CVE-2021-24111: .NET Framework Denial of Service Vulnerability

Overview

Severity

High (CVSS 7.5)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C

Category

Denial of Service

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2021-Feb

Released

2021-02-09

Last Updated

2021-02-16

EPSS Score

24.57% (percentile: 96.1%)

FAQ

I am running Windows Server 2008, Windows 7, or Windows Server 2008 R2 and I cannot install the Security Only updates for any of the 4.X versions of Microsoft .NET Framework. How do I protect my system from this vulnerability? There is a known issue with the Monthly Rollup and Security Only updates for the 4.X versions of .NET Framework installed on Windows Server 2008, Windows 7, and Windows Server 2008 R2. If you are unable to install a Monthly Rollup Security Only update, a version 2 is available that addresses the known issue. See the How to obtain and install the update section of the Article for the update you are attempting to install. If you are unable to install a Security Only update Monthly Rollup, for a workaround to this known issue see the Known issues in this update section of the Article for the update you are attempting to install.

Affected Products (54)

Developer Tools

• Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012
• Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
• Microsoft .NET Framework 4.8 on Windows 10 Version 1809 for 32-bit Systems
• Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1
• Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows 8.1 for x64-based systems
• Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2
• Microsoft .NET Framework 4.8 on Windows 10 Version 1803 for 32-bit Systems
• Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows 7 for 32-bit Systems Service Pack 1
• Microsoft .NET Framework 4.8 on Windows 10 Version 1803 for x64-based Systems
• Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows 7 for x64-based Systems Service Pack 1
• Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 (Server Core installation)
• Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 (Server Core installation)
• Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows 8.1 for 32-bit systems
• Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows RT 8.1
• Microsoft .NET Framework 4.8 on Windows 10 Version 1809 for x64-based Systems
• Microsoft .NET Framework 4.8 on Windows Server 2016 (Server Core installation)
• Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for 32-bit Systems
• Microsoft .NET Framework 4.8 on Windows 7 for 32-bit Systems Service Pack 1
• Microsoft .NET Framework 4.8 on Windows 8.1 for 32-bit systems
• Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for x64-based Systems
• Microsoft .NET Framework 4.8 on Windows 7 for x64-based Systems Service Pack 1
• Microsoft .NET Framework 4.8 on Windows Server 2008 R2 for x64-based Systems Service Pack 1
• Microsoft .NET Framework 4.8 on Windows 8.1 for x64-based systems
• Microsoft .NET Framework 4.8 on Windows Server 2012
• Microsoft .NET Framework 4.8 on Windows Server 2016
• Microsoft .NET Framework 4.8 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
• Microsoft .NET Framework 4.8 on Windows RT 8.1
• Microsoft .NET Framework 4.8 on Windows Server 2012 R2
• Microsoft .NET Framework 4.8 on Windows Server 2012 (Server Core installation)
• Microsoft .NET Framework 4.6 on Windows Server 2008 for 32-bit Systems Service Pack 2
• Microsoft .NET Framework 4.6 on Windows Server 2008 for x64-based Systems Service Pack 2
• Microsoft .NET Framework 4.8 on Windows 10 Version 20H2 for 32-bit Systems
• Microsoft .NET Framework 4.8 on Windows Server, version 2004 (Server Core installation)
• Microsoft .NET Framework 4.8 on Windows 10 Version 2004 for x64-based Systems
• Microsoft .NET Framework 4.8 on Windows Server, version 20H2 (Server Core Installation)
• Microsoft .NET Framework 4.8 on Windows 10 Version 20H2 for ARM64-based Systems
• Microsoft .NET Framework 4.8 on Windows 10 Version 2004 for ARM64-based Systems
• Microsoft .NET Framework 4.8 on Windows 10 Version 2004 for 32-bit Systems
• Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows 10 Version 1607 for 32-bit Systems
• Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2016 (Server Core installation)
• Microsoft .NET Framework 4.7.2 on Windows 10 Version 1803 for x64-based Systems
• Microsoft .NET Framework 4.7.2 on Windows Server 2019 (Server Core installation)
• Microsoft .NET Framework 4.7.2 on Windows Server 2019
• Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows 10 Version 1607 for x64-based Systems
• Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2016
• Microsoft .NET Framework 4.7.2 on Windows 10 Version 1803 for 32-bit Systems
• Microsoft .NET Framework 4.7.2 on Windows 10 Version 1803 for ARM64-based Systems
• Microsoft .NET Framework 4.8 on Windows Server 2019 (Server Core installation)
• Microsoft .NET Framework 4.8 on Windows Server 2019
• Microsoft .NET Framework 4.8 on Windows 10 Version 1909 for x64-based Systems
• ... and 4 more

Security Updates (21)

• 4603003
• 4602959
• 4603002
• 4602958
• 4601887
• 4603004
• 4602960
• 4601054
• 4601051
• 4603002
• 4602958
• 4603004
• 4602960
• 4603003
• 4602959
• 4602961
• 4601050
• 4601318
• 4601354
• 4601887
• 4601056

Revision History

• 2021-02-09: Information published.
• 2021-02-16: Corrected Download and Article links for affected versions of Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 installed on Windows Server 2012 in the Security Updates table. This is an informational change only.