By clicking "Accept", you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.

Thank you! Your submission has been received!

Oops! Something went wrong while submitting the form.

View all Vulnerabilities

CVE-2025-21172

Heap-based Buffer Overflow

Affects

.NET Runtime

>= 6.0.0 <= 6.0.36 >= 8.0.0 <= 8.0.11 <= 9.0.0

.NET

Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

View NES Solution

Overview

.NET is a free, open-source, cross-platform framework for building modern apps and powerful cloud services. It consists of a runtime and a developer platform made up of tools, programming languages, and libraries for building many different types of applications.

‍

A vulnerability (CVE-2025-21172) exists in msdia140.dll due to integer overflow and heap-based overflow. Exploitation of this vulnerability requires that an attacker convince a user to open a maliciously crafted package file in Visual Studio.

‍

Per CWE-122: Heap-based Buffer Overflow, a heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().

‍

Per CWE-190: Integer Overflow or Wraparound, is when a product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.

‍

This issue affects .NET 6.0.0 <= 6.0.36, 8.0.0 <= 8.0.11, <= 9.0.0.

‍

Additionally, if you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.

‍

Details

Module Info

Product:
- Any .NET 6.0 application running on .NET 6.0.36 or earlier.
- Any .NET 8.0 application running on .NET 8.0.11 or earlier.
- Any .NET 9.0 application running on .NET 9.0.0 or earlier.
Affected packages:
- Microsoft.NetCore.App.Runtime.linux-arm
- Microsoft.NetCore.App.Runtime.linux-arm64
- Microsoft.NetCore.App.Runtime.linux-musl-arm
- Microsoft.NetCore.App.Runtime.linux-musl-arm64
- Microsoft.NetCore.App.Runtime.linux-musl-x64
- Microsoft.NetCore.App.Runtime.linux-x64
- Microsoft.NetCore.App.Runtime.osx-arm64
- Microsoft.NetCore.App.Runtime.osx-x64
- Microsoft.NetCore.App.Runtime.win-arm
- Microsoft.NetCore.App.Runtime.win-arm64
- Microsoft.NetCore.App.Runtime.win-x64
- Microsoft.NetCore.App.Runtime.win-x86
Affected versions:
- >= 6.0.0 <= 6.0.36
- >= 8.0.0 <= 8.0.11
- <= 9.0.0
GitHub repository: https://github.com/dotnet
Published packages: Download .NET (Linux, macOS, and Windows)
Package manager:
- Nuget
- Windows Installer
- Docker
Fixed in: .NET - Never-Ending Support (NES) | HeroDevs v6.1.0

‍

Vulnerability Info

This High-severity vulnerability is found in msdia140.dll.

‍

Credits

goodbyeselene

‍

Mitigation

.NET 6.x is End-of-Life and will not receive any updates to address this issue. For more information see .NET and .NET Core official support policy.

‍

Users of the affected components should apply one of the following mitigations:

Upgrade affected applications to one of:
- .NET Runtime >= 8.0.12
- .NET Runtime >= 9.0.1
Leverage a commercial support partner like HeroDevs for post-EOL security support.

‍