CVE-2023-38180
Published: 08 August 2023
Summary
CVE-2023-38180 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Microsoft Visual Studio 2022. Its CVSS base score is 7.5 (High).
Operationally, ranked in the top 24.2% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2023-38180 is a denial of service vulnerability in .NET and Visual Studio that carries a CVSS v3.1 score of 7.5 and is linked to CWE-400 for uncontrolled resource consumption. The flaw permits remote, unauthenticated attackers to trigger excessive resource use that can render affected components unavailable.
An attacker with network access can send specially crafted requests to exploit the issue and achieve a denial-of-service condition without requiring user interaction or credentials.
Microsoft security updates address the vulnerability, and administrators are advised to apply the patches referenced in the Microsoft Security Response Center advisory. Fedora package maintainers have also issued updated builds to resolve the exposure in their distributions.
The CVE is listed in CISA’s Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation. EPSS scores have remained low, with a current value of 0.0088 and a peak of 0.0109.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-2363
Vulnerability details
.NET and Visual Studio Denial of Service Vulnerability
- CWE(s)
- KEV Date Added
- 09 August 2023
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly implements protections against network-based resource-exhaustion attacks that match the crafted-request DoS vector in CVE-2023-38180.
Limits allocation and consumption of system resources, preventing the excessive usage triggered by the unauthenticated requests described in the CVE.
Requires validation of incoming data to reject malformed inputs before they can cause the resource-consumption flaw (CWE-400) exploited by CVE-2023-38180.