Executive Summary

CVE-2026-25667 is a vulnerability in ASP.NET Core Kestrel, the web server used in Microsoft .NET versions before 8.0.22 and 9.0.11. It allows a remote attacker to cause excessive CPU consumption by sending a specially crafted QUIC packet. This happens because of an incorrect exit condition in the HTTP/3 Encoder/Decoder stream processing, which leads the server to consume 100% CPU.

The attack involves establishing a benign QUIC connection and then sending a malicious QUIC STREAM frame with specific parameters (stream_id=6, fin_bit=1, offset=0, and an empty payload). This crafted request triggers the excessive CPU usage, and if repeated, it can make the server completely unavailable to legitimate clients.

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can lead to a Denial of Service (DoS) condition on the affected server. By exploiting it, an attacker can cause the server's CPU to spike to 100% utilization, effectively paralyzing the server and making it unavailable to legitimate users."}, {'type': 'paragraph', 'content': 'Continuous exploitation, such as sending one malicious request per second, can keep the server in this overloaded state, preventing normal operation and access to hosted applications or services.'}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for unusual or excessive CPU usage on servers running vulnerable versions of ASP.NET Core Kestrel (before .NET 8.0.22 and .NET 9.0.11). Specifically, detection involves identifying remote QUIC connections that send crafted QUIC STREAM frames with stream_id=6, fin_bit=1, offset=0, and an empty payload representing Qpack Encoder data.'}, {'type': 'paragraph', 'content': 'To detect such malicious activity, you can use network packet capture tools like tcpdump or Wireshark to filter QUIC traffic and inspect stream frames for the described parameters.'}, {'type': 'list_item', 'content': "Use tcpdump to capture QUIC traffic on the server's network interface: tcpdump -i <interface> udp port 443 -w capture.pcap"}, {'type': 'list_item', 'content': 'Analyze the capture with Wireshark, filtering for QUIC STREAM frames with stream_id=6 and fin_bit=1.'}, {'type': 'list_item', 'content': 'Monitor CPU usage on the server using commands like top or htop to identify spikes in CPU consumption that correlate with suspicious QUIC traffic.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to update the ASP.NET Core Kestrel server to a fixed version where the vulnerability is resolved. Specifically, upgrade to Microsoft .NET 8.0.22 or later, or .NET 9.0.11 or later.

The fix addresses the improper handling of HTTP/3 encoder and decoder streams that cause excessive CPU consumption when processing crafted QUIC packets.

Until the update can be applied, consider implementing network-level protections such as rate limiting or blocking suspicious QUIC traffic that matches the exploit pattern (e.g., QUIC STREAM frames with stream_id=6 and fin_bit=1 with empty payloads) to reduce the risk of denial-of-service.

Useful 0 Not Useful 0