
CVE-2026-25667

Severity: High · Public PoC · DDoS

Published: 19 March 2026
Modified: 22 April 2026
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS score: 0.0660 (91.4th percentile)
Risk priority: 19 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-25667 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Microsoft .NET. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 8.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

ASP.NET Core Kestrel, the web server component in Microsoft .NET 8.0 prior to 8.0.22 and .NET 9.0 prior to 9.0.11, contains a denial-of-service vulnerability (CVE-2026-25667) that stems from an incorrect exit condition during HTTP/3 Encoder/Decoder stream processing over QUIC. The flaw is tracked under CWE-400 and carries a CVSS 3.1 score of 7.5, reflecting network-reachable, unauthenticated input that produces high availability impact without affecting confidentiality or integrity.

An unauthenticated remote attacker can trigger excessive CPU consumption simply by transmitting a single crafted QUIC packet, thereby degrading or halting service for the affected Kestrel instance. No user interaction or special privileges are required, and the attack surface is exposed whenever HTTP/3 is enabled.

Public references include a patch commit in the aspnetcore repository that corrects the stream-processing exit logic, along with proof-of-concept and fuzzing tools that demonstrate the packet construction. The associated EPSS score rose from a low baseline to a peak of 0.1450 on 2026-04-30 before receding to 0.0660, indicating measurable post-disclosure exploitation interest that warrants renewed attention even after the initial disclosure window.


Vulnerability details

ASP.NET Core Kestrel in Microsoft .NET 8.0 before 8.0.22 and .NET 9.0 before 9.0.11 allows a remote attacker to cause excessive CPU consumption by sending a crafted QUIC packet, because of an incorrect exit condition for HTTP/3 Encoder/Decoder stream processing.

CWE(s)

CWE-400 Uncontrolled Resource Consumption

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1499.004 Application or System Exploitation (Impact): Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated exploitation of the public-facing Kestrel web server via a crafted QUIC packet directly enables T1190 (Exploit Public-Facing Application) to achieve T1499.004 (Application or System Exploitation), resulting in a CPU-exhaustion denial of service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-21207 (same vendor: Microsoft)
CVE-2025-21389 (same vendor: Microsoft)
CVE-2025-21330 (same vendor: Microsoft)
CVE-2025-21300 (same vendor: Microsoft)
CVE-2025-21290 (same vendor: Microsoft)
CVE-2025-21270 (same vendor: Microsoft)
CVE-2025-21218 (same vendor: Microsoft)
CVE-2025-21289 (same vendor: Microsoft)
CVE-2025-21351 (same vendor: Microsoft)
CVE-2025-21251 (same vendor: Microsoft)

Affected Assets

Microsoft .NET: 8.0.0 — 8.0.22 · 9.0.0 — 9.0.11

Mitigating Controls (NIST 800-53 r5)

Prevent: Directly mitigates the CVE by requiring timely patching of the flawed HTTP/3 encoder/decoder stream processing in ASP.NET Core Kestrel, which fixes the incorrect exit condition that causes CPU exhaustion.

Prevent (SC-5 Denial-of-service Protection): Provides denial-of-service protections such as rate limiting or traffic filtering to block or limit crafted QUIC packets that trigger excessive CPU consumption.

Prevent (SC-6 Resource Availability): Enforces resource availability controls such as CPU limits or allocation restrictions to prevent uncontrolled resource consumption from malformed HTTP/3 stream processing.
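As an added example supporting the patching control above (this is not code from the page, from Microsoft, or from the aspnetcore repository), the following Python script parses the output of `dotnet --list-runtimes` and flags any installed Microsoft.AspNetCore.App shared framework below the fixed builds 8.0.22 and 9.0.11 named in this advisory. It assumes that Kestrel ships inside the Microsoft.AspNetCore.App shared framework and that the CLI prints one `<name> <version> [<path>]` line per runtime; the sample output embedded in the script is constructed, not captured from a real host.

```python
"""Defender-side check for CVE-2026-25667: flag installed ASP.NET Core shared
frameworks older than the fixed builds named in the advisory."""
import re
import subprocess
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Fixed builds stated in the advisory. Assumption: Kestrel ships inside the
# Microsoft.AspNetCore.App shared framework, so that is the entry to inspect.
FIXED_VERSIONS = {8: (8, 0, 22), 9: (9, 0, 11)}
AFFECTED_FRAMEWORK = "Microsoft.AspNetCore.App"

# One line of `dotnet --list-runtimes` output: "<name> <version> [<path>]".
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)(?P<pre>-[\w.]+)?\s+\["
)

# Constructed sample output (not captured from a real host) mixing patched,
# unpatched, unrelated and prerelease entries.
SAMPLE_OUTPUT = """\
Microsoft.AspNetCore.App 8.0.10 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.22 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 9.0.3 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 8.0.10 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.AspNetCore.App 10.0.0-preview.1.25080.5 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
"""


def parse_runtimes(text: str) -> List[Tuple[str, Version, str]]:
    """Return (framework name, numeric version, version string) per parsed line;
    lines that do not match the runtime line format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ver = (int(m["major"]), int(m["minor"]), int(m["patch"]))
        ver_str = f"{ver[0]}.{ver[1]}.{ver[2]}" + (m["pre"] or "")
        entries.append((m["name"], ver, ver_str))
    return entries


def is_vulnerable(version: Version) -> bool:
    """True when the version is below the fixed build for its major line.
    Majors the advisory does not name (e.g. a 10.0 preview) are not flagged,
    and prerelease tags are ignored: only the numeric triple is compared."""
    fixed = FIXED_VERSIONS.get(version[0])
    return fixed is not None and version < fixed


def find_vulnerable(text: str) -> List[str]:
    """Version strings of installed Microsoft.AspNetCore.App frameworks that
    still carry the flaw, in the order they were listed."""
    return [
        ver_str
        for name, ver, ver_str in parse_runtimes(text)
        if name == AFFECTED_FRAMEWORK and is_vulnerable(ver)
    ]


def scan_host() -> Optional[List[str]]:
    """Run `dotnet --list-runtimes` on this host; None if the CLI is unavailable."""
    try:
        out = subprocess.run(
            ["dotnet", "--list-runtimes"], capture_output=True, text=True, check=True
        ).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return find_vulnerable(out)


if __name__ == "__main__":
    print("sample:", find_vulnerable(SAMPLE_OUTPUT))  # ['8.0.10', '9.0.3']
    result = scan_host()
    if result is None:
        print("this host: dotnet CLI not found")
    else:
        print("this host:", result or "no vulnerable ASP.NET Core runtime found")
```

Run it on each host that serves Kestrel traffic; a non-empty list means the shared framework still needs the update. Because the advisory notes that the attack surface is exposed only while HTTP/3 is enabled, limiting a Kestrel listener to HTTP/1.1 and HTTP/2 is a reasonable compensating step while the update is rolled out, but it does not replace installing the fixed build.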
