CVE-2025-36854
Published: 08 September 2025
Summary
CVE-2025-36854 is a high-severity Use After Free (CWE-416) vulnerability in Herodevs (inferred from references). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SA-22 (Unsupported System Components) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Prohibits and monitors use of unsupported EOL ASP.NET components vulnerable to this unpatchable use-after-free flaw, preventing deployment and exploitation.
Requires identification, prioritization, and remediation of flaws like this CVE-2025-36854 use-after-free vulnerability through removal, replacement, or compensating controls.
Implements memory protections such as ASLR and DEP to mitigate exploitation of the use-after-free race condition for remote code execution.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Use-after-free in public-facing ASP.NET web framework enables unauthenticated remote code execution over HTTP/3.
NVD Description
A vulnerability ( CVE-2024-38229 https://www.cve.org/CVERecord ) exists in EOL ASP.NET when closing an HTTP/3 stream while application code is writing to the response body, a race condition may lead to use-after-free, resulting in Remote Code Execution. Per CWE-416: Use After…
more
Free https://cwe.mitre.org/data/definitions/416.html , Use After Free is when a product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer. This issue affects EOL ASP.NET 6.0.0 <= 6.0.36 as represented in this CVE, as well as 8.0.0 <= 8.0.8, 9.0.0-preview.1.24081.5 <= 9.0.0.RC.1 as represented in CVE-2024-38229 https://www.cve.org/CVERecord . Additionally, if you've deployed self-contained applications https://docs.microsoft.com/dotnet/core/deploying/#self-contained-deployments-scd targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed. NOTE: This CVE only represents End Of Life (EOL) software components. The vendor, Microsoft, has indicated there will be no future updates nor support provided upon inquiry.
Deeper analysisAI
CVE-2025-36854 is a use-after-free vulnerability (CWE-416) in end-of-life (EOL) ASP.NET versions 6.0.0 through 6.0.36. The issue arises when an HTTP/3 stream is closed while application code is writing to the response body, creating a race condition that can lead to remote code execution. Self-contained applications targeting these impacted versions are also vulnerable and require recompilation and redeployment to mitigate the issue.
A remote, unauthenticated attacker can exploit this vulnerability over the network with high attack complexity, as indicated by its CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation allows the attacker to achieve remote code execution, potentially compromising confidentiality, integrity, and availability with high impact.
Microsoft has indicated that no future updates or support will be provided for these EOL software components. Related guidance for non-EOL versions appears in advisories for CVE-2024-38229, accessible via the Microsoft Security Response Center update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38229 and additional details at https://www.herodevs.com/vulnerability-directory/cve-2024-38229.
Details
- CWE(s)