CVE-2023-36038: ASP.NET Core Denial of Service Vulnerability

Overview

Severity: High (CVSS 8.2)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H/E:U/RL:O/RC:C
Category: Denial of Service
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Publicly Disclosed: Yes
Patch Tuesday: 2023-Nov
Released: 2023-11-14
Last Updated: 2025-10-08
EPSS Score: 7.18% (percentile: 91.6%)

FAQ

How could an attacker exploit this vulnerability?
This vulnerability could be exploited if HTTP requests to .NET 8 RC 1 running on the IIS InProcess hosting model are cancelled. Thread counts would increase and an OutOfMemoryException is possible.

According to the CVSS metric, successful exploitation of this vulnerability could lead to a total loss of availability (A:H). What does that mean for this vulnerability?
If an attacker was able to successfully exploit the vulnerability, the attack might result in a total loss of availability.

Affected Products (6)

Developer Tools

  • ASP.NET Core 8.0
  • Microsoft Visual Studio 2022 version 17.2
  • Microsoft Visual Studio 2022 version 17.4
  • Microsoft Visual Studio 2022 version 17.6
  • Microsoft Visual Studio 2022 version 17.7
  • .NET 8.0

Security Updates (6)

Acknowledgments

Barry Dorans

Revision History

  • 2023-11-14: Information published.
  • 2025-10-08: Corrected Article links in the Security Updates table. This is an informational change only.