CVE-2026-25667

Published: Mar 19, 2026

Modified: Apr 29, 2026

PUBLISHED

Description

ASP.NET Core Kestrel in Microsoft .NET 8.0 before 8.0.22 and .NET 9.0 before 9.0.11 allows a remote attacker to cause excessive CPU consumption by sending a crafted QUIC packet, because of an incorrect exit condition for HTTP/3 Encoder/Decoder stream processing.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/IsaJafarov/Kestrel-DoS

https://github.com/dotnet/aspnetcore/commit/96ccc40a0e095424b19506e8268b9b1a3e23d6a7#diff-667d5b3693f93a0f706ab211428998b210862f9b885d917104d2013118312626

https://github.com/IsaJafarov/Q3Fuzz

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-25667

Description

Affected Products

References