.NET, .NET Framework, and Visual Studio Denial of Service Vulnerability
Description
.NET, .NET Framework, and Visual Studio Denial of Service Vulnerability
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
.NET, .NET Framework, and Visual Studio are vulnerable to a denial of service via hash flooding in System.Security.Cryptography.Cose, System.IO.Packaging, and Microsoft.Extensions.Caching.Memory.
Vulnerability Overview
CVE-2024-43483 is a denial of service vulnerability affecting .NET, .NET Framework, and Visual Studio. The root cause lies in three specific libraries: System.Security.Cryptography.Cose, System.IO.Packaging, and Microsoft.Extensions.Caching.Memory [2]. These components are susceptible to hash flooding attacks, a class of algorithmic complexity attack that can cause excessive CPU consumption when processing hostile input [2].
Exploitation and Attack Surface
An attacker can exploit this vulnerability by sending specially crafted input to an application that uses any of the affected libraries [2]. The attack does not require authentication or special privileges; it is network-based and can be triggered remotely. The vulnerable packages are used in various .NET application types, including web services, desktop applications, and cloud-native workloads [2][3]. The affected versions span .NET 6, 8, and 9 preview releases, as well as the final releases of .NET 6.0 and 8.0 [2].
Impact
Successful exploitation results in a denial of service condition. The targeted application or service may become unresponsive or crash due to resource exhaustion from the hash flooding attack [2]. This can lead to service disruption for legitimate users, potentially impacting availability in production environments [2].
Mitigation Status
Microsoft has released patched versions of all affected packages to address this vulnerability [2]. Developers should update to the following minimum versions: .NET 8.0.1, .NET 6.0.2 for System.IO.Packaging and Microsoft.Extensions.Caching.Memory (.NET 6.0.1 for System.Security.Cryptography.Cose is not listed, but .NET 6.0.33 SDK includes the fix), and .NET 9.0-rc.2 for preview users [2]. No mitigating factors have been identified [2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| System.Security.Cryptography.Cose (NuGet) | >= 9.0.0-preview.1.24080.9, < 9.0.0-rc.2.24473.5 | 9.0.0-rc.2.24473.5 |
| System.IO.Packaging (NuGet) | >= 9.0.0-preview.1.24080.9, < 9.0.0-rc.2.24473.5 | 9.0.0-rc.2.24473.5 |
| System.Security.Cryptography.Cose (NuGet) | >= 8.0.0-preview.1.23110.8, < 8.0.1 | 8.0.1 |
| System.IO.Packaging (NuGet) | >= 6.0.0-preview.1.21102.12, < 6.0.1 | 6.0.1 |
| System.IO.Packaging (NuGet) | >= 8.0.0-preview.1.23110.8, < 8.0.1 | 8.0.1 |
| Microsoft.Extensions.Caching.Memory (NuGet) | >= 8.0.0-preview.1.23110.8, < 8.0.1 | 8.0.1 |
| Microsoft.Extensions.Caching.Memory (NuGet) | >= 9.0.0-preview.1.24080.9, < 9.0.0-rc.2.24473.5 | 9.0.0-rc.2.24473.5 |
| Microsoft.Extensions.Caching.Memory (NuGet) | >= 6.0.0-preview.1.21102.12, < 6.0.2 | 6.0.2 |
Affected products
48 affected products. osv-coords (29 versions):
- pkg:bitnami/dotnet (no CPE), range: >= 6.0.0, < 6.0.35
- pkg:bitnami/dotnet-sdk (no CPE), range: >= 6.0.0, < 6.0.35
- pkg:nuget/microsoft.extensions.caching.memory (no CPE), range: >= 8.0.0-preview.1.23110.8, < 8.0.1
- pkg:nuget/system.io.packaging (no CPE), range: >= 9.0.0-preview.1.24080.9, < 9.0.0-rc.2.24473.5
- pkg:nuget/system.security.cryptography.cose (no CPE), range: >= 9.0.0-preview.1.24080.9, < 9.0.0-rc.2.24473.5
- pkg:rpm/almalinux/aspnetcore-runtime-6.0 (no CPE), range: < 6.0.35-1.el8_10
- pkg:rpm/almalinux/aspnetcore-runtime-8.0 (no CPE), range: < 8.0.10-1.el8_10
- pkg:rpm/almalinux/aspnetcore-runtime-dbg-8.0 (no CPE), range: < 8.0.10-1.el8_10
- pkg:rpm/almalinux/aspnetcore-targeting-pack-6.0 (no CPE), range: < 6.0.35-1.el8_10
- pkg:rpm/almalinux/aspnetcore-targeting-pack-8.0 (no CPE), range: < 8.0.10-1.el8_10
- pkg:rpm/almalinux/dotnet (no CPE), range: < 8.0.110-1.el8_10
- pkg:rpm/almalinux/dotnet-apphost-pack-6.0 (no CPE), range: < 6.0.35-1.el8_10
- pkg:rpm/almalinux/dotnet-apphost-pack-8.0 (no CPE), range: < 8.0.10-1.el8_10
- pkg:rpm/almalinux/dotnet-host (no CPE), range: < 8.0.10-1.el8_10
- pkg:rpm/almalinux/dotnet-hostfxr-6.0 (no CPE), range: < 6.0.35-1.el8_10
- pkg:rpm/almalinux/dotnet-hostfxr-8.0 (no CPE), range: < 8.0.10-1.el8_10
- pkg:rpm/almalinux/dotnet-runtime-6.0 (no CPE), range: < 6.0.35-1.el8_10
- pkg:rpm/almalinux/dotnet-runtime-8.0 (no CPE), range: < 8.0.10-1.el8_10
- pkg:rpm/almalinux/dotnet-runtime-dbg-8.0 (no CPE), range: < 8.0.10-1.el8_10
- pkg:rpm/almalinux/dotnet-sdk-6.0 (no CPE), range: < 6.0.135-1.el8_10
- pkg:rpm/almalinux/dotnet-sdk-6.0-source-built-artifacts (no CPE), range: < 6.0.135-1.el8_10
- pkg:rpm/almalinux/dotnet-sdk-8.0 (no CPE), range: < 8.0.110-1.el8_10
- pkg:rpm/almalinux/dotnet-sdk-8.0-source-built-artifacts (no CPE), range: < 8.0.110-1.el8_10
- pkg:rpm/almalinux/dotnet-sdk-dbg-8.0 (no CPE), range: < 8.0.110-1.el8_10
- pkg:rpm/almalinux/dotnet-targeting-pack-6.0 (no CPE), range: < 6.0.35-1.el8_10
- pkg:rpm/almalinux/dotnet-targeting-pack-8.0 (no CPE), range: < 8.0.10-1.el8_10
- pkg:rpm/almalinux/dotnet-templates-6.0 (no CPE), range: < 6.0.135-1.el8_10
- pkg:rpm/almalinux/dotnet-templates-8.0 (no CPE), range: < 8.0.110-1.el8_10
- pkg:rpm/almalinux/netstandard-targeting-pack-2.1 (no CPE), range: < 8.0.110-1.el8_10
- Microsoft/Microsoft .NET Framework 2.0 Service Pack 2 (v5), range: 2.0.0
- Microsoft/Microsoft .NET Framework 3.0 Service Pack 2 (v5), range: 3.0.0
- Microsoft/Microsoft .NET Framework 3.5 (v5), range: 3.5.0
- Microsoft/Microsoft .NET Framework 3.5.1 (v5), range: 3.5.0
- Microsoft/Microsoft .NET Framework 3.5 AND 4.7.2 (v5), range: 4.7.0
- Microsoft/Microsoft .NET Framework 3.5 AND 4.8 (v5), range: 4.8.0
- Microsoft/Microsoft .NET Framework 3.5 AND 4.8.1 (v5), range: 4.8.1
- Microsoft/Microsoft .NET Framework 4.6.2 (v5), range: 4.7.0
- Microsoft/Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 (v5), range: 4.7.0
- Microsoft/Microsoft .NET Framework 4.6/4.6.2 (v5), range: 10.0.0.0
- Microsoft/Microsoft .NET Framework 4.8 (v5), range: 4.8.0
- Microsoft/Microsoft Visual Studio 2022 version 17.10 (v5), range: 17.10
- Microsoft/Microsoft Visual Studio 2022 version 17.11 (v5), range: 17.11
- Microsoft/Microsoft Visual Studio 2022 version 17.6 (v5), range: 17.6.0
- Microsoft/Microsoft Visual Studio 2022 version 17.8 (v5), range: 17.8.0
- Microsoft/.NET 6.0 (v5), range: 6.0.0
- Microsoft/.NET 8.0 (v5), range: 8.0.0
- Microsoft/PowerShell 7.2 (v5), range: 7.2.0
- Microsoft/PowerShell 7.4 (v5), range: 7.4.0
References
- github.com/advisories/GHSA-qj66-m88j-hmgj (ghsa, ADVISORY)
- msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43483 (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2024-43483 (ghsa, ADVISORY)
- github.com/dotnet/runtime/security/advisories/GHSA-qj66-m88j-hmgj (ghsa, WEB)