.NET and Visual Studio Remote Code Execution Vulnerability
Description
.NET and Visual Studio Remote Code Execution Vulnerability
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
.NET 9.0 remote code execution vulnerability in the NrbfDecoder component allows unauthenticated attackers to execute arbitrary code via specially crafted requests.
Vulnerability Overview
CVE-2024-43498 is a remote code execution vulnerability in .NET 9.0, specifically affecting the System.Formats.Nrbf component, including versions prior to 9.0.0. The flaw resides in the NrbfDecoder, which is used for deserializing data in the NRBF format. By default, .NET console and web applications do not reference this component, limiting the attack surface to applications that explicitly use it [1].
Exploitation Method
An unauthenticated remote attacker can exploit this vulnerability by sending specially crafted requests to a .NET web application that uses the vulnerable component, or by loading a specially crafted file into a vulnerable application. No authentication is required to trigger the vulnerability, making it accessible from the network [1].
Impact
Successful exploitation allows the attacker to execute arbitrary code on the target system with the same privileges as the application process. This could lead to full compromise of the affected system, including data theft, installation of malware, or further lateral movement within the network [1].
Mitigation Status
Microsoft has released a patch in .NET 9.0.0 to address the vulnerability. Developers are advised to update their .NET SDK and runtime to version 9.0.0 or later, and to update the System.Formats.Nrbf package to version 9.0.0 if referenced in their projects. The advisory notes that upgrading to 9.0 GA alone may not be sufficient if the vulnerable package is still referenced [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| System.Formats.Nrbf (NuGet) | < 9.0.0 | 9.0.0 |
Affected products
osv-coords (43 packages):
- pkg:apk/chainguard/aspnet-9-runtime (no CPE) range: < 9.0.2-r0
- pkg:apk/chainguard/aspnet-9-runtime-default (no CPE) range: < 9.0.2-r0
- pkg:apk/chainguard/aspnet-9-targeting-pack (no CPE) range: < 9.0.2-r0
- pkg:apk/chainguard/dotnet-9 (no CPE) range: < 9.0.2-r0
- pkg:apk/chainguard/dotnet-9-aot (no CPE) range: < 9.0.2-r0
- pkg:apk/chainguard/dotnet-9-runtime (no CPE) range: < 9.0.2-r0
- pkg:apk/chainguard/dotnet-9-runtime-default (no CPE) range: < 9.0.2-r0
- pkg:apk/chainguard/dotnet-9-sdk (no CPE) range: < 9.0.2-r0
- pkg:apk/chainguard/dotnet-9-sdk-default (no CPE) range: < 9.0.2-r0
- pkg:apk/chainguard/dotnet-9-targeting-pack (no CPE) range: < 9.0.2-r0
- pkg:apk/chainguard/dotnet-bootstrap-9 (no CPE) range: < 9.0.200-r0
- pkg:apk/chainguard/netstandard-9-targeting-pack (no CPE) range: < 9.0.2-r0
- pkg:apk/wolfi/aspnet-9-runtime (no CPE) range: < 9.0.2-r0
- pkg:apk/wolfi/aspnet-9-runtime-default (no CPE) range: < 9.0.2-r0
- pkg:apk/wolfi/aspnet-9-targeting-pack (no CPE) range: < 9.0.2-r0
- pkg:apk/wolfi/dotnet-9 (no CPE) range: < 9.0.2-r0
- pkg:apk/wolfi/dotnet-9-aot (no CPE) range: < 9.0.2-r0
- pkg:apk/wolfi/dotnet-9-runtime (no CPE) range: < 9.0.2-r0
- pkg:apk/wolfi/dotnet-9-runtime-default (no CPE) range: < 9.0.2-r0
- pkg:apk/wolfi/dotnet-9-sdk (no CPE) range: < 9.0.2-r0
- pkg:apk/wolfi/dotnet-9-sdk-default (no CPE) range: < 9.0.2-r0
- pkg:apk/wolfi/dotnet-9-targeting-pack (no CPE) range: < 9.0.2-r0
- pkg:apk/wolfi/dotnet-bootstrap-9 (no CPE) range: < 9.0.200-r0
- pkg:apk/wolfi/netstandard-9-targeting-pack (no CPE) range: < 9.0.2-r0
- pkg:bitnami/dotnet (no CPE) range: >= 9.0.0, < 9.0.1
- pkg:bitnami/dotnet-sdk (no CPE) range: >= 9.0.0, < 9.0.1
- pkg:deb/ubuntu/dotnet9@9.0.100-9.0.0-0ubuntu1~24.10.1?arch=source&distro=oracular (no CPE) range: < 9.0.100-9.0.0-0ubuntu1~24.10.1
- pkg:nuget/system.formats.nrbf (no CPE) range: < 9.0.0
- pkg:rpm/almalinux/aspnetcore-runtime-9.0 (no CPE) range: < 9.0.0-1.el9_5
- pkg:rpm/almalinux/aspnetcore-runtime-dbg-9.0 (no CPE) range: < 9.0.0-1.el9_5
- pkg:rpm/almalinux/aspnetcore-targeting-pack-9.0 (no CPE) range: < 9.0.0-1.el9_5
- pkg:rpm/almalinux/dotnet-apphost-pack-9.0 (no CPE) range: < 9.0.0-1.el9_5
- pkg:rpm/almalinux/dotnet-host (no CPE) range: < 9.0.0-1.el9_5
- pkg:rpm/almalinux/dotnet-hostfxr-9.0 (no CPE) range: < 9.0.0-1.el9_5
- pkg:rpm/almalinux/dotnet-runtime-9.0 (no CPE) range: < 9.0.0-1.el9_5
- pkg:rpm/almalinux/dotnet-runtime-dbg-9.0 (no CPE) range: < 9.0.0-1.el9_5
- pkg:rpm/almalinux/dotnet-sdk-9.0 (no CPE) range: < 9.0.100-1.el9_5
- pkg:rpm/almalinux/dotnet-sdk-9.0-source-built-artifacts (no CPE) range: < 9.0.100-1.el9_5
- pkg:rpm/almalinux/dotnet-sdk-aot-9.0 (no CPE) range: < 9.0.100-1.el9_5
- pkg:rpm/almalinux/dotnet-sdk-dbg-9.0 (no CPE) range: < 9.0.100-1.el9_5
- pkg:rpm/almalinux/dotnet-targeting-pack-9.0 (no CPE) range: < 9.0.0-1.el9_5
- pkg:rpm/almalinux/dotnet-templates-9.0 (no CPE) range: < 9.0.100-1.el9_5
- pkg:rpm/almalinux/netstandard-targeting-pack-2.1 (no CPE) range: < 9.0.100-1.el9_5
- Microsoft/Microsoft Visual Studio 2022 version 17.10 (v5) Range: 17.10
- Microsoft/Microsoft Visual Studio 2022 version 17.11 (v5) Range: 17.11
- Microsoft/Microsoft Visual Studio 2022 version 17.6 (v5) Range: 17.6.0
- Microsoft/Microsoft Visual Studio 2022 version 17.8 (v5) Range: 17.8.0
- Microsoft/.NET 9.0 (v5) Range: 9.0.0
- Microsoft/PowerShell 7.5 (v5) Range: 7.5.0
References
- github.com/advisories/GHSA-v7vf-f5q6-m899 (ghsa, ADVISORY)
- msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43498 (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2024-43498 (ghsa, ADVISORY)
- github.com/dotnet/runtime/security/advisories/GHSA-v7vf-f5q6-m899 (ghsa, WEB)