CVE-2026-25667 Overview
ASP.NET Core Kestrel in Microsoft .NET 8.0 before 8.0.22 and .NET 9.0 before 9.0.11 allows a remote attacker to cause excessive CPU consumption by sending a crafted QUIC packet, because of an incorrect exit condition for HTTP/3 Encoder/Decoder stream processing. This is a Denial of Service (DoS) condition that can be triggered remotely without authentication and can make applications that enable HTTP/3 in the Kestrel web server unavailable.
Critical Impact
Remote attackers can cause CPU exhaustion in ASP.NET Core applications using HTTP/3, leading to service degradation or complete unavailability without requiring authentication.
Affected Products
- Microsoft .NET 8.0 (versions before 8.0.22)
- Microsoft .NET 9.0 (versions before 9.0.11)
- ASP.NET Core Kestrel Web Server with HTTP/3 enabled
Discovery Timeline
- 2026-03-19 - CVE-2026-25667 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-25667
Vulnerability Analysis
This vulnerability exists within the HTTP/3 Encoder/Decoder stream processing logic in ASP.NET Core's Kestrel web server. The flaw stems from an incorrect exit condition in the Http3ControlStream.cs component, which handles QUIC-based HTTP/3 connections. When processing specially crafted QUIC packets, the vulnerable code fails to properly terminate stream processing, resulting in excessive CPU cycles being consumed. This creates a resource exhaustion condition that can degrade or entirely halt service availability for legitimate users.
The vulnerability affects the HTTP/3 protocol implementation built on top of QUIC, which is designed to improve web performance through multiplexed connections and reduced latency. However, the incorrect exit condition in the stream handler allows attackers to exploit the protocol's stream processing mechanisms to trigger sustained high CPU utilization.
Root Cause
The root cause is an incorrect exit condition in the HTTP/3 Encoder/Decoder stream processing within Http3ControlStream.cs. The code failed to properly register a stream closure callback, which is necessary to handle stream lifecycle events correctly. Without proper stream closure handling, malformed QUIC packets could cause the server to enter a state of continuous processing, consuming excessive CPU resources.
Attack Vector
An attacker can exploit this vulnerability remotely by sending specially crafted QUIC packets to a Kestrel server with HTTP/3 enabled. The attack does not require authentication and can be performed over the network. The malicious packets target the HTTP/3 Encoder/Decoder stream processing logic, triggering the faulty exit condition and causing the server to consume excessive CPU resources. This can result in denial of service for all users attempting to access the affected application.
// Security patch in src/Servers/Kestrel/Core/src/Internal/Http3/Http3ControlStream.cs
// Merged PR 54041: Fix Http3 Encoder/Decoder stream exit condition
context.ClientPeerSettings,
this);
_frameWriter.Reset(context.Transport.Output, context.ConnectionId);
+
+ _streamClosedFeature.OnClosed(static state =>
+ {
+ var stream = (Http3ControlStream)state!;
+ stream.OnStreamClosed();
+ }, this);
}
private void OnStreamClosed()
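Review bot: the visible lines register the close callback on `_streamClosedFeature` but never show where that field is assigned or that it is non-null before `OnClosed` is called; if a transport does not expose the stream-closed feature this constructor will throw, so the assignment and a null check (or a comment stating the QUIC transport guarantees the feature) belong in the same change. The body of `OnStreamClosed()` is cut off in this excerpt, so the corrected exit condition named in the PR title cannot be confirmed from the diff; a one-line comment on `OnStreamClosed` saying which processing loop or state it terminates would make the fix reviewable on its own. Passing `this` as the state argument to a `static` lambda avoids a per-stream closure allocation, which is the right pattern on a per-connection hot path.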
Source: GitHub ASP.NET Core Commit
Detection Methods for CVE-2026-25667
Indicators of Compromise
- Unusual CPU utilization spikes on servers running ASP.NET Core applications with HTTP/3 enabled
- High volume of QUIC connection attempts from single or distributed source IPs
- Abnormal HTTP/3 stream processing duration in Kestrel logs
- Application unresponsiveness or timeout errors reported by legitimate users
Detection Strategies
- Monitor CPU utilization patterns for ASP.NET Core processes, especially those handling HTTP/3 traffic
- Implement network-level monitoring for abnormal QUIC packet patterns or malformed HTTP/3 frames
- Configure application performance monitoring (APM) to alert on unusual request processing times
- Analyze Kestrel server logs for repeated HTTP/3 stream processing errors or anomalies
Monitoring Recommendations
- Deploy real-time CPU and memory monitoring for all production .NET applications with HTTP/3 enabled
- Establish baseline metrics for normal HTTP/3 traffic patterns to identify deviations
- Configure SentinelOne agents to detect and alert on process-level resource exhaustion indicators
- Implement network flow analysis to identify potential DoS attack sources
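The monitoring recommendations above amount to "learn a CPU baseline for the Kestrel process, then alert on sustained deviation". The following is an added example (not from this advisory, SentinelOne, or the ASP.NET Core project) showing that logic over a constructed per-minute CPU series; the 3-sigma multiplier, the 80% absolute floor and the five-sample minimum run are assumptions to tune per environment.

```python
"""Flag sustained CPU saturation of a monitored process against a learned baseline."""
from statistics import mean, pstdev

# Constructed sample: one CPU% reading per minute for a Kestrel worker process,
# as an endpoint agent or APM exporter would report it. Minutes 0-19 are normal
# traffic; minutes 20-29 show the sustained saturation a CPU-exhaustion DoS produces.
CPU_SAMPLES = [18.0, 22.0, 20.5, 19.0, 23.0, 21.0, 17.5, 20.0, 24.0, 19.5,
               21.5, 18.5, 22.5, 20.0, 19.0, 23.5, 21.0, 20.5, 18.0, 22.0,
               91.0, 95.0, 97.5, 96.0, 98.0, 94.5, 97.0, 95.5, 96.5, 98.0]


def cpu_baseline(samples, window):
    """Mean and population stddev of the first `window` readings, which are
    assumed to come from a quiet reference period (assumption: choose a window
    that predates any incident)."""
    base = samples[:window]
    return mean(base), pstdev(base)


def sustained_cpu_anomalies(samples, baseline_window=20, sigma=3.0,
                            min_consecutive=5, floor=80.0):
    """Return (threshold, runs) where each run is (start_idx, end_idx, peak) for
    every stretch of at least `min_consecutive` readings above the threshold.

    The threshold is baseline + sigma*stddev, but never below `floor`: on an
    idle host with near-zero stddev a purely statistical threshold would fire
    on harmless noise, and a short spike below `min_consecutive` readings is a
    normal burst, not the sustained exhaustion described for this CVE.
    """
    mu, sd = cpu_baseline(samples, baseline_window)
    threshold = max(mu + sigma * sd, floor)
    runs = []
    start = None
    # Trailing None acts as a sentinel so a run that reaches the end is closed.
    for i, value in enumerate(samples + [None]):
        above = value is not None and value > threshold
        if above and start is None:
            start = i
        elif not above and start is not None:
            if i - start >= min_consecutive:
                runs.append((start, i - 1, max(samples[start:i])))
            start = None
    return threshold, runs


if __name__ == "__main__":
    threshold, runs = sustained_cpu_anomalies(CPU_SAMPLES)
    for start, end, peak in runs:
        print(f"ALERT: CPU above {threshold:.1f}% from minute {start} to {end} (peak {peak}%)")
```

Feed it the CPU series for each process that serves HTTP/3 rather than for the whole host, and correlate a hit with QUIC connection counts from network flow data before escalating; CPU alone does not distinguish this DoS from a legitimate traffic surge.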
How to Mitigate CVE-2026-25667
Immediate Actions Required
- Upgrade Microsoft .NET 8.0 to version 8.0.22 or later immediately
- Upgrade Microsoft .NET 9.0 to version 9.0.11 or later immediately
- Temporarily disable HTTP/3 support in Kestrel if patching is not immediately possible
- Implement rate limiting on QUIC connections at the network perimeter
Patch Information
Microsoft has addressed this vulnerability in .NET 8.0.22 and .NET 9.0.11 releases. The fix adds proper stream closure callback registration in the Http3ControlStream.cs component, ensuring that stream lifecycle events are handled correctly. The security patch can be verified in the GitHub ASP.NET Core Commit. Organizations should apply the patch through standard .NET SDK update procedures.
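To turn the fixed versions above into a host check, the following added example (not from this advisory or the .NET project) parses the output of `dotnet --list-runtimes`, whose lines have the form `<framework> <version> [<path>]`, and classifies each ASP.NET Core shared framework against 8.0.22 / 9.0.11. RUNTIME_LISTING is a constructed sample standing in for real command output, and the status labels are this example's own.

```python
"""Triage installed .NET runtimes against the CVE-2026-25667 fixed versions."""
import re

# Fixed versions stated in the advisory, keyed by (major, minor).
FIXED_VERSIONS = {(8, 0): (8, 0, 22), (9, 0): (9, 0, 11)}

# Kestrel ships in the ASP.NET Core shared framework; the base runtime
# (Microsoft.NETCore.App) is serviced alongside it but does not contain Kestrel.
KESTREL_FRAMEWORK = "Microsoft.AspNetCore.App"

# Constructed sample of `dotnet --list-runtimes` output; paths are illustrative.
RUNTIME_LISTING = """\
Microsoft.AspNetCore.App 8.0.11 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 8.0.22 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 9.0.10 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 8.0.22 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 9.0.10 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""

_RUNTIME_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<version>\d+\.\d+\.\d+)(?P<pre>-[0-9A-Za-z.]+)?\s+\[(?P<path>[^\]]+)\]$"
)


def parse_runtimes(listing):
    """Return (framework, (major, minor, patch), prerelease_tag_or_None, path) per entry."""
    runtimes = []
    for line in listing.splitlines():
        m = _RUNTIME_LINE.match(line.strip())
        if not m:
            continue  # blank or unexpected line, not a runtime entry
        version = tuple(int(part) for part in m["version"].split("."))
        runtimes.append((m["name"], version, m["pre"], m["path"]))
    return runtimes


def classify(framework, version, prerelease):
    """Status of one runtime entry relative to the advisory's fixed versions."""
    if framework != KESTREL_FRAMEWORK:
        return "no-kestrel"          # base runtime or other framework; Kestrel is not in it
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return "not-covered"         # major.minor not named in the advisory
    if version < fixed:
        return "vulnerable"
    if prerelease:
        return "check-manually"      # numeric match but a prerelease build, not the release
    return "fixed"


def triage(listing):
    """List of (framework, version string, status) in listing order."""
    return [(name, ".".join(map(str, ver)) + (pre or ""), classify(name, ver, pre))
            for name, ver, pre, _path in parse_runtimes(listing)]


def vulnerable_versions(listing):
    """Version strings of ASP.NET Core shared frameworks that still need the patch."""
    return [ver for _name, ver, status in triage(listing) if status == "vulnerable"]


if __name__ == "__main__":
    # Replace RUNTIME_LISTING with subprocess output of `dotnet --list-runtimes` on a real host.
    for name, ver, status in triage(RUNTIME_LISTING):
        print(f"{status:14} {name} {ver}")
```

Two caveats when reading the result: the .NET host rolls forward to the highest installed patch of a major.minor by default, so an old 8.0.x next to 8.0.22 is normally not selected at run time, but it is still reported so it can be removed; and self-contained or single-file deployments bundle their own copy of Microsoft.AspNetCore.App, which never appears in `dotnet --list-runtimes`, so those applications must be rebuilt against the fixed runtime and checked separately.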
Workarounds
- Disable HTTP/3 protocol support in Kestrel configuration until patching is complete
- Implement network-level filtering to block suspicious QUIC traffic patterns
- Configure load balancers to terminate HTTP/3 connections before reaching vulnerable servers
- Deploy WAF rules to detect and block potential exploitation attempts
Kestrel configuration to disable HTTP/3 (appsettings.json). Add this to the Kestrel section as a temporary workaround. EndpointDefaults applies only to endpoints that do not set their own Protocols value, so any endpoint configured with an explicit Protocols setting (in configuration or in code) must be changed as well. JSON does not allow comments, so the section is shown bare:
{
  "Kestrel": {
    "EndpointDefaults": {
      "Protocols": "Http1AndHttp2"
    }
  }
}
Alternative: disable QUIC at the server level. In Program.cs, inside ConfigureWebHostDefaults where webBuilder is the IWebHostBuilder, configure Kestrel without HTTP/3 (HttpProtocols lives in Microsoft.AspNetCore.Server.Kestrel.Core):
using Microsoft.AspNetCore.Server.Kestrel.Core;

webBuilder.ConfigureKestrel(options =>
{
    options.ListenAnyIP(5001, listenOptions =>
    {
        // Offer only HTTP/1.1 and HTTP/2; HTTP/3 over QUIC is never negotiated on this endpoint.
        listenOptions.Protocols = HttpProtocols.Http1AndHttp2;
    });
});
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


