Race Condition in EOL ASP.NET Leading to Remote Code Execution
CVE-2025-36854
Key Information:
- Vendor: Microsoft
- Status: Vendor
- CVE Published: 8 September 2025
What is CVE-2025-36854?
A vulnerability exists in end-of-life (EOL) ASP.NET that is triggered when an HTTP/3 stream is closed while application code is still writing to the response body. The resulting race condition can leave the application holding a reference to memory the runtime has already freed, a use-after-free. Because that freed memory may be reallocated and then read or written through the stale reference, the flaw can be leveraged for remote code execution. Impacted versions are ASP.NET 6.0.0 through 6.0.36, 8.0.0 through 8.0.8, and preview releases up to 9.0.0.RC.1. Self-contained applications targeting these versions ship their own copy of the runtime and are therefore also vulnerable; they must be recompiled and redeployed. Microsoft has confirmed that these components are end-of-life, so no further updates or support will be provided for them.
Affected Version(s)

| Product | Platform | Affected versions |
| --- | --- | --- |
| .NET 6.0 | Unknown | >= 6.0.0, <= 6.0.36 |
| Microsoft.AspNetCore.App.Runtime.linux-arm | Linux | >= 6.0.0, <= 6.0.36 |
| Microsoft.AspNetCore.App.Runtime.linux-arm64 | Linux | >= 6.0.0, <= 6.0.36 |
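To turn the version ranges above into a quick host check, the following added example (not part of the advisory or of Microsoft's tooling) parses the output of `dotnet --list-runtimes` and flags any shared Microsoft.AspNetCore.App runtime in an affected range. The sample output is constructed, and the mapping of "preview releases up to 9.0.0.RC.1" onto NuGet labels `9.0.0-preview.*` and `9.0.0-rc.1.*` is an assumption.

```python
import re

# Affected Microsoft.AspNetCore.App ranges as stated in the advisory:
# 6.0.0 through 6.0.36 and 8.0.0 through 8.0.8 (9.0.0 prereleases handled below).
AFFECTED_RANGES = [((6, 0, 0), (6, 0, 36)), ((8, 0, 0), (8, 0, 8))]

# Constructed sample of `dotnet --list-runtimes` output (not captured from a real host).
SAMPLE_OUTPUT = """\
Microsoft.NETCore.App 6.0.36 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.AspNetCore.App 6.0.36 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.8 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.20 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 9.0.0-rc.1.24452.1 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 9.0.0 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
"""

LINE_RE = re.compile(r"^(?P<name>\S+) (?P<ver>\S+) \[(?P<path>[^\]]+)\]$")

def parse_version(ver):
    """Split '8.0.8' into ((8,0,8), None) and '9.0.0-rc.1.24452.1' into ((9,0,0), 'rc.1.24452.1')."""
    core, _, pre = ver.partition("-")
    return tuple(int(p) for p in core.split(".")), (pre or None)

def is_affected(ver):
    nums, pre = parse_version(ver)
    if pre is None:
        return any(lo <= nums <= hi for lo, hi in AFFECTED_RANGES)
    # Assumption: "preview releases up to 9.0.0.RC.1" means 9.0.0-preview.* and
    # 9.0.0-rc.1.*; later release candidates and the GA build are treated as fixed.
    label = pre.split(".")
    return nums == (9, 0, 0) and (label[0] == "preview" or label[:2] == ["rc", "1"])

def find_affected_runtimes(list_runtimes_output):
    """Return [(version, path)] for every shared ASP.NET Core runtime in an affected range."""
    hits = []
    for line in list_runtimes_output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("name") != "Microsoft.AspNetCore.App":
            continue
        if is_affected(m.group("ver")):
            hits.append((m.group("ver"), m.group("path")))
    return hits

if __name__ == "__main__":
    # Self-contained deployments bundle their own runtime and never show up in this
    # listing; those applications must be recompiled and redeployed separately.
    for ver, path in find_affected_runtimes(SAMPLE_OUTPUT):
        print(f"affected: Microsoft.AspNetCore.App {ver} at {path}")
```

On a real host, pipe `dotnet --list-runtimes` into `find_affected_runtimes` instead of `SAMPLE_OUTPUT`.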