CVE-2022-26832: .NET Framework Denial of Service Vulnerability

Overview

Severity

High (CVSS 7.5)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C

Category

Denial of Service

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Patch Tuesday

2022-Apr

Released

2022-04-12

Last Updated

2024-06-24

EPSS Score

22.43% (percentile: 95.8%)

Affected Products (86)

Developer Tools

• Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1909 for x64-based Systems
• Microsoft .NET Framework 4.5.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
• Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows 8.1 for 32-bit systems
• Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows 7 for x64-based Systems Service Pack 1
• Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows RT 8.1
• Microsoft .NET Framework 4.8 on Windows Server 2012
• Microsoft .NET Framework 4.8 on Windows Server 2012 R2 (Server Core installation)
• Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012
• Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2
• Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows 8.1 for x64-based systems
• Microsoft .NET Framework 4.8 on Windows 8.1 for 32-bit systems
• Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows 7 for 32-bit Systems Service Pack 1
• Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for 32-bit Systems
• Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019 (Server Core installation)
• Microsoft .NET Framework 4.8 on Windows Server 2012 R2
• Microsoft .NET Framework 4.5.2 on Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
• Microsoft .NET Framework 4.8 on Windows Server 2016
• Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 R2 (Server Core installation)
• Microsoft .NET Framework 4.8 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
• Microsoft .NET Framework 4.8 on Windows Server 2012 (Server Core installation)
• Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2012 (Server Core installation)
• Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for x64-based Systems
• Microsoft .NET Framework 4.8 on Windows 7 for x64-based Systems Service Pack 1
• Microsoft .NET Framework 4.8 on Windows RT 8.1
• Microsoft .NET Framework 4.5.2 on Windows Server 2012
• Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1
• Microsoft .NET Framework 4.5.2 on Windows Server 2012 R2
• Microsoft .NET Framework 4.5.2 on Windows Server 2012 (Server Core installation)
• Microsoft .NET Framework 4.5.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1
• Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1809 for x64-based Systems
• Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022
• Microsoft .NET Framework 4.8 on Windows 10 Version 1607 for 32-bit Systems
• Microsoft .NET Framework 4.5.2 on Windows Server 2008 for x64-based Systems Service Pack 2
• Microsoft .NET Framework 4.8 on Windows Server 2016 (Server Core installation)
• Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.2 on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
• Microsoft .NET Framework 4.8 on Windows Server 2008 R2 for x64-based Systems Service Pack 1
• Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2022 (Server Core installation)
• Microsoft .NET Framework 4.5.2 on Windows Server 2012 R2 (Server Core installation)
• Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1909 for ARM64-based Systems
• Microsoft .NET Framework 3.5 AND 4.8 on Windows Server 2019
• Microsoft .NET Framework 4.8 on Windows 8.1 for x64-based systems
• Microsoft .NET Framework 4.8 on Windows 7 for 32-bit Systems Service Pack 1
• Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 1909 for 32-bit Systems
• Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 20H2 for 32-bit Systems
• Microsoft .NET Framework 3.5 AND 4.8 on Windows 10 Version 20H2 for ARM64-based Systems
• Microsoft .NET Framework 3.5 AND 4.8 on Windows Server, version 20H2 (Server Core Installation)
• Microsoft .NET Framework 3.5 AND 4.8 on Windows 11 version 21H2 for ARM64-based Systems
• Microsoft .NET Framework 3.5 AND 4.8 on Windows 11 version 21H2 for x64-based Systems
• Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for 32-bit Systems
• Microsoft .NET Framework 3.5 AND 4.7.2 on Windows 10 Version 1809 for x64-based Systems
• ... and 36 more

Security Updates (34)

• 5012120
• 5012329
• 5012324
• 5012331
• 5012326
• 5012329
• 5012324
• 5012330
• 5012325
• 5012331
• 5012326
• 5012330
• 5012325
• 5012328
• 5012118
• 5012329
• 5012324
• 5012330
• 5012325
• 5012331
• 5012326
• 5012123
• 5012117
• 5012121
• 5012328
• 5012596
• 5012332
• 5012327
• 5012326
• 5016568
• ... and 4 more

Acknowledgments

<a href="https://twitter.com/orange_8361">Orange Tsai (@orange_8361)</a> with <a href="https://devco.re/">DEVCORE</a>

Revision History

• 2022-04-12: Information published.
• 2022-04-19: In the Security Updates table, added .NET Framework 4.8 installed on Windows Server 2016 and Windows Server 2016 (Server Core installation), .NET Framework 3.5 and 4.7.2 intalled on Windows Server 2019 and Windows Server 2019 (Server Core installation), and .NET Framework 3.5 and 4.8 installed on Windows Server 2019 and Windows Server 2019 (Server Core installation) as these versions of Windows Server with these versions of .NET Framework installed are affected by this vulnerability. Customers running these versions of .NET Framework should install the April 2022 security updates to be protected from this vulnerability.
• 2022-06-14: In the Security Updates table, added .NET Framework 4.6.2/4.7/4.7.1/4.7.2 installed on Windows 10 version 1607, Windows Server 2016, and Windows Server 2016 (Server Core installation) as these versions of Window 10 and Windows Server with .NET Framework 4.6.2/4.7/4.7.1/4.7.2 installed are affected by this vulnerability. Customers running these versions of .NET Framework should install the April 2022 security updates to be protected from this vulnerability.
• 2022-08-09: To comprehensively address this vulnerability, Microsoft has released Monthly Rollup KB5016268 for .NET Framework 3.5 installed on Windows 8.1 and Windows Server 2012 R2. Microsoft strongly recommends that customers install the update to be fully protected from the vulnerability. Customers whose systems are configured to receive automatic updates do not need to take any further action.
• 2024-06-24: Updated the build numbers. This is an informational update only.