High severity7.5NVD Advisory· Published Mar 19, 2026· Updated Apr 22, 2026

CVE-2026-25667

Description

ASP.NET Core Kestrel in Microsoft .NET 8.0 before 8.0.22 and .NET 9.0 before 9.0.11 allows a remote attacker to cause excessive CPU consumption by sending a crafted QUIC packet, because of an incorrect exit condition for HTTP/3 Encoder/Decoder stream processing.

Affected products

Microsoft/Net
cpe:2.3:a:microsoft:.net:*:*:*:*:*:*:*:*
Range: >=8.0.0,<8.0.22

Patches

96ccc40a0e09

https://github.com/dotnet/aspnetcorevia nvd-ref

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/dotnet/aspnetcore/commit/96ccc40a0e095424b19506e8268b9b1a3e23d6a7nvdPatch

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.012
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000