.NET and Visual Studio Remote Code Execution Vulnerability
Description
.NET and Visual Studio Remote Code Execution Vulnerability
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2025-21172 is a remote code execution vulnerability in .NET and Visual Studio caused by an integer overflow in msdia140.dll, exploitable via a malicious package file.
Vulnerability Overview
CVE-2025-21172 is a remote code execution vulnerability in .NET and Visual Studio, stemming from an integer overflow (CWE-190) that leads to a heap-based buffer overflow (CWE-122) in the msdia140.dll component [1][2][3]. This affects .NET 6.0 (up to 6.0.36), .NET 8.0 (up to 8.0.11), and .NET 9.0 (up to 9.0.0) [3].
Exploitation
An attacker can exploit this vulnerability by convincing a user to open a specially crafted package file in Visual Studio [2][3]. User interaction is required, and no authentication is needed beyond the user's session. Successful exploitation does not require any special privileges [2].
Impact
If exploited, an attacker can achieve remote code execution in the context of the current user, potentially allowing them to install programs, view, change, or delete data, or create new accounts with full user rights [2].
Mitigation
Microsoft has released patches to address this vulnerability: .NET 6.0.37, .NET 8.0.12, and .NET 9.0.1 [1]. Users should update their .NET SDK and runtime to the latest versions. Additionally, self-contained applications compiled against vulnerable versions must be recompiled and redeployed [3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.NetCore.App.Runtime.linux-arm (NuGet) | >= 9.0.0, < 9.0.1 | 9.0.1 |
| Microsoft.NetCore.App.Runtime.linux-arm64 (NuGet) | >= 9.0.0, < 9.0.1 | 9.0.1 |
| Microsoft.NetCore.App.Runtime.linux-musl-arm (NuGet) | >= 9.0.0, < 9.0.1 | 9.0.1 |
| Microsoft.NetCore.App.Runtime.linux-musl-arm64 (NuGet) | >= 9.0.0, < 9.0.1 | 9.0.1 |
| Microsoft.NetCore.App.Runtime.linux-musl-x64 (NuGet) | >= 9.0.0, < 9.0.1 | 9.0.1 |
| Microsoft.NetCore.App.Runtime.linux-x64 (NuGet) | >= 9.0.0, < 9.0.1 | 9.0.1 |
| Microsoft.NetCore.App.Runtime.osx-arm64 (NuGet) | >= 9.0.0, < 9.0.1 | 9.0.1 |
| Microsoft.NetCore.App.Runtime.osx-x64 (NuGet) | >= 9.0.0, < 9.0.1 | 9.0.1 |
| Microsoft.NetCore.App.Runtime.win-arm (NuGet) | >= 9.0.0, < 9.0.1 | 9.0.1 |
| Microsoft.NetCore.App.Runtime.win-arm64 (NuGet) | >= 9.0.0, < 9.0.1 | 9.0.1 |
| Microsoft.NetCore.App.Runtime.win-x64 (NuGet) | >= 9.0.0, < 9.0.1 | 9.0.1 |
| Microsoft.NetCore.App.Runtime.win-x86 (NuGet) | >= 9.0.0, < 9.0.1 | 9.0.1 |
| Microsoft.NetCore.App.Runtime.win-x64 (NuGet) | >= 8.0.0, < 8.0.12 | 8.0.12 |
| Microsoft.NetCore.App.Runtime.win-arm64 (NuGet) | >= 8.0.0, < 8.0.12 | 8.0.12 |
| Microsoft.NetCore.App.Runtime.win-arm (NuGet) | >= 8.0.0, < 8.0.12 | 8.0.12 |
| Microsoft.NetCore.App.Runtime.osx-x64 (NuGet) | >= 8.0.0, < 8.0.12 | 8.0.12 |
| Microsoft.NetCore.App.Runtime.osx-arm64 (NuGet) | >= 8.0.0, < 8.0.12 | 8.0.12 |
| Microsoft.NetCore.App.Runtime.linux-x64 (NuGet) | >= 8.0.0, < 8.0.12 | 8.0.12 |
| Microsoft.NetCore.App.Runtime.linux-musl-x64 (NuGet) | >= 8.0.0, < 8.0.12 | 8.0.12 |
| Microsoft.NetCore.App.Runtime.linux-musl-arm64 (NuGet) | >= 8.0.0, < 8.0.12 | 8.0.12 |
| Microsoft.NetCore.App.Runtime.linux-musl-arm (NuGet) | >= 8.0.0, < 8.0.12 | 8.0.12 |
| Microsoft.NetCore.App.Runtime.linux-arm64 (NuGet) | >= 8.0.0, < 8.0.12 | 8.0.12 |
| Microsoft.NetCore.App.Runtime.linux-arm (NuGet) | >= 8.0.0, < 8.0.12 | 8.0.12 |
Affected products
osv-coords (44 versions):
- pkg:apk/chainguard/dotnet-bootstrap-9 (no CPE), range: < 9.0.200-r0
- pkg:apk/wolfi/dotnet-bootstrap-9 (no CPE), range: < 9.0.200-r0
- pkg:bitnami/dotnet (no CPE), range: >= 8.0.0, < 8.0.1
- pkg:bitnami/dotnet-sdk (no CPE), range: >= 8.0.0, < 8.0.101
- pkg:nuget/microsoft.netcore.app.runtime.linux-arm (no CPE), range: >= 9.0.0, < 9.0.1
- pkg:nuget/microsoft.netcore.app.runtime.linux-arm64 (no CPE), range: >= 9.0.0, < 9.0.1
- pkg:nuget/microsoft.netcore.app.runtime.linux-musl-arm (no CPE), range: >= 9.0.0, < 9.0.1
- pkg:nuget/microsoft.netcore.app.runtime.linux-musl-arm64 (no CPE), range: >= 9.0.0, < 9.0.1
- pkg:nuget/microsoft.netcore.app.runtime.linux-musl-x64 (no CPE), range: >= 9.0.0, < 9.0.1
- pkg:nuget/microsoft.netcore.app.runtime.linux-x64 (no CPE), range: >= 9.0.0, < 9.0.1
- pkg:nuget/microsoft.netcore.app.runtime.osx-arm64 (no CPE), range: >= 9.0.0, < 9.0.1
- pkg:nuget/microsoft.netcore.app.runtime.osx-x64 (no CPE), range: >= 9.0.0, < 9.0.1
- pkg:nuget/microsoft.netcore.app.runtime.win-arm (no CPE), range: >= 9.0.0, < 9.0.1
- pkg:nuget/microsoft.netcore.app.runtime.win-arm64 (no CPE), range: >= 9.0.0, < 9.0.1
- pkg:nuget/microsoft.netcore.app.runtime.win-x64 (no CPE), range: >= 9.0.0, < 9.0.1
- pkg:nuget/microsoft.netcore.app.runtime.win-x86 (no CPE), range: >= 9.0.0, < 9.0.1
- pkg:rpm/almalinux/aspnetcore-runtime-8.0 (no CPE), range: < 8.0.12-1.el8_10
- pkg:rpm/almalinux/aspnetcore-runtime-9.0 (no CPE), range: < 9.0.1-1.el8_10
- pkg:rpm/almalinux/aspnetcore-runtime-dbg-8.0 (no CPE), range: < 8.0.12-1.el8_10
- pkg:rpm/almalinux/aspnetcore-runtime-dbg-9.0 (no CPE), range: < 9.0.1-1.el8_10
- pkg:rpm/almalinux/aspnetcore-targeting-pack-8.0 (no CPE), range: < 8.0.12-1.el8_10
- pkg:rpm/almalinux/aspnetcore-targeting-pack-9.0 (no CPE), range: < 9.0.1-1.el8_10
- pkg:rpm/almalinux/dotnet (no CPE), range: < 9.0.102-1.el8_10
- pkg:rpm/almalinux/dotnet-apphost-pack-8.0 (no CPE), range: < 8.0.12-1.el8_10
- pkg:rpm/almalinux/dotnet-apphost-pack-9.0 (no CPE), range: < 9.0.1-1.el8_10
- pkg:rpm/almalinux/dotnet-host (no CPE), range: < 9.0.1-1.el8_10
- pkg:rpm/almalinux/dotnet-hostfxr-8.0 (no CPE), range: < 8.0.12-1.el8_10
- pkg:rpm/almalinux/dotnet-hostfxr-9.0 (no CPE), range: < 9.0.1-1.el8_10
- pkg:rpm/almalinux/dotnet-runtime-8.0 (no CPE), range: < 8.0.12-1.el8_10
- pkg:rpm/almalinux/dotnet-runtime-9.0 (no CPE), range: < 9.0.1-1.el8_10
- pkg:rpm/almalinux/dotnet-runtime-dbg-8.0 (no CPE), range: < 8.0.12-1.el8_10
- pkg:rpm/almalinux/dotnet-runtime-dbg-9.0 (no CPE), range: < 9.0.1-1.el8_10
- pkg:rpm/almalinux/dotnet-sdk-8.0 (no CPE), range: < 8.0.112-1.el8_10
- pkg:rpm/almalinux/dotnet-sdk-8.0-source-built-artifacts (no CPE), range: < 8.0.112-1.el8_10
- pkg:rpm/almalinux/dotnet-sdk-9.0 (no CPE), range: < 9.0.102-1.el8_10
- pkg:rpm/almalinux/dotnet-sdk-9.0-source-built-artifacts (no CPE), range: < 9.0.102-1.el8_10
- pkg:rpm/almalinux/dotnet-sdk-aot-9.0 (no CPE), range: < 9.0.102-1.el8_10
- pkg:rpm/almalinux/dotnet-sdk-dbg-8.0 (no CPE), range: < 8.0.112-1.el8_10
- pkg:rpm/almalinux/dotnet-sdk-dbg-9.0 (no CPE), range: < 9.0.102-1.el8_10
- pkg:rpm/almalinux/dotnet-targeting-pack-8.0 (no CPE), range: < 8.0.12-1.el8_10
- pkg:rpm/almalinux/dotnet-targeting-pack-9.0 (no CPE), range: < 9.0.1-1.el8_10
- pkg:rpm/almalinux/dotnet-templates-8.0 (no CPE), range: < 8.0.112-1.el8_10
- pkg:rpm/almalinux/dotnet-templates-9.0 (no CPE), range: < 9.0.102-1.el8_10
- pkg:rpm/almalinux/netstandard-targeting-pack-2.1 (no CPE), range: < 9.0.102-1.el8_10
- Microsoft/Microsoft Visual Studio 2015 Update 3 (v5), range: 14.0.0
- Microsoft/Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8) (v5), range: 15.9.0
- Microsoft/Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10) (v5), range: 16.11.0
- Microsoft/Microsoft Visual Studio 2022 version 17.10 (v5), range: 17.10.0
- Microsoft/Microsoft Visual Studio 2022 version 17.12 (v5), range: 17.12.0
- Microsoft/Microsoft Visual Studio 2022 version 17.6 (v5), range: 17.6.0
- Microsoft/Microsoft Visual Studio 2022 version 17.8 (v5), range: 17.8.0
- Microsoft/.NET 8.0 (v5), range: 8.0.0
- Microsoft/.NET 9.0 (v5), range: 9.0.0
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-jjcv-wr2g-4rv4 (ghsa, ADVISORY)
- msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21172 (ghsa, vendor-advisory, patch, WEB)
- nvd.nist.gov/vuln/detail/CVE-2025-21172 (ghsa, ADVISORY)
- github.com/dotnet/runtime/security/advisories/GHSA-jjcv-wr2g-4rv4 (ghsa, WEB)
- www.herodevs.com/vulnerability-directory/cve-2025-21172 (ghsa, WEB)