.NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability
Description
.NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A buffer over-read vulnerability in DiaSymReader.dll allows remote code execution in .NET, .NET Framework, and Visual Studio via specially crafted files.
Root Cause
CVE-2025-21176 is a high-severity remote code execution vulnerability in .NET, .NET Framework, and Visual Studio. The issue resides in the DiaSymReader.dll component, which suffers from a buffer over-read (CWE-126). Insufficient input validation allows an attacker to craft a file that, when loaded by the affected application, reads beyond the intended buffer boundary [1][3].
Exploitation
The vulnerability is triggered by loading a specially crafted file into Visual Studio or any .NET application that uses the affected runtime versions. The attack does not require authentication but relies on the victim opening the malicious file. The vulnerable software includes .NET 6.0.0 through 6.0.36, .NET 8.0.0 through 8.0.11, and .NET 9.0.0. All platform-specific NuGet packages (linux, osx, win) and self-contained deployments are affected [1][3].
Impact
Successful exploitation allows an attacker to execute arbitrary code in the context of the application. This could lead to full system compromise, data theft, or further lateral movement within a network. The vulnerability is listed as remote code execution, and because Visual Studio is a development tool, crafted project files or solution files could be used as vectors [3].
Mitigation
Microsoft has released patched versions: .NET 8.0.12 and .NET 9.0.1. For .NET 6.0, which is out of standard support, a fix is available through HeroDevs' Never-Ending Support (NES) v6.1.0. Users must update their runtime and SDK, and any self-contained applications must be recompiled and redeployed. No workarounds have been provided, and the vulnerability is not currently listed on the CISA KEV [1][3].
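An added example (not part of the advisory or of Microsoft's tooling) that applies the version ranges above to a host inventory. It assumes the usual `dotnet --list-runtimes` line format and the `runtimepack.` library keys that self-contained apps carry in their `*.deps.json`; the function names and sample inputs are constructed for illustration.

```python
import json
import re

# Affected Microsoft.NETCore.App ranges as stated on this page:
# (major, minor) -> (last affected patch, fix named on the page).
AFFECTED = {
    (6, 0): (36, "HeroDevs NES v6.1.0"),  # no Microsoft release is named for 6.0
    (8, 0): (11, "8.0.12"),
    (9, 0): (0, "9.0.1"),
}
VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)")  # pre-release suffix ignored (assumption)
RUNTIME_LINE = re.compile(r"^Microsoft\.NETCore\.App\s+(\S+)\s+\[")
RUNTIME_PACK = re.compile(r"^runtimepack\.Microsoft\.NETCore\.App\.Runtime\.[^/]+/(.+)$", re.I)

def fix_for(version):
    """Return the fix named on the page if `version` is affected, else None."""
    m = VERSION.match(version)
    if not m:
        return None
    major, minor, patch = map(int, m.groups())
    last_bad, fix = AFFECTED.get((major, minor), (-1, None))
    return fix if patch <= last_bad else None

def audit_shared_runtimes(listing):
    """Flag affected shared runtimes in `dotnet --list-runtimes` output."""
    found = (RUNTIME_LINE.match(line.strip()) for line in listing.splitlines())
    return [(m.group(1), fix_for(m.group(1))) for m in found if m and fix_for(m.group(1))]

def audit_deps_json(text):
    """Flag an affected runtime pack bundled into a self-contained app (*.deps.json)."""
    keys = json.loads(text).get("libraries", {})
    found = ((k, RUNTIME_PACK.match(k)) for k in keys)
    return [(k, fix_for(m.group(1))) for k, m in found if m and fix_for(m.group(1))]

# Constructed sample inputs (not taken from a real host or application).
SAMPLE_LISTING = """\
Microsoft.AspNetCore.App 8.0.11 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 6.0.36 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.12 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 9.0.0 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""
SAMPLE_DEPS = json.dumps({"libraries": {
    "demo/1.0.0": {"type": "project"},
    "runtimepack.Microsoft.NETCore.App.Runtime.linux-x64/8.0.11": {"type": "runtimepack"},
}})

if __name__ == "__main__":
    print(audit_shared_runtimes(SAMPLE_LISTING))
    print(audit_deps_json(SAMPLE_DEPS))
```

A hit from `audit_deps_json` means the application bundles its own runtime, so updating the host runtime does not fix it; it has to be rebuilt and redeployed as the mitigation text states.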
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.NetCore.App.Runtime.linux-arm (NuGet) | >= 9.0.0, < 9.0.1 | 9.0.1 |
| Microsoft.NetCore.App.Runtime.linux-arm64 (NuGet) | >= 9.0.0, < 9.0.1 | 9.0.1 |
| Microsoft.NetCore.App.Runtime.linux-musl-arm (NuGet) | >= 9.0.0, < 9.0.1 | 9.0.1 |
| Microsoft.NetCore.App.Runtime.linux-musl-arm64 (NuGet) | >= 9.0.0, < 9.0.1 | 9.0.1 |
| Microsoft.NetCore.App.Runtime.linux-musl-x64 (NuGet) | >= 9.0.0, < 9.0.1 | 9.0.1 |
| Microsoft.NetCore.App.Runtime.linux-x64 (NuGet) | >= 9.0.0, < 9.0.1 | 9.0.1 |
| Microsoft.NetCore.App.Runtime.osx-arm64 (NuGet) | >= 9.0.0, < 9.0.1 | 9.0.1 |
| Microsoft.NetCore.App.Runtime.osx-x64 (NuGet) | >= 9.0.0, < 9.0.1 | 9.0.1 |
| Microsoft.NetCore.App.Runtime.win-arm (NuGet) | >= 9.0.0, < 9.0.1 | 9.0.1 |
| Microsoft.NetCore.App.Runtime.win-arm64 (NuGet) | >= 9.0.0, < 9.0.1 | 9.0.1 |
| Microsoft.NetCore.App.Runtime.win-x64 (NuGet) | >= 9.0.0, < 9.0.1 | 9.0.1 |
| Microsoft.NetCore.App.Runtime.win-x86 (NuGet) | >= 9.0.0, < 9.0.1 | 9.0.1 |
| Microsoft.NetCore.App.Runtime.linux-arm (NuGet) | >= 8.0.0, < 8.0.12 | 8.0.12 |
| Microsoft.NetCore.App.Runtime.linux-arm64 (NuGet) | >= 8.0.0, < 8.0.12 | 8.0.12 |
| Microsoft.NetCore.App.Runtime.linux-musl-arm (NuGet) | >= 8.0.0, < 8.0.12 | 8.0.12 |
| Microsoft.NetCore.App.Runtime.linux-musl-arm64 (NuGet) | >= 8.0.0, < 8.0.12 | 8.0.12 |
| Microsoft.NetCore.App.Runtime.linux-musl-x64 (NuGet) | >= 8.0.0, < 8.0.12 | 8.0.12 |
| Microsoft.NetCore.App.Runtime.linux-x64 (NuGet) | >= 8.0.0, < 8.0.12 | 8.0.12 |
| Microsoft.NetCore.App.Runtime.osx-arm64 (NuGet) | >= 8.0.0, < 8.0.12 | 8.0.12 |
| Microsoft.NetCore.App.Runtime.osx-x64 (NuGet) | >= 8.0.0, < 8.0.12 | 8.0.12 |
| Microsoft.NetCore.App.Runtime.win-arm (NuGet) | >= 8.0.0, < 8.0.12 | 8.0.12 |
| Microsoft.NetCore.App.Runtime.win-arm64 (NuGet) | >= 8.0.0, < 8.0.12 | 8.0.12 |
| Microsoft.NetCore.App.Runtime.win-x64 (NuGet) | >= 8.0.0, < 8.0.12 | 8.0.12 |
| Microsoft.NetCore.App.Runtime.win-x86 (NuGet) | >= 8.0.0, < 8.0.12 | 8.0.12 |
Affected products
OSV coordinates (44 packages, no CPE assigned):

| Package URL | Affected range |
|---|---|
| pkg:apk/chainguard/dotnet-bootstrap-9 | < 9.0.200-r0 |
| pkg:apk/wolfi/dotnet-bootstrap-9 | < 9.0.200-r0 |
| pkg:bitnami/dotnet | >= 8.0.0, < 8.0.1 |
| pkg:bitnami/dotnet-sdk | >= 8.0.0, < 8.0.101 |
| pkg:nuget/microsoft.netcore.app.runtime.linux-arm | >= 9.0.0, < 9.0.1 |
| pkg:nuget/microsoft.netcore.app.runtime.linux-arm64 | >= 9.0.0, < 9.0.1 |
| pkg:nuget/microsoft.netcore.app.runtime.linux-musl-arm | >= 9.0.0, < 9.0.1 |
| pkg:nuget/microsoft.netcore.app.runtime.linux-musl-arm64 | >= 9.0.0, < 9.0.1 |
| pkg:nuget/microsoft.netcore.app.runtime.linux-musl-x64 | >= 9.0.0, < 9.0.1 |
| pkg:nuget/microsoft.netcore.app.runtime.linux-x64 | >= 9.0.0, < 9.0.1 |
| pkg:nuget/microsoft.netcore.app.runtime.osx-arm64 | >= 9.0.0, < 9.0.1 |
| pkg:nuget/microsoft.netcore.app.runtime.osx-x64 | >= 9.0.0, < 9.0.1 |
| pkg:nuget/microsoft.netcore.app.runtime.win-arm | >= 9.0.0, < 9.0.1 |
| pkg:nuget/microsoft.netcore.app.runtime.win-arm64 | >= 9.0.0, < 9.0.1 |
| pkg:nuget/microsoft.netcore.app.runtime.win-x64 | >= 9.0.0, < 9.0.1 |
| pkg:nuget/microsoft.netcore.app.runtime.win-x86 | >= 9.0.0, < 9.0.1 |
| pkg:rpm/almalinux/aspnetcore-runtime-8.0 | < 8.0.12-1.el8_10 |
| pkg:rpm/almalinux/aspnetcore-runtime-9.0 | < 9.0.1-1.el8_10 |
| pkg:rpm/almalinux/aspnetcore-runtime-dbg-8.0 | < 8.0.12-1.el8_10 |
| pkg:rpm/almalinux/aspnetcore-runtime-dbg-9.0 | < 9.0.1-1.el8_10 |
| pkg:rpm/almalinux/aspnetcore-targeting-pack-8.0 | < 8.0.12-1.el8_10 |
| pkg:rpm/almalinux/aspnetcore-targeting-pack-9.0 | < 9.0.1-1.el8_10 |
| pkg:rpm/almalinux/dotnet | < 9.0.102-1.el8_10 |
| pkg:rpm/almalinux/dotnet-apphost-pack-8.0 | < 8.0.12-1.el8_10 |
| pkg:rpm/almalinux/dotnet-apphost-pack-9.0 | < 9.0.1-1.el8_10 |
| pkg:rpm/almalinux/dotnet-host | < 9.0.1-1.el8_10 |
| pkg:rpm/almalinux/dotnet-hostfxr-8.0 | < 8.0.12-1.el8_10 |
| pkg:rpm/almalinux/dotnet-hostfxr-9.0 | < 9.0.1-1.el8_10 |
| pkg:rpm/almalinux/dotnet-runtime-8.0 | < 8.0.12-1.el8_10 |
| pkg:rpm/almalinux/dotnet-runtime-9.0 | < 9.0.1-1.el8_10 |
| pkg:rpm/almalinux/dotnet-runtime-dbg-8.0 | < 8.0.12-1.el8_10 |
| pkg:rpm/almalinux/dotnet-runtime-dbg-9.0 | < 9.0.1-1.el8_10 |
| pkg:rpm/almalinux/dotnet-sdk-8.0 | < 8.0.112-1.el8_10 |
| pkg:rpm/almalinux/dotnet-sdk-8.0-source-built-artifacts | < 8.0.112-1.el8_10 |
| pkg:rpm/almalinux/dotnet-sdk-9.0 | < 9.0.102-1.el8_10 |
| pkg:rpm/almalinux/dotnet-sdk-9.0-source-built-artifacts | < 9.0.102-1.el8_10 |
| pkg:rpm/almalinux/dotnet-sdk-aot-9.0 | < 9.0.102-1.el8_10 |
| pkg:rpm/almalinux/dotnet-sdk-dbg-8.0 | < 8.0.112-1.el8_10 |
| pkg:rpm/almalinux/dotnet-sdk-dbg-9.0 | < 9.0.102-1.el8_10 |
| pkg:rpm/almalinux/dotnet-targeting-pack-8.0 | < 8.0.12-1.el8_10 |
| pkg:rpm/almalinux/dotnet-targeting-pack-9.0 | < 9.0.1-1.el8_10 |
| pkg:rpm/almalinux/dotnet-templates-8.0 | < 8.0.112-1.el8_10 |
| pkg:rpm/almalinux/dotnet-templates-9.0 | < 9.0.102-1.el8_10 |
| pkg:rpm/almalinux/netstandard-targeting-pack-2.1 | < 9.0.102-1.el8_10 |
- Microsoft/Microsoft .NET Framework 3.5 AND 4.6.2/4.7/4.7.1/4.7.2 (v5), range: 3.0.0.0
- Microsoft/Microsoft .NET Framework 3.5 AND 4.7.2 (v5), range: 4.7.0
- Microsoft/Microsoft .NET Framework 3.5 AND 4.8 (v5), range: 4.8.0
- Microsoft/Microsoft .NET Framework 3.5 AND 4.8.1 (v5), range: 4.8.1
- Microsoft/Microsoft .NET Framework 4.6.2 (v5), range: 4.7.0
- Microsoft/Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 (v5), range: 4.7.0
- Microsoft/Microsoft .NET Framework 4.6/4.6.2 (v5), range: 10.0.0.0
- Microsoft/Microsoft .NET Framework 4.8 (v5), range: 4.8.0
- Microsoft/Microsoft Visual Studio 2015 Update 3 (v5), range: 14.0.0
- Microsoft/Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8) (v5), range: 15.9.0
- Microsoft/Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10) (v5), range: 16.11.0
- Microsoft/Microsoft Visual Studio 2022 version 17.10 (v5), range: 17.10.0
- Microsoft/Microsoft Visual Studio 2022 version 17.12 (v5), range: 17.12.0
- Microsoft/Microsoft Visual Studio 2022 version 17.6 (v5), range: 17.6.0
- Microsoft/Microsoft Visual Studio 2022 version 17.8 (v5), range: 17.8.0
- Microsoft/.NET 8.0 (v5), range: 8.0.0
- Microsoft/.NET 9.0 (v5), range: 9.0.0
References
- github.com/advisories/GHSA-gjf6-3w4p-7xfh (ghsa, ADVISORY)
- msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21176 (ghsa, vendor-advisory, patch, WEB)
- nvd.nist.gov/vuln/detail/CVE-2025-21176 (ghsa, ADVISORY)
- github.com/dotnet/runtime/security/advisories/GHSA-gjf6-3w4p-7xfh (ghsa, WEB)
- www.herodevs.com/vulnerability-directory/cve-2025-21176 (ghsa, WEB)