Cyber Resilience

CVE-2023-38180

High · CISA KEV · Active Exploitation · EUVD Exploited · DDoS

Published: 08 August 2023

Modified: 28 October 2025
KEV Added: 09 August 2023
Patch
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0088 (75.8th percentile)
Risk Priority: 36 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-38180 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Microsoft Visual Studio 2022. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 24.2% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2023-38180 is a denial of service vulnerability in .NET and Visual Studio that carries a CVSS v3.1 score of 7.5 and is linked to CWE-400 for uncontrolled resource consumption. The flaw permits remote, unauthenticated attackers to trigger excessive resource use that can render affected components unavailable.

An attacker with network access can send specially crafted requests to exploit the issue and achieve a denial-of-service condition without requiring user interaction or credentials.

Microsoft security updates address the vulnerability, and administrators are advised to apply the patches referenced in the Microsoft Security Response Center advisory. Fedora package maintainers have also issued updated builds to resolve the exposure in their distributions.

The CVE is listed in CISA’s Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation. EPSS scores have remained low, with a current value of 0.0088 and a peak of 0.0109.

Vulnerability details

.NET and Visual Studio Denial of Service Vulnerability

CWE(s): CWE-400 (Uncontrolled Resource Consumption)
KEV Date Added: 09 August 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

microsoft / .net: 6.0.0 — 6.0.21 · 7.0.0 — 7.0.10
microsoft / asp.net core: 2.1 — 2.1.40
microsoft / visual studio 2022: 17.2.0 — 17.2.18 · 17.4.0 — 17.4.10 · 17.6.0 — 17.6.6
fedoraproject / fedora: 37, 38

Mitigating Controls (NIST 800-53 r5)

prevent: Directly implements protections against network-based resource-exhaustion attacks that match the crafted-request DoS vector in CVE-2023-38180.

prevent: Limits allocation and consumption of system resources, preventing the excessive usage triggered by the unauthenticated requests described in the CVE.

prevent: Requires validation of incoming data to reject malformed inputs before they can cause the resource-consumption flaw (CWE-400) exploited by CVE-2023-38180.
