What is the severity of CVE-2023-29331?

CVE-2023-29331 has a severity rating that could lead to unbounded CPU usage due to a Denial of Service vulnerability in .NET applications using X509 certificates.

How do I fix CVE-2023-29331?

To fix CVE-2023-29331, update to the latest versions of affected products such as .NET 7.0 or .NET 6.0 following Microsoft's security guidelines.

Which software versions are affected by CVE-2023-29331?

CVE-2023-29331 affects .NET 6.0 and .NET 7.0, including various versions of Visual Studio 2022.

Can CVE-2023-29331 be exploited remotely?

Yes, CVE-2023-29331 can be exploited remotely when a malicious client presents an X509 certificate to an internet-facing .NET application.

What should developers do to mitigate CVE-2023-29331?

Developers should ensure they are implementing proper validation of client certificates and promptly apply patches or updates from Microsoft.

Vulnerability/
CVE-2023-29331

high

7.5

CWE

400

6/6/2023

13/6/2023

14/6/2023

28/2/2025

CVE-2023-29331: .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability

First published: Tue Jun 06 2023(Updated: )

.NET Kestrel: Denial of Service processing X509 Certificates When a .NET application is internet-facing and accepts an X509 client certificate for mutual TLS, a malicious client certificate can cause unbounded CPU usage.

Credit: secure@microsoft.com secure@microsoft.com secure@microsoft.com

Affected Software	Affected Version	How to fix
Microsoft .NET 7.0		fix available externally
Microsoft .NET 6.0		fix available externally
nuget/Microsoft.NetCore.App.Runtime.win-x86	>=6.0.0<=6.0.16	6.0.18
nuget/Microsoft.NetCore.App.Runtime.win-x86	>=7.0.0<=7.0.5	7.0.7
nuget/Microsoft.NetCore.App.Runtime.win-x64	>=7.0.0<=7.0.5	7.0.7
nuget/Microsoft.NetCore.App.Runtime.win-x64	>=6.0.0<=6.0.16	6.0.18
nuget/Microsoft.NetCore.App.Runtime.win-arm64	>=7.0.0<=7.0.5	7.0.7
nuget/Microsoft.NetCore.App.Runtime.win-arm64	>=6.0.0<=6.0.16	6.0.18
nuget/Microsoft.NetCore.App.Runtime.win-arm	>=7.0.0<=7.0.5	7.0.7
nuget/Microsoft.NetCore.App.Runtime.win-arm	>=6.0.0<=6.0.16	6.0.18
nuget/Microsoft.NetCore.App.Runtime.osx-x64	>=7.0.0<=7.0.5	7.0.7
nuget/Microsoft.NetCore.App.Runtime.osx-x64	>=6.0.0<=6.0.16	6.0.18
nuget/Microsoft.NetCore.App.Runtime.osx-arm64	>=7.0.0<=7.0.5	7.0.7
nuget/Microsoft.NetCore.App.Runtime.osx-arm64	>=6.0.0<=6.0.16	6.0.18
nuget/Microsoft.NetCore.App.Runtime.linux-x64	>=7.0.0<=7.0.5	7.0.7
nuget/Microsoft.NetCore.App.Runtime.linux-x64	>=6.0.0<=6.0.16	6.0.18
nuget/Microsoft.NetCore.App.Runtime.linux-musl-x64	>=7.0.0<=7.0.5	7.0.7
nuget/Microsoft.NetCore.App.Runtime.linux-musl-x64	>=6.0.0<=6.0.16	6.0.18
nuget/Microsoft.NetCore.App.Runtime.linux-musl-arm64	>=6.0.0<=6.0.16	6.0.18
nuget/Microsoft.NetCore.App.Runtime.linux-musl-arm64	>=7.0.0<=7.0.5	7.0.7
nuget/Microsoft.NetCore.App.Runtime.linux-musl-arm	>=6.0.0<=6.0.16	6.0.18
nuget/Microsoft.NetCore.App.Runtime.linux-musl-arm	>=7.0.0<=7.0.5	7.0.7
nuget/Microsoft.NetCore.App.Runtime.linux-arm64	>=7.0.0<=7.0.5	7.0.7
nuget/Microsoft.NetCore.App.Runtime.linux-arm64	>=6.0.0<=6.0.16	6.0.18
nuget/Microsoft.NetCore.App.Runtime.linux-arm	>=6.0.0<=6.0.16	6.0.18
nuget/Microsoft.NetCore.App.Runtime.linux-arm	>=7.0.0<=7.0.5	7.0.7
nuget/System.Security.Cryptography.Pkcs	>=6.0.0<=6.0.2	6.0.3
nuget/System.Security.Cryptography.Pkcs	>=7.0.0<=7.0.1	7.0.2
nuget/Microsoft.Windows.Compatibility	>=6.0.0<=6.0.4	6.0.6
nuget/Microsoft.Windows.Compatibility	>=7.0.0<=7.0.1	7.0.3
Microsoft .NET Framework	=3.5	fix available externally
Microsoft PowerShell		fix available externally
Microsoft PowerShell		fix available externally
Microsoft .NET Framework 4	=3.0	fix available externally fix available externally
Microsoft .NET Framework 4	=4.6.2	fix available externally fix available externally
Microsoft .NET Framework 4	=2.0	fix available externally fix available externally
Microsoft .NET Framework 4	=4.6.2=4.7=4.7.1=4.7.2	fix available externally fix available externally
Microsoft .NET Framework 4	=3.0	fix available externally fix available externally
Microsoft .NET Framework 4	=3.5.1	fix available externally fix available externally
Microsoft .NET Framework 4	=2.0	fix available externally fix available externally
Microsoft .NET Framework 4	=4.8	fix available externally fix available externally
Microsoft .NET Framework 4	=4.6.2=4.7=4.7.1=4.7.2	fix available externally fix available externally
Microsoft .NET Framework 4	=3.5	fix available externally fix available externally
Microsoft .NET Framework 4	=4.8	fix available externally fix available externally
Microsoft .NET Framework 4	=4.8	fix available externally fix available externally
Microsoft .NET Framework 4	=3.5	fix available externally fix available externally
Microsoft .NET Framework 4	=4.6.2=4.7=4.7.1=4.7.2	fix available externally fix available externally
Microsoft .NET Framework 4	=3.5=4.6.2=4.7=4.7.1=4.7.2	fix available externally
Microsoft .NET Framework 4	=4.8	fix available externally
Microsoft .NET Framework 4	=3.5=4.7.2	fix available externally
Microsoft .NET Framework 4	=3.5=4.8	fix available externally
Microsoft .NET Framework 4	=3.5=4.7.2	fix available externally
Microsoft .NET Framework 4	=3.5=4.8	fix available externally
Microsoft .NET Framework 4	=3.5=4.8.1	fix available externally
Microsoft .NET Framework 4	=3.5=4.8	fix available externally
Microsoft .NET Framework 4	=3.5=4.8.1	fix available externally
Microsoft .NET Framework 4	=3.5=4.8.1	fix available externally
Microsoft .NET Framework 4	=3.5=4.8	fix available externally
Microsoft .NET Framework 4	=3.5=4.8.1	fix available externally
Microsoft .NET Framework 4	=3.5=4.8.1	fix available externally
All of
Any of
Microsoft Windows 10
Microsoft Windows 10
Microsoft Windows Server	=r2-sp1
Microsoft Windows Server
Microsoft Windows Server	=r2
Microsoft Windows Server 2016
Microsoft .NET Framework 4	=4.8
All of
Any of
Microsoft Windows Server	=r2-sp1
Microsoft Windows Server
Microsoft Windows Server	=r2
Any of
Microsoft .NET Framework 4	=4.6.2
Microsoft .NET Framework 4	=4.7
Microsoft .NET Framework 4	=4.7.1
Microsoft .NET Framework 4	=4.7.2
All of
Any of
Microsoft Windows Server	=sp2
Microsoft Windows Server	=sp2
Microsoft Windows Server
Microsoft Windows Server	=r2
Microsoft .NET Framework 4	=4.6.2
All of
Microsoft Windows Server	=r2-sp1
Microsoft .NET Framework 4	=3.5.1
All of
Any of
Microsoft Windows 10
Microsoft Windows 10
Any of
Microsoft .NET Framework 4	=3.5
Microsoft .NET Framework 4	=4.6.2
All of
Any of
Microsoft Windows 10
Microsoft Windows 10
Microsoft Windows 10
Microsoft Windows 10
Microsoft Windows 10
Microsoft Windows 10
Microsoft Windows 10
Microsoft Windows 10
Windows 11
Windows 11
Windows 11
Windows 11
Microsoft Windows Server 2022
Any of
Microsoft .NET Framework 4	=3.5
Microsoft .NET Framework 4	=4.8.1
All of
Any of
Microsoft .NET Framework 4	=3.5
Microsoft .NET Framework 4	=4.8
Any of
Microsoft Windows 10
Microsoft Windows 10
Microsoft Windows 10
Microsoft Windows 10
Microsoft Windows 10
Microsoft Windows 10
Microsoft Windows 10
Microsoft Windows 10
Microsoft Windows 10
Microsoft Windows 10
Windows 11
Windows 11
Windows 11
Windows 11
Microsoft Windows Server 2019
Microsoft Windows Server 2022
All of
Any of
Microsoft .NET Framework 4	=3.5
Microsoft .NET Framework 4	=4.7.2
Any of
Microsoft Windows 10
Microsoft Windows 10
Microsoft Windows Server 2019
All of
Any of
Microsoft .NET Framework 4	=3.5
Microsoft .NET Framework 4	=4.6.2
Microsoft .NET Framework 4	=4.7
Microsoft .NET Framework 4	=4.7.1
Microsoft .NET Framework 4	=4.7.2
Any of
Microsoft Windows 10
Microsoft Windows 10
Microsoft Windows Server 2016
All of
Microsoft .NET Framework 4	=3.5
Any of
Microsoft Windows Server
Microsoft Windows Server	=r2
All of
Microsoft .NET Framework 4	=3.0-sp2
Any of
Microsoft Windows Server	=sp2
Microsoft Windows Server	=sp2
All of
Microsoft .NET Framework 4	=2.0-sp2
Any of
Microsoft Windows Server	=sp2
Microsoft Windows Server	=sp2
Microsoft .NET Framework	=6.0.0
Microsoft .NET Framework	=7.0.0
Microsoft .NET Framework 4	=4.8
Microsoft Windows 10
Microsoft Windows 10
Microsoft Windows Server	=r2-sp1
Microsoft Windows Server
Microsoft Windows Server	=r2
Microsoft Windows Server 2016
Microsoft .NET Framework 4	=4.6.2
Microsoft .NET Framework 4	=4.7
Microsoft .NET Framework 4	=4.7.1
Microsoft .NET Framework 4	=4.7.2
Microsoft Windows Server	=sp2
Microsoft Windows Server	=sp2
Microsoft .NET Framework 4	=3.5.1
Microsoft .NET Framework 4	=3.5
Microsoft Windows 10
Microsoft Windows 10
Microsoft .NET Framework 4	=4.8.1
Microsoft Windows 10
Microsoft Windows 10
Microsoft Windows 10
Microsoft Windows 10
Microsoft Windows 10
Microsoft Windows 10
Windows 11
Windows 11
Windows 11
Windows 11
Microsoft Windows Server 2022
Microsoft Windows 10
Microsoft Windows 10
Microsoft Windows Server 2019
Microsoft .NET Framework 4	=3.0-sp2
Microsoft .NET Framework 4	=2.0-sp2
Visual Studio Community 2022	=17.2	fix available externally
Visual Studio Community 2022	=17.0	fix available externally
Visual Studio Community 2022	=17.6	fix available externally

Remedy

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-29331

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2023-29331?
CVE-2023-29331 has a severity rating that could lead to unbounded CPU usage due to a Denial of Service vulnerability in .NET applications using X509 certificates.
How do I fix CVE-2023-29331?
To fix CVE-2023-29331, update to the latest versions of affected products such as .NET 7.0 or .NET 6.0 following Microsoft's security guidelines.
Which software versions are affected by CVE-2023-29331?
CVE-2023-29331 affects .NET 6.0 and .NET 7.0, including various versions of Visual Studio 2022.
Can CVE-2023-29331 be exploited remotely?
Yes, CVE-2023-29331 can be exploited remotely when a malicious client presents an X509 certificate to an internet-facing .NET application.
What should developers do to mitigate CVE-2023-29331?
Developers should ensure they are implementing proper validation of client certificates and promptly apply patches or updates from Microsoft.

collector/msrc
agent/type
agent/first-publish-date
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2023-29331
agent/references
agent/title
agent/remedy
agent/severity
agent/description
collector/msrc-cve
source/Microsoft
agent/software-canonical-lookup
agent/author
agent/weakness
agent/event
collector/github-advisory-latest
source/GitHub
alias/GHSA-555c-2p6r-68mm
collector/github-advisory
agent/trending
agent/source
agent/software-canonical-lookup-request
collector/nvd-api
source/NVD
collector/nvd-cve
collector/nvd-index
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/softwarecombine
agent/tags
vendor/microsoft
canonical/microsoft .net 7.0
canonical/microsoft .net 6.0
package-manager/nuget
canonical/microsoft .net framework
version/microsoft .net framework/3.5
canonical/microsoft powershell
canonical/microsoft .net framework 4
version/microsoft .net framework 4/3.0
version/microsoft .net framework 4/4.6.2
version/microsoft .net framework 4/2.0
version/microsoft .net framework 4/4.7
version/microsoft .net framework 4/4.7.1
version/microsoft .net framework 4/4.7.2
version/microsoft .net framework 4/3.5.1
version/microsoft .net framework 4/4.8
version/microsoft .net framework 4/3.5
version/microsoft .net framework 4/4.8.1
canonical/microsoft windows 10
canonical/microsoft windows server
version/microsoft windows server/r2-sp1
version/microsoft windows server/r2
canonical/microsoft windows server 2016
version/microsoft windows server/sp2
canonical/windows 11
canonical/microsoft windows server 2022
canonical/microsoft windows server 2019
version/microsoft .net framework 4/3.0-sp2
version/microsoft .net framework 4/2.0-sp2
version/microsoft .net framework/6.0.0
version/microsoft .net framework/7.0.0
canonical/visual studio community 2022
version/visual studio community 2022/17.2
version/visual studio community 2022/17.0
version/visual studio community 2022/17.6
version/visual studio community 2022/17.4