Isa Jafarov

**Name of the Vulnerable Software and Affected Versions** ASP.NET Core versions prior to 8.0.22 ASP.NET Core versions prior to 9.0.11 **Description** A remote attacker can cause excessive CPU consumption by sending a crafted QUIC packet. This is due to an incorrect exit condition for HTTP/3 Encoder/Decoder stream processing within the Kestrel component. **Recommendations** Update ASP.NET Core to version 8.0.22 or later. Update ASP.NET Core to version 9.0.11 or later.

**Name of the Vulnerable Software and Affected Versions** Apache HTTP Server versions 2.4.55 through 2.4.57 **Description** The issue is related to a HTTP/2 connection with an initial window size of 0, which can block handling of that connection indefinitely in Apache HTTP Server. This could be used to exhaust worker resources in the server, similar to the well known "slow loris" attack pattern. The connection can be terminated properly after the configured connection timeout in version 2.4.58. **Recommendations** Apache HTTP Server versions 2.4.55 through 2.4.57: Upgrade to version 2.4.58, which fixes the issue. As a temporary workaround, consider configuring the connection timeout to a lower value to minimize the risk of exploitation.