CVE-2026-25667
Published: 19 March 2026
Summary
CVE-2026-25667 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Microsoft .NET. Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 8.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
ASP.NET Core Kestrel, the web server component in Microsoft .NET 8.0 prior to 8.0.22 and .NET 9.0 prior to 9.0.11, contains a denial-of-service vulnerability (CVE-2026-25667) that stems from an incorrect exit condition during HTTP/3 Encoder/Decoder stream processing over QUIC. The flaw is tracked under CWE-400 and carries a CVSS 3.1 score of 7.5, reflecting network-reachable, unauthenticated input that produces high availability impact without affecting confidentiality or integrity.
An unauthenticated remote attacker can trigger excessive CPU consumption simply by transmitting a single crafted QUIC packet, thereby degrading or halting service for the affected Kestrel instance. No user interaction or special privileges are required, and the attack surface is exposed whenever HTTP/3 is enabled.
Public references include a patch commit in the aspnetcore repository that corrects the stream-processing exit logic, along with proof-of-concept and fuzzing tools that demonstrate the packet construction. The associated EPSS score rose from a low baseline to a peak of 0.1450 on 2026-04-30 before receding to 0.0660, indicating measurable post-disclosure exploitation interest that warrants renewed attention even after the initial disclosure window.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-13148
Vulnerability details
ASP.NET Core Kestrel in Microsoft .NET 8.0 before 8.0.22 and .NET 9.0 before 9.0.11 allows a remote attacker to cause excessive CPU consumption by sending a crafted QUIC packet, because of an incorrect exit condition for HTTP/3 Encoder/Decoder stream processing.
- CWE(s): CWE-400 (Uncontrolled Resource Consumption)
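As an added check (not from the advisory or from Microsoft), the script below classifies the ASP.NET Core shared frameworks reported by `dotnet --list-runtimes` against the fixed builds named above (8.0.22 and 9.0.11); the listing it runs on is a constructed sample in that command's output layout, and release branches the advisory does not name are reported as not covered rather than guessed at.

```python
import re

# Fixed builds named in the advisory; earlier builds on the same branch are affected.
FIXED_BUILDS = {(8, 0): (8, 0, 22), (9, 0): (9, 0, 11)}

# One line of `dotnet --list-runtimes`: "<framework> <version> [<install path>]"
RUNTIME_LINE = re.compile(r"^(?P<name>\S+)\s+(?P<ver>\d+\.\d+\.\d+)\s+\[(?P<path>[^\]]+)\]$")


def assess(version: str) -> str:
    """Classify a Microsoft.AspNetCore.App version against the CVE-2026-25667 fix levels."""
    major, minor, patch = (int(x) for x in version.split("."))
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is None:
        # Branch not named by the advisory (e.g. 6.0 or 10.0): assess it separately.
        return "not-covered"
    return "vulnerable" if (major, minor, patch) < fixed else "patched"


def check_runtimes(listing: str) -> list[tuple[str, str, str]]:
    """Parse `dotnet --list-runtimes` output and assess each ASP.NET Core shared framework.

    Kestrel ships in the Microsoft.AspNetCore.App shared framework, so those entries
    are the ones that matter. Self-contained deployments bundle their own copy and do
    not appear in this listing; check their embedded runtime version separately.
    """
    results = []
    for line in listing.splitlines():
        m = RUNTIME_LINE.match(line.strip())
        if m and m.group("name") == "Microsoft.AspNetCore.App":
            results.append((m.group("ver"), assess(m.group("ver")), m.group("path")))
    return results


# Constructed sample in the layout `dotnet --list-runtimes` prints (not taken from a real host).
SAMPLE_LISTING = """\
Microsoft.AspNetCore.App 6.0.36 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.21 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.22 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 9.0.10 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 9.0.10 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""

if __name__ == "__main__":
    for ver, status, path in check_runtimes(SAMPLE_LISTING):
        print(f"{status:12} Microsoft.AspNetCore.App {ver}  ({path})")
```

On a real host, pass the output of `dotnet --list-runtimes` to `check_runtimes` instead of the sample; a "vulnerable" entry only matters for exposure if an application on it serves HTTP/3.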
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote, unauthenticated exploitation of a public-facing Kestrel web server via a crafted QUIC packet directly enables T1190 (Exploit Public-Facing Application), used to achieve T1499.004 (Application or System Exploitation) and resulting in a CPU-exhaustion denial of service.
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the CVE by requiring timely patching of the flawed HTTP/3 encoder/decoder in ASP.NET Core Kestrel (updating to .NET 8.0.22 or 9.0.11 or later) to fix the incorrect exit condition that causes CPU exhaustion.
- SC-5 (Denial-of-service Protection): provides denial-of-service protections such as rate limiting or traffic filtering to block or limit crafted QUIC packets that trigger excessive CPU consumption.
- SC-6 (Resource Availability): enforces resource availability controls such as CPU limits or allocation restrictions to prevent uncontrolled resource consumption from malformed HTTP/3 stream processing.