CVE-2024-38229

Use After Free
Affects
ASP.NET Core Runtime
>= 6.0.0 <= 6.0.36 >= 8.0.0 <= 8.0.8 >= 9.0.0-preview.1.24081.5 <= 9.0.0.RC.1
in
.NET
No items found.
Exclamation circle icon
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Overview

.NET is a free, open-source, cross-platform framework for building modern apps and powerful cloud services. It consists of a runtime and a developer platform made up of tools, programming languages, and libraries for building many different types of applications. ASP.NET Core extends the .NET developer platform with tools and libraries specifically for building web apps. ASP.NET Core is the open-source version of ASP.NET, that runs on macOS, Linux, and Windows. ASP.NET Core was first released in 2016 and is a re-design of earlier Windows-only versions of ASP.NET.

A vulnerability (CVE-2024-38229) exists in ASP.NET when closing an HTTP/3 stream while application code is writing to the response body, a race condition may lead to use-after-free, resulting in Remote Code Execution.

Per CWE-416: Use After Free, Use After Free is when a product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

This issue affects ASP.NET 6.0.0 <= 6.0.36, 8.0.0 <= 8.0.8, 9.0.0-preview.1.24081.5 <= 9.0.0.RC.1. 

Additionally, if you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.

Details

Module Info

  • Product: 
    • Any ASP.NET 6.0 application running on .NET 6.0.36 or earlier.
    • Any ASP.NET 8.0 application running on .NET 8.0.8 or earlier.
    • Any ASP.NET 9.0 application running on .NET 9.0.0.RC.1 or earlier.
  • Affected packages: 
    • Microsoft.AspNetCore.App.Runtime.linux-arm
    • Microsoft.AspNetCore.App.Runtime.linux-arm64
    • Microsoft.AspNetCore.App.Runtime.linux-musl-arm
    • Microsoft.AspNetCore.App.Runtime.linux-musl-arm64
    • Microsoft.AspNetCore.App.Runtime.linux-musl-x64
    • Microsoft.AspNetCore.App.Runtime.linux-x64
    • Microsoft.AspNetCore.App.Runtime.osx-arm64
    • Microsoft.AspNetCore.App.Runtime.osx-x64
    • Microsoft.AspNetCore.App.Runtime.win-arm
    • Microsoft.AspNetCore.App.Runtime.win-arm64
    • Microsoft.AspNetCore.App.Runtime.win-x64
    • Microsoft.AspNetCore.App.Runtime.win-x86
  • Affected versions: 
    • >= 6.0.0 <= 6.0.36
    • >= 8.0.0 <= 8.0.8
    • >= 9.0.0-preview.1.24081.5 <= 9.0.0.RC.1
  • GitHub repository: https://github.com/dotnet/aspnetcore 
  • Published packages: Download .NET (Linux, macOS, and Windows)
  • Package manager: 
    • Nuget
    • Windows Installer
    • Docker
  • Fixed in: .NET - Never-Ending Support (NES) | HeroDevs v6.1.0

Vulnerability Info

This High-severity vulnerability is found in Kestrel within the ASP.NET Core Runtime and affects applications using HTTP/3. An attacker could exploit this by closing an HTTP/3 stream while the request body is being processed leading to a race condition. This could result in remote code execution. Note: HTTP/3 is experimental in .NET 6.0 and is not currently enabled by default in ASP.NET Core applications.

Credits

  • Radek Zikmund of Microsoft Corporation

Mitigation

ASP.NET Core 6.x is End-of-Life and will not receive any updates to address this issue. For more information see .NET and .NET Core official support policy.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to one of:
    • ASP.NET Core Runtime >= 8.0.10
    • ASP.NET Core Runtime >= 9.0.0.RC2
    • .NET SDK 8.0.407
    • .NET SDK 8.0.310
    • .NET SDK 8.0.114
    • .NET SDK 9.0.0.RC2
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.

Vulnerability Details
ID
CVE-2024-38229
PROJECT Affected
ASP.NET Core Runtime
Versions Affected
>= 6.0.0 <= 6.0.36 >= 8.0.0 <= 8.0.8 >= 9.0.0-preview.1.24081.5 <= 9.0.0.RC.1
Published date
April 4, 2025
≈ Fix date
April 4, 2025
Fixed in
Severity
High
Category
Use After Free
Sign up for the latest vulnerability alerts fixed in
NES for .NET
Rss feed icon
Subscribe via RSS
or
Thanks for signing up for our Newsletter! We look forward to connecting with you.
Oops! Something went wrong while submitting the form.