Latest .NET 6.0.9 fixes stack overflow denial of service in .NET Core and Visual...

Latest .NET 6.0.9 fixes stack overflow denial of service in .NET Core and Visual Studio

Microsoft today has released .NET September 2022 updates in the form of .NET 6.0.9 and .NET Core 3.1.29. The major highlight of the new release is a security fix for .NET Core and Visual Studio stack overflow Denial of Service (DoS) vulnerability. The security flaw has been assigned the tracking ID "CVE-2022-38013". It has a high severity rating with a Common Vulnerability Scoring System (CVSS) score of 7.5.

The company says:

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6 and .NET Core 3.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A denial of service vulnerability exists in ASP.NET Core 3.1 and .NET 6.0 where a malicious client could cause a stack overflow which may result in a denial of service attack when an attacker sends a customized payload that is parsed during model binding.

Aside from the security fixes, the new releases also feature runtime improvements.

.NET 6.0.9 and .NET Core 3.1.29 are available for Windows, macOS, and Linux, for x86, x64, Arm32, and Arm64. In terms of Visual Studio compatibility, you'll need Visual Studio 17.3 or later to use .NET 6.0 on Windows. On macOS, you'll need the latest version of Visual Studio for Mac.

You can find more information in the official blog post.