore.App.Runtime.win-arm64 (NuGet) | >= 9.0.0-preview.1.24081.5, < 9.0.0-rc.2.24474.3 | 9.0.0-rc.2.24474.3 |
| Microsoft.AspNetCore.App.Runtime.win-arm64 (NuGet) | >= 8.0.0, < 8.0.10 | 8.0.10 |
| Microsoft.AspNetCore.App.Runtime.win-x64 (NuGet) | >= 9.0.0-preview.1.24081.5, < 9.0.0-rc.2.24474.3 | 9.0.0-rc.2.24474.3 |
| Microsoft.AspNetCore.App.Runtime.win-x64 (NuGet) | >= 8.0.0, < 8.0.10 | 8.0.10 |
| Microsoft.AspNetCore.App.Runtime.win-x86 (NuGet) | >= 9.0.0-preview.1.24081.5, < 9.0.0-rc.2.24474.3 | 9.0.0-rc.2.24474.3 |
| Microsoft.AspNetCore.App.Runtime.win-x86 (NuGet) | >= 8.0.0, < 8.0.10 | 8.0.10 |
Affected products
34 products listed.

osv-coords, 29 versions (no CPE):

| Package URL | Range |
|---|---|
| pkg:bitnami/dotnet | >= 8.0.0, < 8.0.10 |
| pkg:bitnami/dotnet-sdk | >= 8.0.0, < 8.0.10 |
| pkg:nuget/microsoft.aspnetcore.app.runtime.linux-arm | >= 9.0.0-preview.1.24081.5, < 9.0.0-rc.2.24474.3 |
| pkg:nuget/microsoft.aspnetcore.app.runtime.linux-arm64 | >= 9.0.0-preview.1.24081.5, < 9.0.0-rc.2.24474.3 |
| pkg:nuget/microsoft.aspnetcore.app.runtime.linux-musl-arm | >= 9.0.0-preview.1.24081.5, < 9.0.0-rc.2.24474.3 |
| pkg:nuget/microsoft.aspnetcore.app.runtime.linux-musl-arm64 | >= 9.0.0-preview.1.24081.5, < 9.0.0-rc.2.24474.3 |
| pkg:nuget/microsoft.aspnetcore.app.runtime.linux-musl-x64 | >= 9.0.0-preview.1.24081.5, < 9.0.0-rc.2.24474.3 |
| pkg:nuget/microsoft.aspnetcore.app.runtime.linux-x64 | >= 9.0.0-preview.1.24081.5, < 9.0.0-rc.2.24474.3 |
| pkg:nuget/microsoft.aspnetcore.app.runtime.osx-arm64 | >= 9.0.0-preview.1.24081.5, < 9.0.0-rc.2.24474.3 |
| pkg:nuget/microsoft.aspnetcore.app.runtime.osx-x64 | >= 9.0.0-preview.1.24081.5, < 9.0.0-rc.2.24474.3 |
| pkg:nuget/microsoft.aspnetcore.app.runtime.win-arm | >= 9.0.0-preview.1.24081.5, < 9.0.0-rc.2.24474.3 |
| pkg:nuget/microsoft.aspnetcore.app.runtime.win-arm64 | >= 9.0.0-preview.1.24081.5, < 9.0.0-rc.2.24474.3 |
| pkg:nuget/microsoft.aspnetcore.app.runtime.win-x64 | >= 9.0.0-preview.1.24081.5, < 9.0.0-rc.2.24474.3 |
| pkg:nuget/microsoft.aspnetcore.app.runtime.win-x86 | >= 9.0.0-preview.1.24081.5, < 9.0.0-rc.2.24474.3 |
| pkg:rpm/almalinux/aspnetcore-runtime-8.0 | < 8.0.10-1.el8_10 |
| pkg:rpm/almalinux/aspnetcore-runtime-dbg-8.0 | < 8.0.10-1.el8_10 |
| pkg:rpm/almalinux/aspnetcore-targeting-pack-8.0 | < 8.0.10-1.el8_10 |
| pkg:rpm/almalinux/dotnet | < 8.0.110-1.el8_10 |
| pkg:rpm/almalinux/dotnet-apphost-pack-8.0 | < 8.0.10-1.el8_10 |
| pkg:rpm/almalinux/dotnet-host | < 8.0.10-1.el8_10 |
| pkg:rpm/almalinux/dotnet-hostfxr-8.0 | < 8.0.10-1.el8_10 |
| pkg:rpm/almalinux/dotnet-runtime-8.0 | < 8.0.10-1.el8_10 |
| pkg:rpm/almalinux/dotnet-runtime-dbg-8.0 | < 8.0.10-1.el8_10 |
| pkg:rpm/almalinux/dotnet-sdk-8.0 | < 8.0.110-1.el8_10 |
| pkg:rpm/almalinux/dotnet-sdk-8.0-source-built-artifacts | < 8.0.110-1.el8_10 |
| pkg:rpm/almalinux/dotnet-sdk-dbg-8.0 | < 8.0.110-1.el8_10 |
| pkg:rpm/almalinux/dotnet-targeting-pack-8.0 | < 8.0.10-1.el8_10 |
| pkg:rpm/almalinux/dotnet-templates-8.0 | < 8.0.110-1.el8_10 |
| pkg:rpm/almalinux/netstandard-targeting-pack-2.1 | < 8.0.110-1.el8_10 |
- Microsoft/Microsoft Visual Studio 2022 version 17.10 (v5), range: 17.10
- Microsoft/Microsoft Visual Studio 2022 version 17.11 (v5), range: 17.11
- Microsoft/Microsoft Visual Studio 2022 version 17.6 (v5), range: 17.6.0
- Microsoft/Microsoft Visual Studio 2022 version 17.8 (v5), range: 17.8.0
- Microsoft/.NET 8.0 (v5), range: 8.0.0
References
- github.com/advisories/GHSA-7vw9-cfwx-9gx9 (ghsa, ADVISORY)
- msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38229 (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2024-38229 (ghsa, ADVISORY)
- github.com/dotnet/announcements/issues/326 (ghsa, WEB)
- github.com/dotnet/aspnetcore/issues/58297 (ghsa, WEB)
- github.com/dotnet/aspnetcore/security/advisories/GHSA-7vw9-cfwx-9gx9 (ghsa, WEB)
- learn.microsoft.com/en-us/aspnet/core/fundamentals/servers/kestrel/endpoints (ghsa, WEB)
- learn.microsoft.com/en-us/aspnet/core/fundamentals/servers/kestrel/http3 (ghsa, WEB)
- www.herodevs.com/vulnerability-directory/cve-2024-38229 (ghsa, WEB)