This advisory covers four security vulnerabilities in .NET 8.0 on Red Hat Enterprise Linux 8. The most critical is CVE-2024-38229, a race condition in the Kestrel HTTP/3 server when closing streams that can lead to remote code execution. Additional issues include multiple .NET components vulnerable to hash flooding attacks (CVE-2024-43483), denial of service vectors in System.IO.Packaging due to SortedList usage (CVE-2024-43484), and a denial of service vulnerability in System.Text.Json (CVE-2024-43485). Red Hat has released updated packages .NET SDK 8.0.110 and .NET Runtime 8.0.10 to fix these vulnerabilities. The advisory applies to Red Hat Enterprise Linux 8 and related CodeReady Linux Builder variants across several CPU architectures. No known exploits in the wild have been reported. The vendor rates the update as Important and provides detailed patch instructions.

Successful exploitation of CVE-2024-38229 could allow remote code execution via a race condition in the HTTP/3 stream handling of the Kestrel server. The other vulnerabilities primarily enable denial of service conditions through hash flooding and improper handling of data structures, potentially impacting availability. These vulnerabilities affect multiple .NET components and could disrupt services or allow attackers to execute arbitrary code remotely.

Red Hat has released updated .NET packages (SDK 8.0.110 and Runtime 8.0.10) that address these vulnerabilities. Users should apply these official patches promptly. For detailed update instructions, refer to the Red Hat advisory RHSA-2024:7868 and the article at https://access.redhat.com/articles/11258. No additional mitigation steps are indicated by the vendor beyond applying the provided updates.