CVE-2025-36853
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-08

Last updated on: 2025-09-08

Assigner: HeroDevs

Description
A vulnerability (CVE-2025-21172) exists in msdia140.dll due to integer overflow and heap-based overflow. Per CWE-122: Heap-based Buffer Overflow, a heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().‍ Per CWE-190: Integer Overflow or Wraparound, is when a product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number. NOTE: This CVE affects only End Of Life (EOL) software components. The vendor, Microsoft, has indicated there will be no future updates nor support provided upon inquiry.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-08
Last Modified
2025-09-08
Generated
2026-05-07
AI Q&A
2025-09-08
EPSS Evaluated
2026-05-05
NVD
CVE-2025-36853
EUVD
EUVD-2025-27134
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
microsoft .net_runtime 6.0.36
microsoft .net_runtime 9.0.0
microsoft .net_runtime 6.0.0
microsoft .net_runtime 8.0.0
microsoft .net_runtime 8.0.11
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-122 A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-21172 is a high-severity vulnerability in the msdia140.dll component of the .NET Runtime caused by an integer overflow that leads to a heap-based buffer overflow. This means that an integer calculation exceeds its maximum value, causing incorrect buffer size calculations and allowing memory beyond the allocated heap buffer to be overwritten. This can lead to arbitrary code execution or denial of service when a user opens a maliciously crafted package file in Visual Studio. [1]


How can this vulnerability impact me? :

This vulnerability can impact any .NET application running on affected runtime versions (including .NET 6.0.0 through 6.0.36, 8.0.0 through 8.0.11, and 9.0.0 and earlier) across multiple platforms. Exploitation can allow attackers to execute arbitrary code or cause denial of service by triggering the heap overflow. Self-contained applications targeting these versions are also vulnerable and require recompilation and redeployment to mitigate the risk. [1]


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, you should upgrade to .NET Runtime versions 8.0.12 or later, or 9.0.1 or later. For .NET 6.x, which is End-of-Life and will not receive updates, consider upgrading to a supported version or using commercial support such as the Never-Ending Support (NES) version v6.1.0 offered by HeroDevs. Applying these patches or using NES solutions will mitigate the risk of exploitation. [1]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart