{"id":"CVE-2026-25667","details":"ASP.NET Core Kestrel in Microsoft .NET 8.0 before 8.0.22 and .NET 9.0 before 9.0.11 allows a remote attacker to cause excessive CPU consumption by sending a crafted QUIC packet, because of an incorrect exit condition for HTTP/3 Encoder/Decoder stream processing.","aliases":["BIT-dotnet-2026-25667","BIT-dotnet-sdk-2026-25667"],"modified":"2026-04-17T04:57:18.685166193Z","published":"2026-03-19T19:16:19.880Z","references":[{"type":"FIX","url":"https://github.com/dotnet/aspnetcore/commit/96ccc40a0e095424b19506e8268b9b1a3e23d6a7#diff-667d5b3693f93a0f706ab211428998b210862f9b885d917104d2013118312626"},{"type":"PACKAGE","url":"https://github.com/IsaJafarov/Kestrel-DoS"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/dotnet/aspnetcore","events":[{"introduced":"3f1acb59718cadf111a0a796681e3d3509bb3381"},{"fixed":"ee417479933278bb5aadc5944706a96b5ef74a5d"},{"introduced":"af22effae4069a5dfb9b0735859de48820104f5b"},{"fixed":"d3aba8fe1a0d0f5c145506f292b72ea9d28406fc"},{"fixed":"96ccc40a0e095424b19506e8268b9b1a3e23d6a7"}],"database_specific":{"versions":[{"introduced":"8.0"},{"fixed":"8.0.22"},{"introduced":"9.0"},{"fixed":"9.0.11"}]}}],"versions":["v8.0.0","v8.0.1","v8.0.10","v8.0.11","v8.0.12","v8.0.13","v8.0.14","v8.0.15","v8.0.16","v8.0.17","v8.0.18","v8.0.19","v8.0.2","v8.0.20","v8.0.21","v8.0.3","v8.0.4","v8.0.5","v8.0.7","v8.0.8"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-25667.json"}}],"schema_version":"1.7.5"}