CVE-2026-25667: n/a
CVE-2026-25667 is a vulnerability in ASP.NET Core Kestrel web server implementations in Microsoft .NET 8.0 (before 8.0.22) and .NET 9.0 (before 9.0.11).
AI Analysis
Technical Summary
CVE-2026-25667 is a denial-of-service vulnerability in the ASP.NET Core Kestrel web server component of Microsoft .NET 8.0 (prior to 8.0.22) and .NET 9.0 (prior to 9.0.11). The vulnerability arises from an incorrect exit condition in the HTTP/3 Encoder/Decoder stream processing logic when handling QUIC packets. Specifically, when a remote attacker sends a crafted QUIC packet, the Kestrel server enters a state of excessive CPU consumption because the stream processing loop does not terminate as expected. The flaw can be triggered remotely without authentication or user interaction, making it a straightforward vector for denial-of-service attacks. It lies in the HTTP/3 protocol implementation of Kestrel, the cross-platform web server used extensively in modern ASP.NET Core applications. Although no exploits have been reported in the wild, the potential for resource exhaustion is significant, especially for high-traffic web services relying on these .NET versions. The issue was reserved in early February 2026 and published in March 2026, with patches expected in .NET 8.0.22 and 9.0.11. Organizations using affected versions should prioritize patching to prevent service disruption.
Potential Impact
The primary impact of CVE-2026-25667 is denial-of-service through excessive CPU consumption, which can degrade or completely disrupt web services hosted on ASP.NET Core Kestrel servers using vulnerable .NET versions. This can lead to service outages, degraded user experience, and potential cascading failures in dependent systems. For organizations, this can translate to operational downtime, loss of customer trust, and financial losses. Since the vulnerability can be exploited remotely without authentication, it increases the attack surface significantly. High-availability services, cloud providers, and enterprises running public-facing web applications on these .NET versions are particularly at risk. The resource exhaustion could also be leveraged as a smokescreen for other malicious activities or combined with other attacks to amplify impact.
Mitigation Recommendations
To mitigate CVE-2026-25667, organizations should promptly update their .NET installations to versions 8.0.22 or 9.0.11 once these patches are released by Microsoft. Until patches are applied, administrators should consider disabling HTTP/3 support in Kestrel if feasible, as the vulnerability is tied to HTTP/3 QUIC packet processing. Monitoring CPU usage and network traffic for unusual spikes or patterns indicative of crafted QUIC packets can help detect attempted exploitation. Implementing rate limiting and network-level filtering to restrict suspicious QUIC traffic may reduce exposure. Additionally, ensuring robust incident response plans and maintaining up-to-date backups will help mitigate the impact of potential denial-of-service incidents. Regularly reviewing and applying security advisories from Microsoft is critical to maintaining protection against this and similar vulnerabilities.
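The interim mitigation above (serving without HTTP/3 until the patched runtime is deployed) can be expressed directly in Kestrel's endpoint configuration. The following `Program.cs` is an added example, not code from the page or from Microsoft; it assumes a minimal ASP.NET Core app with a server certificate already configured for `UseHttps()`. The commented-out line shows the protocol setting that would expose the HTTP/3 path, beside the setting that keeps the QUIC listener from being created at all.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Server.Kestrel.Core;

var builder = WebApplication.CreateBuilder(args);

builder.WebHost.ConfigureKestrel(kestrel =>
{
    kestrel.ListenAnyIP(443, listen =>
    {
        // Exposed configuration: HTTP/3 enabled, so Kestrel also binds a QUIC
        // (UDP/443) listener and the HTTP/3 Encoder/Decoder stream path is reachable.
        // listen.Protocols = HttpProtocols.Http1AndHttp2AndHttp3;

        // Interim mitigation: HTTP/1.1 and HTTP/2 only. With Http3 omitted,
        // no QUIC listener is opened and no Alt-Svc h3 advertisement is sent,
        // so clients never upgrade to HTTP/3 against this endpoint.
        listen.Protocols = HttpProtocols.Http1AndHttp2;

        // Assumes a certificate is available from the default Kestrel
        // certificate configuration (appsettings or developer certificate).
        listen.UseHttps();
    });
});

var app = builder.Build();
app.MapGet("/", () => "ok");
app.Run();
```

The same choice can be made without touching code by setting `Kestrel:EndpointDefaults:Protocols` to `Http1AndHttp2` in `appsettings.json`, which is easier to roll back once the host runs .NET 8.0.22 or 9.0.11. To confirm which runtime an application actually uses, `dotnet --list-runtimes` lists the installed `Microsoft.AspNetCore.App` versions on the host; any 8.0.x below 8.0.22 or 9.0.x below 9.0.11 remains in scope for this advisory.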
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, South Korea, India, Netherlands, Sweden, Singapore
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2026-02-04T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 69bc42d8e32a4fbe5fe8af3b
Added to database: 3/19/2026, 6:39:20 PM
Last enriched: 3/19/2026, 6:53:53 PM
Last updated: 3/19/2026, 7:45:37 PM
Views: 4