Heap and Integer Overflow Vulnerability in Microsoft Development Tools
CVE-2025-36853
Key Information:
- Vendor: Microsoft
- Status
- Vendor
- CVE Published: 8 September 2025
What is CVE-2025-36853?
A vulnerability exists in the msdia140.dll component associated with Microsoft's development tools, arising from an integer overflow and a heap-based buffer overflow. The condition occurs when a calculation produces a value exceeding the permissible range, which can lead to critical memory allocated on the heap being overwritten. An attacker could exploit this flaw to execute arbitrary code on affected systems. Microsoft has confirmed that this vulnerability impacts End Of Life (EOL) software components and that it will not issue any future patches or support.
Affected Version(s)
.NET 6.0 Windows 6.0.0 < 6.0.36
Microsoft.NetCore.App.Runtime.linux-arm Windows >=6.0.0 <= 6.0.36
Microsoft.NetCore.App.Runtime.linux-arm64 Windows >=6.0.0 <= 6.0.36