.NET, .NET Framework, and Visual Studio Denial of Service Vulnerability
Description
.NET, .NET Framework, and Visual Studio Denial of Service Vulnerability
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A denial of service vulnerability in .NET's System.IO.Packaging library allows untrusted inputs to trigger algorithmically complex operations, crashing the application.
Vulnerability Overview
CVE-2024-43484 is a denial of service vulnerability affecting .NET, .NET Framework, and Visual Studio, specifically within the System.IO.Packaging library. The root cause is that the library may allow untrusted inputs to influence algorithmically complex operations, leading to excessive resource consumption and a denial of service condition [1][2]. Microsoft has not identified any mitigating factors for this vulnerability [2].
Exploitation and Attack Surface
An attacker can exploit this vulnerability by providing specially crafted input to an application that uses the affected System.IO.Packaging library. No authentication is required, and the attack can be performed remotely if the application processes untrusted data. The vulnerability is present in .NET 6, .NET 8, and .NET 9 preview/RC versions, as well as corresponding Visual Studio installations [2][3].
Impact
Successful exploitation results in a denial of service, causing the affected application or service to become unresponsive or crash. This can disrupt availability for users relying on the software. The vulnerability does not lead to data compromise or privilege escalation; the impact is limited to availability [1].
Mitigation
Microsoft has released patches for the affected packages. Users should update System.IO.Packaging to the following patched versions: .NET 9: 9.0.0-rc.2.24473.5, .NET 8: 8.0.1, .NET 6: 6.0.1. Visual Studio users will be prompted to update via the IDE. No workarounds are available [2][4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| System.IO.Packaging (NuGet) | >= 9.0.0-preview.1.24080.9, < 9.0.0-rc.2.24473.5 | 9.0.0-rc.2.24473.5 |
| System.IO.Packaging (NuGet) | >= 8.0.0-preview.1.23110.8, < 8.0.1 | 8.0.1 |
| System.IO.Packaging (NuGet) | >= 6.0.0-preview.1.21102.12, < 6.0.1 | 6.0.1 |
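To check a project against the ranges in this table, the resolved versions in a NuGet `packages.lock.json` can be compared using prerelease-aware ordering, which also surfaces transitive references. The following is an added example, not code from the advisory or from Microsoft; it assumes the project has NuGet lock files enabled, and the sample lock file and the `Contoso.Docs` package are constructed for illustration.

```python
import json

# Affected ranges from the table above: (first affected, patched); patched is exclusive.
AFFECTED = [
    ("9.0.0-preview.1.24080.9", "9.0.0-rc.2.24473.5"),
    ("8.0.0-preview.1.23110.8", "8.0.1"),
    ("6.0.0-preview.1.21102.12", "6.0.1"),
]

def version_key(text):
    """Sort key following SemVer 2.0 precedence; labels compared case-insensitively."""
    core, _, pre = text.split("+")[0].partition("-")
    nums = tuple(int(part) for part in core.split("."))
    if not pre:
        return (nums, 1, ())  # a release sorts above all of its prereleases
    # Numeric identifiers compare as numbers and sort below alphanumeric ones.
    ids = tuple((0, int(i), "") if i.isdigit() else (1, 0, i.lower())
                for i in pre.split("."))
    return (nums, 0, ids)

def fix_for(version):
    """Return the patched version if `version` is affected, otherwise None."""
    key = version_key(version)
    for first_affected, patched in AFFECTED:
        if version_key(first_affected) <= key < version_key(patched):
            return patched
    return None

def scan_lock_file(lock_text):
    """List (framework, dependency type, resolved, patched) for affected entries."""
    findings = []
    for framework, deps in json.loads(lock_text)["dependencies"].items():
        for name, entry in deps.items():
            if name.lower() == "system.io.packaging":
                patched = fix_for(entry["resolved"])
                if patched:
                    findings.append((framework, entry["type"], entry["resolved"], patched))
    return findings

# Constructed sample lock file; Contoso.Docs is a hypothetical package.
SAMPLE_LOCK = json.dumps({"version": 1, "dependencies": {
    "net8.0": {
        "Contoso.Docs": {"type": "Direct", "resolved": "1.2.0"},
        "System.IO.Packaging": {"type": "Transitive", "resolved": "8.0.0"}},
    "net6.0": {
        "System.IO.Packaging": {"type": "Direct", "resolved": "6.0.1"}},
}})

if __name__ == "__main__":
    for finding in scan_lock_file(SAMPLE_LOCK):
        print("affected: %s %s %s -> update to %s" % finding)
```

A `Transitive` finding means the package is pulled in by another dependency, so the fix is either an update of that dependency or a direct reference to the patched version.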
Affected products
osv-coords (27 versions):
- pkg:bitnami/dotnet (no CPE), range: >= 6.0.0, < 6.0.35
- pkg:bitnami/dotnet-sdk (no CPE), range: >= 6.0.0, < 6.0.35
- pkg:nuget/system.io.packaging (no CPE), range: >= 9.0.0-preview.1.24080.9, < 9.0.0-rc.2.24473.5
- pkg:rpm/almalinux/aspnetcore-runtime-6.0 (no CPE), range: < 6.0.35-1.el8_10
- pkg:rpm/almalinux/aspnetcore-runtime-8.0 (no CPE), range: < 8.0.10-1.el8_10
- pkg:rpm/almalinux/aspnetcore-runtime-dbg-8.0 (no CPE), range: < 8.0.10-1.el8_10
- pkg:rpm/almalinux/aspnetcore-targeting-pack-6.0 (no CPE), range: < 6.0.35-1.el8_10
- pkg:rpm/almalinux/aspnetcore-targeting-pack-8.0 (no CPE), range: < 8.0.10-1.el8_10
- pkg:rpm/almalinux/dotnet (no CPE), range: < 8.0.110-1.el8_10
- pkg:rpm/almalinux/dotnet-apphost-pack-6.0 (no CPE), range: < 6.0.35-1.el8_10
- pkg:rpm/almalinux/dotnet-apphost-pack-8.0 (no CPE), range: < 8.0.10-1.el8_10
- pkg:rpm/almalinux/dotnet-host (no CPE), range: < 8.0.10-1.el8_10
- pkg:rpm/almalinux/dotnet-hostfxr-6.0 (no CPE), range: < 6.0.35-1.el8_10
- pkg:rpm/almalinux/dotnet-hostfxr-8.0 (no CPE), range: < 8.0.10-1.el8_10
- pkg:rpm/almalinux/dotnet-runtime-6.0 (no CPE), range: < 6.0.35-1.el8_10
- pkg:rpm/almalinux/dotnet-runtime-8.0 (no CPE), range: < 8.0.10-1.el8_10
- pkg:rpm/almalinux/dotnet-runtime-dbg-8.0 (no CPE), range: < 8.0.10-1.el8_10
- pkg:rpm/almalinux/dotnet-sdk-6.0 (no CPE), range: < 6.0.135-1.el8_10
- pkg:rpm/almalinux/dotnet-sdk-6.0-source-built-artifacts (no CPE), range: < 6.0.135-1.el8_10
- pkg:rpm/almalinux/dotnet-sdk-8.0 (no CPE), range: < 8.0.110-1.el8_10
- pkg:rpm/almalinux/dotnet-sdk-8.0-source-built-artifacts (no CPE), range: < 8.0.110-1.el8_10
- pkg:rpm/almalinux/dotnet-sdk-dbg-8.0 (no CPE), range: < 8.0.110-1.el8_10
- pkg:rpm/almalinux/dotnet-targeting-pack-6.0 (no CPE), range: < 6.0.35-1.el8_10
- pkg:rpm/almalinux/dotnet-targeting-pack-8.0 (no CPE), range: < 8.0.10-1.el8_10
- pkg:rpm/almalinux/dotnet-templates-6.0 (no CPE), range: < 6.0.135-1.el8_10
- pkg:rpm/almalinux/dotnet-templates-8.0 (no CPE), range: < 8.0.110-1.el8_10
- pkg:rpm/almalinux/netstandard-targeting-pack-2.1 (no CPE), range: < 8.0.110-1.el8_10
- Microsoft/Microsoft .NET Framework 2.0 Service Pack 2 (v5), range: 2.0.0
- Microsoft/Microsoft .NET Framework 3.0 Service Pack 2 (v5), range: 3.0.0
- Microsoft/Microsoft .NET Framework 3.5 (v5), range: 3.5.0
- Microsoft/Microsoft .NET Framework 3.5.1 (v5), range: 3.5.0
- Microsoft/Microsoft .NET Framework 3.5 AND 4.7.2 (v5), range: 4.7.0
- Microsoft/Microsoft .NET Framework 3.5 AND 4.8 (v5), range: 4.8.0
- Microsoft/Microsoft .NET Framework 3.5 AND 4.8.1 (v5), range: 4.8.1
- Microsoft/Microsoft .NET Framework 4.6.2 (v5), range: 4.7.0
- Microsoft/Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 (v5), range: 4.7.0
- Microsoft/Microsoft .NET Framework 4.6/4.6.2 (v5), range: 10.0.0.0
- Microsoft/Microsoft .NET Framework 4.8 (v5), range: 4.8.0
- Microsoft/Microsoft Visual Studio 2022 version 17.10 (v5), range: 17.10
- Microsoft/Microsoft Visual Studio 2022 version 17.11 (v5), range: 17.11
- Microsoft/Microsoft Visual Studio 2022 version 17.6 (v5), range: 17.6.0
- Microsoft/Microsoft Visual Studio 2022 version 17.8 (v5), range: 17.8.0
- Microsoft/.NET 6.0 (v5), range: 6.0.0
- Microsoft/.NET 8.0 (v5), range: 8.0.0
- Microsoft/PowerShell 7.2 (v5), range: 7.2.0
- Microsoft/PowerShell 7.4 (v5), range: 7.4.0
References
- github.com/advisories/GHSA-f32c-w444-8ppv (ghsa, ADVISORY)
- msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43484 (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2024-43484 (ghsa, ADVISORY)
- github.com/dotnet/announcements/issues/328 (ghsa, WEB)
- github.com/dotnet/runtime/issues/108676 (ghsa, WEB)
- github.com/dotnet/runtime/security/advisories/GHSA-f32c-w444-8ppv (ghsa, WEB)
- security.netapp.com/advisory/ntap-20250328-0007 (ghsa, WEB)