PT-2025-36468 · Microsoft+1 · Asp.Net 9.0+3

Published: 2025-09-08 · Updated: 2025-10-02 · CVE-2025-36854

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions:
EOL ASP.NET versions 6.0.0 through 6.0.36
EOL ASP.NET versions 8.0.0 through 8.0.8
EOL ASP.NET versions 9.0.0-preview.1.24081.5 through 9.0.0.RC.1

Description: A race condition may occur when closing an HTTP/3 stream while application code is writing to the response body, potentially leading to a use-after-free condition and resulting in Remote Code Execution. Use-after-free occurs when memory is reused or referenced after it has been freed, potentially leading to invalid operations if the memory has been reallocated. Self-contained applications targeting any of the impacted versions are also vulnerable and require recompilation and redeployment.

Recommendations:
EOL ASP.NET version 6.0.0 through 6.0.36: Recompile and redeploy self-contained applications.
EOL ASP.NET version 8.0.0 through 8.0.8: Recompile and redeploy self-contained applications.
EOL ASP.NET version 9.0.0-preview.1.24081.5 through 9.0.0.RC.1: Recompile and redeploy self-contained applications.

Fix

RCE

Use After Free

Weakness Enumeration

Related Identifiers

BDU:2025-12583
CVE-2025-36854

Affected Products

Asp.Net 6.0
Asp.Net 8.0
Asp.Net 9.0
Red Os