Lars Eidnes

**Name of the Vulnerable Software and Affected Versions** .NET Core 3.1 versions 3.1.0 through 3.1.24 .NET 5.0 versions 5.0.0 through 5.0.16 .NET 6.0 versions 6.0.0 through 6.0.4 **Description** The vulnerability is related to the incorrect cleanup or release of resources in Microsoft Visual Studio and the .NET Framework. It can be exploited by a remote attacker to cause a denial of service when HTML forms are parsed. A malicious client can cause the denial of service. **Recommendations** For .NET Core 3.1 versions 3.1.0 through 3.1.24, update to Runtime 3.1.25 or SDK 3.1.419. For .NET 5.0 versions 5.0.0 through 5.0.16, update to Runtime 5.0.17 or SDK 5.0.214 or SDK 5.0.408. For .NET 6.0 versions 6.0.0 through 6.0.4, update to Runtime 6.0.5 or SDK 6.0.105 or SDK 6.0.203.

**Name of the Vulnerable Software and Affected Versions** .NET 6.0 versions 6.0.0 through 6.0.2 .NET 5.0 versions 5.0.0 through 5.0.14 .NET Core 3.1 versions 3.1.0 through 3.1.22 **Description** The issue is related to incorrect clearing or release of resources, which can be exploited by a remote attacker to cause a denial of service. The vulnerability exists in .NET 6.0, .NET 5.0, and .NET Core 3.1 when parsing certain types of HTTP form requests. **Recommendations** To fix the issue, update .NET 6.0 to version 6.0.3 or later. To fix the issue, update .NET 5.0 to version 5.0.15 or later. To fix the issue, update .NET Core 3.1 to version 3.1.23 or later. As a temporary workaround, consider restricting access to the vulnerable HTTP form request parsing functionality until a patch is available.