CVE-2026-25667
Published: 19 March 2026
Summary
CVE-2026-25667 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Microsoft .NET. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 5.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mitigates the CVE by requiring timely patching of the flawed HTTP/3 encoder/decoder in ASP.NET Core Kestrel, fixing the incorrect exit condition that causes CPU exhaustion.
- Provides denial-of-service protections, such as rate limiting or traffic filtering, to block or limit crafted QUIC packets that trigger excessive CPU consumption.
- Enforces resource availability controls, such as CPU limits or allocation restrictions, to prevent uncontrolled resource consumption from malformed HTTP/3 stream processing.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote, unauthenticated exploitation of a public-facing Kestrel web server via a crafted QUIC packet maps directly to T1190 (Exploit Public-Facing Application), used to achieve T1499.004 (Endpoint Denial of Service: Application or System Exploitation) and resulting in a CPU-exhaustion denial of service.
NVD Description
ASP.NET Core Kestrel in Microsoft .NET 8.0 before 8.0.22 and .NET 9.0 before 9.0.11 allows a remote attacker to cause excessive CPU consumption by sending a crafted QUIC packet, because of an incorrect exit condition for HTTP/3 Encoder/Decoder stream processing.
Deeper analysis
CVE-2026-25667 is a denial-of-service vulnerability in ASP.NET Core Kestrel, the cross-platform web server for ASP.NET Core applications. It affects Microsoft .NET 8.0 versions prior to 8.0.22 and .NET 9.0 versions prior to 9.0.11. The issue stems from an incorrect exit condition in the HTTP/3 Encoder/Decoder stream processing, which allows a remote attacker to trigger excessive CPU consumption by sending a crafted QUIC packet. The vulnerability is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is associated with CWE-400 (Uncontrolled Resource Consumption).
A remote, unauthenticated attacker can exploit this vulnerability by sending a specially crafted QUIC packet to a vulnerable ASP.NET Core Kestrel server handling HTTP/3 traffic. No user interaction or privileges are required, making it accessible over the network with low complexity. Successful exploitation results in high-impact availability disruption through sustained high CPU usage, potentially leading to service degradation or denial of service on the targeted server.
Mitigation involves updating to .NET 8.0.22 or later for .NET 8.0 installations and .NET 9.0.11 or later for .NET 9.0 installations, as detailed in the fixing commit in the ASP.NET Core repository. Proof-of-concept exploits and fuzzing tools are available in related GitHub repositories, including Kestrel-DoS and Q3Fuzz, demonstrating the issue's reproducibility.
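As an added example (not part of the advisory or of Microsoft's tooling), the following script checks whether a host carries an ASP.NET Core shared framework inside the affected ranges stated above (8.0.x before 8.0.22, 9.0.x before 9.0.11). It parses the output of `dotnet --list-runtimes` and falls back to a constructed sample listing when `dotnet` is not installed; treating a pre-release build of the fixing patch level as still vulnerable is an assumption.

```python
import re
import subprocess

# Affected ranges from the advisory: .NET 8.0 before 8.0.22, .NET 9.0 before 9.0.11.
FIXED_PATCH = {(8, 0): 22, (9, 0): 11}

# One line of `dotnet --list-runtimes`: "<name> <version> [<install path>]"
RUNTIME_RE = re.compile(
    r"^(?P<name>\S+) (?P<version>\d+\.\d+\.\d+(?:-\S+)?) \[(?P<path>.+)\]$"
)

def parse_version(version):
    """Split 'major.minor.patch[-prerelease]' into ints plus an optional tag."""
    core, _, tag = version.partition("-")
    major, minor, patch = (int(p) for p in core.split("."))
    return major, minor, patch, tag or None

def is_vulnerable(version):
    """True if a Microsoft.AspNetCore.App version falls in the CVE-2026-25667 range."""
    major, minor, patch, tag = parse_version(version)
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return False  # other release lines are not listed as affected
    # Assumption: a pre-release tagged with the fixing patch level predates the fix.
    return patch < fixed or (patch == fixed and tag is not None)

def find_vulnerable_runtimes(listing):
    """Return (version, path) pairs for vulnerable ASP.NET Core runtimes in a listing."""
    found = []
    for line in listing.splitlines():
        m = RUNTIME_RE.match(line.strip())
        # Kestrel ships in the ASP.NET Core shared framework, not Microsoft.NETCore.App.
        if not m or m.group("name") != "Microsoft.AspNetCore.App":
            continue
        if is_vulnerable(m.group("version")):
            found.append((m.group("version"), m.group("path")))
    return found

# Constructed sample output (not captured from a real host).
SAMPLE_LISTING = """\
Microsoft.AspNetCore.App 8.0.20 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.22 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 9.0.10 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 9.0.10 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""

if __name__ == "__main__":
    try:
        result = subprocess.run(["dotnet", "--list-runtimes"],
                                capture_output=True, text=True, check=True)
        listing = result.stdout
    except (OSError, subprocess.CalledProcessError):
        listing = SAMPLE_LISTING  # no dotnet on this host: use the constructed sample
    for version, path in find_vulnerable_runtimes(listing):
        print(f"VULNERABLE (CVE-2026-25667): Microsoft.AspNetCore.App {version} at {path}")
```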
Details
- CWE(s)