.NET and Visual Studio Denial of Service Vulnerability
Description
.NET and Visual Studio Denial of Service Vulnerability
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Incorrect input validation in .NET's NrbfDecoder component leads to a denial of service vulnerability, affecting applications using the System.Formats.Nrbf package.
The vulnerability exists in the NrbfDecoder component within the System.Formats.Nrbf package of .NET 9.0. Due to improper input validation, an attacker can cause a denial of service by providing specially crafted input to the decoder [1].
Attack Vector
Applications that explicitly use the NrbfDecoder are vulnerable. Default .NET console and web apps do not reference this component, limiting the attack surface. The attacker must supply malformed data to the NrbfDecoder, which could occur if the application processes untrusted binary data [1].
Impact
Successful exploitation results in a denial of service, potentially crashing the application or making it unresponsive [1].
Mitigation
Microsoft has released version 9.0.0 of the System.Formats.Nrbf package, which fixes the vulnerability. Developers should update their .NET SDK and package references to the patched version [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| System.Formats.Nrbf (NuGet) | < 9.0.0 | 9.0.0 |
Affected products
- Microsoft/Microsoft Visual Studio 2022 version 17.10, v5, Range: 17.10
- Microsoft/Microsoft Visual Studio 2022 version 17.11, v5, Range: 17.11
- Microsoft/Microsoft Visual Studio 2022 version 17.6, v5, Range: 17.6.0
- Microsoft/Microsoft Visual Studio 2022 version 17.8, v5, Range: 17.8.0
- Microsoft/.NET 9.0, v5, Range: 9.0.0
- Microsoft/PowerShell 7.5, v5, Range: 7.5.0
References
- github.com/advisories/GHSA-6x36-qxmj-rv4p (ghsa, ADVISORY)
- msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43499 (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2024-43499 (ghsa, ADVISORY)
- github.com/dotnet/runtime/security/advisories/GHSA-6x36-qxmj-rv4p (ghsa, WEB)