CVE-2026-25667
CPU Exhaustion via QUIC Packet in ASP.NET Core Kestrel
Publication date: 2026-03-19
Last updated on: 2026-04-22
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| microsoft | .net | From 8.0.0 (inc) to 8.0.22 (exc) |
| microsoft | .net | From 9.0.0 (inc) to 9.0.11 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25667 is a vulnerability in ASP.NET Core Kestrel, the web server used in Microsoft .NET versions before 8.0.22 and 9.0.11. It allows a remote attacker to cause excessive CPU consumption by sending a specially crafted QUIC packet. This happens because of an incorrect exit condition in the HTTP/3 Encoder/Decoder stream processing, which leads the server to consume 100% CPU.
The attack involves establishing a benign QUIC connection and then sending a malicious QUIC STREAM frame with specific parameters (stream_id=6, fin_bit=1, offset=0, and an empty payload). This crafted request triggers the excessive CPU usage, and if repeated, it can make the server completely unavailable to legitimate clients.
How can this vulnerability impact me?
This vulnerability can lead to a Denial of Service (DoS) condition on the affected server. By exploiting it, an attacker can cause the server's CPU to spike to 100% utilization, effectively paralyzing the server and making it unavailable to legitimate users.
Continuous exploitation, such as sending one malicious request per second, can keep the server in this overloaded state, preventing normal operation and access to hosted applications or services. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusual or excessive CPU usage on servers running vulnerable versions of ASP.NET Core Kestrel (before .NET 8.0.22 and .NET 9.0.11). Specifically, detection involves identifying remote QUIC connections that send crafted QUIC STREAM frames with stream_id=6, fin_bit=1, offset=0, and an empty payload representing QPACK encoder data.
To detect such activity, you can use network packet capture tools like tcpdump or Wireshark to filter QUIC traffic and inspect STREAM frames for the described parameters. Note that QUIC encrypts frame contents once the handshake completes, so Wireshark can only show STREAM frame fields when it is given the session's TLS secrets (for example via a key log file); without them a capture shows only UDP datagrams to port 443.
- Use tcpdump to capture QUIC traffic on the server's network interface: tcpdump -i <interface> udp port 443 -w capture.pcap
- Analyze the capture with Wireshark, filtering for QUIC STREAM frames with stream_id=6 and fin_bit=1.
- Monitor CPU usage on the server using commands like top or htop to identify spikes in CPU consumption that correlate with suspicious QUIC traffic. [1]
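As an added example (not part of this CVE record or of the .NET project), the following Python decodes the header of a plaintext QUIC STREAM frame per RFC 9000 and reports whether it has the shape described above, so the fields a capture exposes can be checked programmatically. It assumes the frame bytes have already been decrypted, and both sample frames are constructed.

```python
# Added example (not from the CVE record): decode a plaintext QUIC STREAM frame
# header (RFC 9000 sections 16 and 19.8) and flag the frame shape this CVE
# describes: stream_id=6, FIN set, offset 0, empty payload. Assumes the bytes
# are already decrypted (e.g. exported from Wireshark with a TLS key log).

def read_varint(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode a QUIC variable-length integer at buf[pos]; return (value, new_pos)."""
    if pos >= len(buf):
        raise ValueError("truncated frame")
    first = buf[pos]
    length = 1 << (first >> 6)  # top two bits select 1, 2, 4 or 8 bytes
    if pos + length > len(buf):
        raise ValueError("truncated varint")
    value = first & 0x3F
    for i in range(1, length):
        value = (value << 8) | buf[pos + i]
    return value, pos + length

def parse_stream_frame(buf: bytes) -> dict:
    """Parse one STREAM frame (types 0x08..0x0f) at the start of buf."""
    ftype, pos = read_varint(buf, 0)
    if not 0x08 <= ftype <= 0x0F:
        raise ValueError(f"not a STREAM frame: type 0x{ftype:02x}")
    has_off, has_len, fin = bool(ftype & 0x04), bool(ftype & 0x02), bool(ftype & 0x01)
    stream_id, pos = read_varint(buf, pos)
    offset, pos = read_varint(buf, pos) if has_off else (0, pos)
    if has_len:
        length, pos = read_varint(buf, pos)
        if pos + length > len(buf):
            raise ValueError("STREAM length exceeds remaining bytes")
    else:
        length = len(buf) - pos  # no LEN field: data runs to the end of the packet
    return {
        "stream_id": stream_id, "fin": fin, "offset": offset, "length": length,
        # RFC 9000 s2.1: bit 0x01 = server-initiated, bit 0x02 = unidirectional
        "initiator": "server" if stream_id & 0x01 else "client",
        "unidirectional": bool(stream_id & 0x02),
    }

def matches_cve_2026_25667(frame: dict) -> bool:
    """True when the frame has exactly the shape the CVE record describes."""
    return (frame["stream_id"] == 6 and frame["fin"]
            and frame["offset"] == 0 and frame["length"] == 0)

# Constructed samples: type 0x09 = STREAM with FIN, no OFF/LEN fields, stream id 6,
# nothing after the header; the second carries one data byte for comparison.
SUSPICIOUS_FRAME = bytes([0x09, 0x06])
COMPARISON_FRAME = bytes([0x0B, 0x06, 0x01, 0x02])  # FIN+LEN, length 1, data 0x02
```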
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to update the ASP.NET Core Kestrel server to a fixed version where the vulnerability is resolved. Specifically, upgrade to Microsoft .NET 8.0.22 or later, or .NET 9.0.11 or later.
The fix addresses the improper handling of HTTP/3 encoder and decoder streams that cause excessive CPU consumption when processing crafted QUIC packets.
Until the update can be applied, consider implementing network-level protections such as rate limiting or blocking suspicious QUIC traffic that matches the exploit pattern (e.g., QUIC STREAM frames with stream_id=6 and fin_bit=1 with empty payloads) to reduce the risk of denial-of-service.