CVE-2021-26701: .NET Core Remote Code Execution Vulnerability

Overview

Severity: High (CVSS 8.1)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Category: Remote Code Execution
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Publicly Disclosed: Yes
Patch Tuesday: 2021-Feb
Released: 2021-02-09
Last Updated: 2021-03-12
EPSS Score: 2.73% (percentile: 86.0%)

FAQ

Is Visual Studio affected by this vulnerability?

Visual Studio contains the binaries for .NET, but Visual Studio is not vulnerable to this issue. The update is offered to include the .NET files so any future applications built in Visual Studio which include .NET functionality will be protected from this issue.

Affected Products (11)

Developer Tools

  • .NET Core 2.1
  • .NET Core 3.1
  • .NET 5.0
  • Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3)
  • Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)
  • Microsoft Visual Studio 2019 version 16.7 (includes 16.0 - 16.6)
  • Visual Studio 2019 for Mac
  • Microsoft Visual Studio 2019 version 16.8 (includes 16.0 - 16.7)
  • Microsoft Visual Studio 2019 version 16.9 (includes 16.0 - 16.8)
  • PowerShell Core 7.1
  • PowerShell Core 7.0

Security Updates (9)

Revision History

  • 2021-02-09: Information published.
  • 2021-03-09: In the Security Updates table, added links to the Release Notes. This is an informational change only.
  • 2021-03-09: In the Security Updates table, added Visual Studio 2019 versions 16.9, 16.8, 16.7, and 16.4 and Visual Studio 2017 version 15.9. Visual Studio contains the binaries for .NET, but Visual Studio is not vulnerable to this issue. The update is offered to include the .NET files so any future applications built in Visual Studio which include .NET functionality will be protected from this issue.
  • 2021-03-12: Revised the Security Updates table to include PowerShell Core 7.0 and PowerShell Core 7.1 because these versions of PowerShell Core are also affected by this vulnerability. See https://github.com/PowerShell/Announcements-Internal/issues/23 for more information. Added Visual Studio 2019 for Mac to the Security Updates table as it is also affected by this vulnerability.