What is CVE-2022-38013?

CVE-2022-38013 is a denial of service vulnerability in .NET Core and Visual Studio.

Which software is affected by CVE-2022-38013?

The affected software includes Microsoft .NET 6.0.0, Microsoft .NET Core 3.1, Microsoft Visual Studio 2019 versions 16.9 and 16.11, and Microsoft Visual Studio 2022 versions 17.0, 17.2, and 17.3.

What is the severity of CVE-2022-38013?

CVE-2022-38013 has a severity rating of high (7.5).

How can I fix CVE-2022-38013?

To fix CVE-2022-38013, it is recommended to update to the latest versions of the affected software.

Where can I find more information about CVE-2022-38013?

You can find more information about CVE-2022-38013 at the following references: [link 1](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2CUL3Z7MEED7RFQZVGQL2MTKSFFZKAAY/), [link 2](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7HCV4TQGOTOFHO5ETRKGFKAGYV2YAUVE/), [link 3](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JA6F4CDKLI3MALV6UK3P2DR5AGCLTT7Y/)

Vulnerability/
CVE-2022-38013

high

7.5

13/9/2022

15/9/2022

20/12/2023

CVE-2022-38013: .NET Core and Visual Studio Denial of Service Vulnerability

First published: Tue Sep 13 2022(Updated: )

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core 3.1 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A denial of service vulnerability exists in ASP.NET Core 3.1 and .NET 6.0 where a malicious client could cause a stack overflow which may result in a denial of service attack when an attacker sends a customized payload that is parsed during model binding. ## <a name="affected-software"></a>Affected software * Any .NET 6.0 application running on .NET 6.0.8 or earlier. * Any ASP.NET Core 3.1 application running on .NET Core 3.1.28 or earlier. If your application uses the following package versions, ensure you update to the latest version of .NET. ### <a name="ASP.NET Core 3.1"></a>.NET Core 3.1 Package name | Affected version | Patched version ------------ | ---------------- | ------------------------- [Microsoft.AspNetCore.App.Runtime.linux-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm)|>= 3.1.0, < 3.1.29|3.1.29 [Microsoft.AspNetCore.App.Runtime.linux-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm64)|>= 3.1.0, < 3.1.29|3.1.29 [Microsoft.AspNetCore.App.Runtime.linux-musl-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-arm64)|>= 3.1.0, < 3.1.29|3.1.29 [Microsoft.AspNetCore.App.Runtime.linux-musl-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-x64)|>= 3.1.0, < 3.1.29|3.1.29 [Microsoft.AspNetCore.App.Runtime.linux-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-x64)|>= 3.1.0, < 3.1.29|3.1.29 [Microsoft.AspNetCore.App.Runtime.osx-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.osx-x64)|>= 3.1.0, < 3.1.29|3.1.29 [Microsoft.AspNetCore.App.Runtime.win-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm)|>= 3.1.0, < 3.1.29|3.1.29 [Microsoft.AspNetCore.App.Runtime.win-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm64)|>= 3.1.5, < 3.1.29|3.1.29 [Microsoft.AspNetCore.App.Runtime.win-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x64)|>= 3.1.0, < 3.1.29|3.1.29 [Microsoft.AspNetCore.App.Runtime.win-x86](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x86)|>= 3.1.0, < 3.1.29|3.1.29 ### <a name=".NET 6"></a>.NET 6 Package name | Affected version | Patched version ------------ | ---------------- | ------------------------- [Microsoft.AspNetCore.App.Runtime.linux-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm)|>= 5.0.0, < 6.0.9|6.0.9 [Microsoft.AspNetCore.App.Runtime.linux-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-arm64)|>= 5.0.0, < 6.0.9|6.0.9 [Microsoft.AspNetCore.App.Runtime.linux-musl-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-arm)|>= 5.0.1, < 6.0.9|6.0.9 [Microsoft.AspNetCore.App.Runtime.linux-musl-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-arm64)|>= 5.0.0, < 6.0.9|6.0.9 [Microsoft.AspNetCore.App.Runtime.linux-musl-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-musl-x64)|>= 5.0.0, < 6.0.9|6.0.9 [Microsoft.AspNetCore.App.Runtime.linux-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.linux-x64)|>= 5.0.0, < 6.0.9|6.0.9 [Microsoft.AspNetCore.App.Runtime.osx-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.osx-arm64)|>= 6.0.0, < 6.0.9|6.0.9 [Microsoft.AspNetCore.App.Runtime.osx-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.osx-x64)|>= 5.0.0, < 6.0.9|6.0.9 [Microsoft.AspNetCore.App.Runtime.win-arm](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm)|>= 5.0.0, < 6.0.9|6.0.9 [Microsoft.AspNetCore.App.Runtime.win-arm64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-arm64)|>= 5.0.0, < 6.0.9|6.0.9 [Microsoft.AspNetCore.App.Runtime.win-x64](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x64)|>= 5.0.0, < 6.0.9|6.0.9 [Microsoft.AspNetCore.App.Runtime.win-x86](https://www.nuget.org/packages/Microsoft.AspNetCore.App.Runtime.win-x86)|>= 5.0.0, < 6.0.9|6.0.9 ### Other Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/234 An Issue for this can be found at https://github.com/dotnet/aspnetcore/issues/43953 MSRC details for this can be found at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38013

Credit: secure@microsoft.com secure@microsoft.com secure@microsoft.com

Affected Software	Affected Version	How to fix
Microsoft .NET	=6.0.0
Microsoft .NET Core	=3.1
Microsoft Visual Studio 2019	=16.9
Microsoft Visual Studio 2019	=16.11
Microsoft Visual Studio 2022	=17.0
Microsoft Visual Studio 2022	=17.2
Microsoft Visual Studio 2022	=17.3
Microsoft Visual Studio 2022	=17.3
Fedoraproject Fedora	=35
Fedoraproject Fedora	=36
Fedoraproject Fedora	=37
nuget/Microsoft.AspNetCore.App.Runtime.win-x86	>=5.0.0<6.0.9	6.0.9
nuget/Microsoft.AspNetCore.App.Runtime.win-x64	>=5.0.0<6.0.9	6.0.9
nuget/Microsoft.AspNetCore.App.Runtime.win-arm64	>=5.0.0<6.0.9	6.0.9
nuget/Microsoft.AspNetCore.App.Runtime.win-arm	>=5.0.0<6.0.9	6.0.9
nuget/Microsoft.AspNetCore.App.Runtime.osx-x64	>=5.0.0<6.0.9	6.0.9
nuget/Microsoft.AspNetCore.App.Runtime.osx-arm64	>=5.0.0<6.0.9	6.0.9
nuget/Microsoft.AspNetCore.App.Runtime.linux-x64	>=5.0.0<6.0.9	6.0.9
nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-x64	>=5.0.0<6.0.9	6.0.9
nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-arm64	>=5.0.0<6.0.9	6.0.9
nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-arm	>=5.0.0<6.0.9	6.0.9
nuget/Microsoft.AspNetCore.App.Runtime.linux-arm64	>=5.0.0<6.0.9	6.0.9
nuget/Microsoft.AspNetCore.App.Runtime.linux-arm	>=5.0.0<6.0.9	6.0.9
nuget/Microsoft.AspNetCore.App.Runtime.win-x86	>=3.1.0<3.1.29	3.1.29
nuget/Microsoft.AspNetCore.App.Runtime.win-x64	>=3.1.0<3.1.29	3.1.29
nuget/Microsoft.AspNetCore.App.Runtime.win-arm64	>=3.1.0<3.1.29	3.1.29
nuget/Microsoft.AspNetCore.App.Runtime.win-arm	>=3.1.0<3.1.29	3.1.29
nuget/Microsoft.AspNetCore.App.Runtime.osx-x64	>=3.1.0<3.1.29	3.1.29
nuget/Microsoft.AspNetCore.App.Runtime.linux-x64	>=3.1.0<3.1.29	3.1.29
nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-x64	>=3.1.0<3.1.29	3.1.29
nuget/Microsoft.AspNetCore.App.Runtime.linux-musl-arm64	>=3.1.0<3.1.29	3.1.29
nuget/Microsoft.AspNetCore.App.Runtime.linux-arm64	>=3.1.0<3.1.29	3.1.29
nuget/Microsoft.AspNetCore.App.Runtime.linux-arm	>=3.1.0<3.1.29	3.1.29

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2022-38013?
CVE-2022-38013 is a denial of service vulnerability in .NET Core and Visual Studio.
Which software is affected by CVE-2022-38013?
The affected software includes Microsoft .NET 6.0.0, Microsoft .NET Core 3.1, Microsoft Visual Studio 2019 versions 16.9 and 16.11, and Microsoft Visual Studio 2022 versions 17.0, 17.2, and 17.3.
What is the severity of CVE-2022-38013?
CVE-2022-38013 has a severity rating of high (7.5).
How can I fix CVE-2022-38013?
To fix CVE-2022-38013, it is recommended to update to the latest versions of the affected software.
Where can I find more information about CVE-2022-38013?
You can find more information about CVE-2022-38013 at the following references: [link 1](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2CUL3Z7MEED7RFQZVGQL2MTKSFFZKAAY/), [link 2](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7HCV4TQGOTOFHO5ETRKGFKAGYV2YAUVE/), [link 3](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JA6F4CDKLI3MALV6UK3P2DR5AGCLTT7Y/)

agent/author
agent/description
agent/event
agent/first-publish-date
agent/last-modified-date
agent/references
agent/remedy
agent/severity
agent/softwarecombine
agent/tags
agent/title
agent/type
collector/github-advisory
alias/GHSA-r8m2-4x37-6592
alias/CVE-2022-38013
collector/github-advisory-latest
collector/mitre-cve
collector/nvd-api
agent/software-canonical-lookup-request
collector/nvd-cve
collector/nvd-index
package-manager/nuget
vendor/microsoft
canonical/microsoft .net
version/microsoft .net/6.0.0
canonical/microsoft .net core
version/microsoft .net core/3.1
canonical/microsoft visual studio 2019
version/microsoft visual studio 2019/16.9
version/microsoft visual studio 2019/16.11
canonical/microsoft visual studio 2022
version/microsoft visual studio 2022/17.0
version/microsoft visual studio 2022/17.2
version/microsoft visual studio 2022/17.3
vendor/fedoraproject
canonical/fedoraproject fedora
version/fedoraproject fedora/35
version/fedoraproject fedora/36
version/fedoraproject fedora/37