VYPR
High severity7.5NVD Advisory· Published Mar 19, 2026· Updated Apr 22, 2026

CVE-2026-25667

CVE-2026-25667

Description

ASP.NET Core Kestrel in Microsoft .NET 8.0 before 8.0.22 and .NET 9.0 before 9.0.11 allows a remote attacker to cause excessive CPU consumption by sending a crafted QUIC packet, because of an incorrect exit condition for HTTP/3 Encoder/Decoder stream processing.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

5
  • Microsoft/Net2 versions
    cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*range: >=8.0.0,<8.0.22
    • (no CPE)range: >= 8.0, < 8.0.22; >= 9.0, < 9.0.11
  • Range: >= 8.0, < 8.0.22; >= 9.0, < 9.0.11
  • osv-coords2 versions
    >= 8.0.0, < 8.0.22+ 1 more
    • (no CPE)range: >= 8.0.0, < 8.0.22
    • (no CPE)range: >= 8.0.0, < 8.0.22

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.