CVE-2024-35264: .NET and Visual Studio Remote Code Execution Vulnerability

Overview

Severity

High (CVSS 8.1)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

Category

Remote Code Execution

Exploit Status

Not Exploited

Exploitation Likelihood

Less Likely

Publicly Disclosed

Yes

Patch Tuesday

2024-Jul

Released

2024-07-09

EPSS Score

4.36% (percentile: 89.0%)

FAQ

According to the CVSS metric, the attack complexity is high (AC:H). What does that mean for this vulnerability? Successful exploitation of this vulnerability requires an attacker to win a race condition. How could an attacker exploit this vulnerability? An attacker could exploit this by closing an http/3 stream while the request body is being processed leading to a race condition. This could result in remote code execution. .NET 6.0 was added to the Security Updates table on October 31, 2024 because it is also affected by this vulnerability. Why are the Download and Article links missing for .NET 6.0? HTTP/3 support was only experimental in .NET 6.0. If you are using .NET 6 you must update your application to .NET 8 to be protected. Experimental features will not be patched if a later runtime includes the feature as non-experimental.

Affected Products (6)

Developer Tools

• .NET 6.0
• .NET 8.0
• Microsoft Visual Studio 2022 version 17.4
• Microsoft Visual Studio 2022 version 17.8
• Microsoft Visual Studio 2022 version 17.10
• Microsoft Visual Studio 2022 version 17.6

Security Updates (5)

• 5041081
• Release Notes
• Release Notes
• Release Notes
• Release Notes

Acknowledgments

Radek Zikmund of Microsoft Corporation

Revision History

• 2024-07-09: Information published.