Race Condition in EOL ASP.NET Leading to Remote Code Execution
CVE-2025-36854
Key Information:
- Vendor: Microsoft
- Status
- Vendor
- CVE Published: 8 September 2025
What is CVE-2025-36854?
A vulnerability in EOL ASP.NET occurs when an HTTP/3 stream is closed while application code is still writing to the response body. This race condition may result in a use-after-free that allows remote code execution. The flaw lies in the improper handling of freed memory, which can be reallocated while application code still holds a reference to it. Impacted versions include ASP.NET 6.0.0 through 6.0.36, 8.0.0 through 8.0.8, and specific preview releases up to 9.0.0.RC.1. Self-contained applications targeting these versions are also vulnerable and must be recompiled and redeployed. Microsoft has confirmed that these components are end-of-life, so no future updates or support will be provided.

Affected Version(s)
.NET 6.0 Unknown 6.0.0 <= 6.0.36
Microsoft.AspNetCore.App.Runtime.linux-arm Linux >=6.0.0 <= 6.0.36
Microsoft.AspNetCore.App.Runtime.linux-arm64 Linux >=6.0.0 <= 6.0.36
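To check a host against the ranges in the description above, the following added example (not part of the original advisory or any Microsoft tooling) parses `dotnet --list-runtimes` output and flags affected `Microsoft.AspNetCore.App` installs. It assumes every 9.0.0 preview and rc.1 build counts as affected, since the page only says "specific preview releases up to 9.0.0.RC.1"; the sample output is constructed.

```python
import re

# Inclusive ranges taken from the description above.
AFFECTED_RANGES = [((6, 0, 0), (6, 0, 36)), ((8, 0, 0), (8, 0, 8))]

# One line of `dotnet --list-runtimes`: "<name> <version> [<install dir>]".
RUNTIME_LINE = re.compile(
    r"^Microsoft\.AspNetCore\.App\s+((\d+)\.(\d+)\.(\d+)(?:-(\S+))?)\s+\[(.+)\]$"
)

# Constructed sample output; build suffixes and paths are illustrative.
SAMPLE = """\
Microsoft.AspNetCore.App 6.0.36 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.8 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.10 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 9.0.0-rc.1.24452.1 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 9.0.0-rc.2.24474.3 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 6.0.36 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""

def is_affected(major, minor, patch, prerelease=None):
    """True if the version falls in a range the page lists as affected."""
    core = (major, minor, patch)
    if prerelease is None:
        return any(low <= core <= high for low, high in AFFECTED_RANGES)
    if core != (9, 0, 0):
        return False  # prereleases of other versions are not listed on the page
    parts = prerelease.lower().split(".")
    if parts[0] == "preview":
        return True  # assumption: all 9.0.0 previews are in scope
    return (parts[0] == "rc" and len(parts) > 1
            and parts[1].isdigit() and int(parts[1]) <= 1)

def find_affected(list_runtimes_output):
    """Return (version, install_dir) for each affected ASP.NET shared runtime."""
    hits = []
    for line in list_runtimes_output.splitlines():
        match = RUNTIME_LINE.match(line.strip())
        if match:
            version, major, minor, patch, pre, path = match.groups()
            if is_affected(int(major), int(minor), int(patch), pre):
                hits.append((version, path))
    return hits

if __name__ == "__main__":
    for version, path in find_affected(SAMPLE):
        print(f"affected: Microsoft.AspNetCore.App {version} in {path}")
```

Self-contained applications bundle their own runtime and do not appear in this output, so they need to be inventoried separately before being recompiled and redeployed.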