Home › Vendors › Microsoft › .netMicrosoft .net — known CVE vulnerabilities Every CVE whose affected-product data names Microsoft .net, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (91) CVE-2024-43498 — CVSS 9.8 (critical) : .NET and Visual Studio Remote Code Execution VulnerabilityCVE-2024-0057 — CVSS 9.1 (critical) : NET, .NET Framework, and Visual Studio Security Feature Bypass VulnerabilityCVE-2025-21176 — CVSS 8.8 (high) : .NET, .NET Framework, and Visual Studio Remote Code Execution VulnerabilityCVE-2024-0056 — CVSS 8.7 (high) : Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data Provider Security Feature Bypass VulnerabilityCVE-2021-24112 — CVSS 8.1 (high) : .NET Core Remote Code Execution VulnerabilityCVE-2024-35264 — CVSS 8.1 (high) : .NET and Visual Studio Remote Code Execution VulnerabilityCVE-2021-26701 — CVSS 8.1 (high) : .NET Core Remote Code Execution VulnerabilityCVE-2023-33127 — CVSS 8.1 (high) : .NET and Visual Studio Elevation of Privilege VulnerabilityCVE-2023-33170 — CVSS 8.1 (high) : ASP.NET and Visual Studio Security Feature Bypass VulnerabilityCVE-2024-38229 — CVSS 8.1 (high) : .NET and Visual Studio Remote Code Execution VulnerabilityCVE-2025-26646 — CVSS 8.0 (high) : External control of file name or path in .NET, Visual Studio, and Build Tools for Visual Studio allows an authorized attacker to perform…CVE-2023-24895 — CVSS 7.8 (high) : .NET, .NET Framework, and Visual Studio Remote Code Execution VulnerabilityCVE-2023-24897 — CVSS 7.8 (high) : .NET, .NET Framework, and Visual Studio Remote Code Execution VulnerabilityCVE-2023-28260 — CVSS 7.8 (high) : .NET DLL Hijacking Remote Code Execution VulnerabilityCVE-2026-26131 — CVSS 7.8 (high) : Incorrect default permissions in .NET allows an authorized attacker to elevate privileges locally.CVE-2023-36796 — CVSS 7.8 (high) : Visual Studio Remote Code Execution VulnerabilityCVE-2023-36794 — CVSS 7.8 (high) : Visual Studio Remote Code Execution VulnerabilityCVE-2023-36793 — CVSS 7.8 (high) : Visual Studio Remote Code Execution VulnerabilityCVE-2023-36792 — CVSS 7.8 (high) : Visual Studio Remote Code Execution VulnerabilityCVE-2023-35390 — CVSS 7.8 (high) : .NET and Visual Studio Remote Code Execution VulnerabilityCVE-2026-45490 — CVSS 7.8 (high) : Improper authorization in .NET allows an authorized attacker to elevate privileges locally.CVE-2022-41032 — CVSS 7.8 (high) : NuGet Client Elevation of Privilege VulnerabilityCVE-2023-21808 — CVSS 7.8 (high) : .NET and Visual Studio Remote Code Execution VulnerabilityCVE-2023-36049 — CVSS 7.6 (high) : .NET, .NET Framework, and Visual Studio Elevation of Privilege VulnerabilityCVE-2026-45591 — CVSS 7.5 (high) : Uncontrolled resource consumption in ASP.NET Core allows an unauthorized attacker to deny service over a network.CVE-2021-26423 — CVSS 7.5 (high) : .NET Core and Visual Studio Denial of Service VulnerabilityCVE-2022-21986 — CVSS 7.5 (high) : .NET Denial of Service VulnerabilityCVE-2022-23267 — CVSS 7.5 (high) : .NET and Visual Studio Denial of Service VulnerabilityCVE-2022-24464 — CVSS 7.5 (high) : .NET and Visual Studio Denial of Service VulnerabilityCVE-2022-29117 — CVSS 7.5 (high) : .NET and Visual Studio Denial of Service VulnerabilityCVE-2022-29145 — CVSS 7.5 (high) : .NET and Visual Studio Denial of Service VulnerabilityCVE-2022-38013 — CVSS 7.5 (high) : .NET Core and Visual Studio Denial of Service VulnerabilityCVE-2023-21538 — CVSS 7.5 (high) : .NET Denial of Service VulnerabilityCVE-2023-24936 — CVSS 7.5 (high) : .NET, .NET Framework, and Visual Studio Elevation of Privilege VulnerabilityCVE-2023-29331 — CVSS 7.5 (high) : .NET, .NET Framework, and Visual Studio Denial of Service VulnerabilityCVE-2023-36435 — CVSS 7.5 (high) : Microsoft QUIC Denial of Service VulnerabilityCVE-2023-38171 — CVSS 7.5 (high) : Microsoft QUIC Denial of Service VulnerabilityCVE-2023-38178 — CVSS 7.5 (high) : .NET Core and Visual Studio Denial of Service VulnerabilityCVE-2023-38180 — CVSS 7.5 (high) — actively exploited : .NET and Visual Studio Denial of Service VulnerabilityCVE-2023-44487 — CVSS 7.5 (high) — actively exploited : The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly…CVE-2024-20672 — CVSS 7.5 (high) : .NET Denial of Service VulnerabilityCVE-2024-21392 — CVSS 7.5 (high) : .NET and Visual Studio Denial of Service VulnerabilityCVE-2024-26190 — CVSS 7.5 (high) : Microsoft QUIC Denial of Service VulnerabilityCVE-2024-30105 — CVSS 7.5 (high) : .NET and Visual Studio Denial of Service VulnerabilityCVE-2024-38095 — CVSS 7.5 (high) : .NET and Visual Studio Denial of Service VulnerabilityCVE-2024-38168 — CVSS 7.5 (high) : .NET and Visual Studio Denial of Service VulnerabilityCVE-2024-43483 — CVSS 7.5 (high) : .NET, .NET Framework, and Visual Studio Denial of Service VulnerabilityCVE-2024-43484 — CVSS 7.5 (high) : .NET, .NET Framework, and Visual Studio Denial of Service VulnerabilityCVE-2024-43485 — CVSS 7.5 (high) : .NET and Visual Studio Denial of Service VulnerabilityCVE-2024-43499 — CVSS 7.5 (high) : .NET and Visual Studio Denial of Service VulnerabilityCVE-2025-21171 — CVSS 7.5 (high) : .NET Remote Code Execution VulnerabilityCVE-2025-21172 — CVSS 7.5 (high) : .NET and Visual Studio Remote Code Execution VulnerabilityCVE-2025-30399 — CVSS 7.5 (high) : Untrusted search path in .NET and Visual Studio allows an unauthorized attacker to execute code over a network.CVE-2026-21218 — CVSS 7.5 (high) : Improper handling of missing special element in .NET allows an unauthorized attacker to perform spoofing over a network.CVE-2026-25667 — CVSS 7.5 (high) : ASP.NET Core Kestrel in Microsoft .NET 8.0 before 8.0.22 and .NET 9.0 before 9.0.11 allows a remote attacker to cause excessive CPU…CVE-2026-26127 — CVSS 7.5 (high) : Out-of-bounds read in .NET allows an unauthorized attacker to deny service over a network.CVE-2026-26171 — CVSS 7.5 (high) : Uncontrolled resource consumption in .NET allows an unauthorized attacker to deny service over a network.CVE-2026-32178 — CVSS 7.5 (high) : Improper neutralization of special elements in .NET allows an unauthorized attacker to perform spoofing over a network.CVE-2026-32203 — CVSS 7.5 (high) : Stack-based buffer overflow in .NET and Visual Studio allows an unauthorized attacker to deny service over a network.CVE-2026-33116 — CVSS 7.5 (high) : Loop with unreachable exit condition ('infinite loop') in .NET, .NET Framework, Visual Studio allows an unauthorized attacker to deny…CVE-2026-42899 — CVSS 7.5 (high) : Loop with unreachable exit condition ('infinite loop') in ASP.NET Core allows an unauthorized attacker to deny service over a network.CVE-2020-1108 — CVSS 7.5 (high) : A denial of service vulnerability exists when .NET Core or .NET Framework improperly handles web requests, aka '.NET Core & .NET Framework…CVE-2024-21409 — CVSS 7.3 (high) : .NET, .NET Framework, and Visual Studio Remote Code Execution VulnerabilityCVE-2026-32177 — CVSS 7.3 (high) : Heap-based buffer overflow in .NET allows an unauthorized attacker to elevate privileges locally.CVE-2023-33135 — CVSS 7.3 (high) : .NET and Visual Studio Elevation of Privilege VulnerabilityCVE-2023-33128 — CVSS 7.3 (high) : .NET and Visual Studio Remote Code Execution VulnerabilityCVE-2023-33126 — CVSS 7.3 (high) : .NET and Visual Studio Remote Code Execution VulnerabilityCVE-2026-35433 — CVSS 7.3 (high) : Improper input validation in .NET allows an unauthorized attacker to elevate privileges locally.CVE-2024-38081 — CVSS 7.3 (high) : .NET, .NET Framework, and Visual Studio Elevation of Privilege VulnerabilityCVE-2021-31204 — CVSS 7.3 (high) : .NET and Visual Studio Elevation of Privilege VulnerabilityCVE-2025-21173 — CVSS 7.3 (high) : .NET Elevation of Privilege VulnerabilityCVE-2025-55247 — CVSS 7.3 (high) : Improper link resolution before file access ('link following') in .NET allows an authorized attacker to elevate privileges locally.CVE-2024-21319 — CVSS 6.8 (medium) : Microsoft Identity Denial of service vulnerabilityCVE-2021-1721 — CVSS 6.5 (medium) : .NET Core and Visual Studio Denial of Service VulnerabilityCVE-2023-36799 — CVSS 6.5 (medium) : .NET Core and Visual Studio Denial of Service VulnerabilityCVE-2024-38167 — CVSS 6.5 (medium) : .NET and Visual Studio Information Disclosure VulnerabilityCVE-2023-32032 — CVSS 6.5 (medium) : .NET and Visual Studio Elevation of Privilege VulnerabilityCVE-2022-24512 — CVSS 6.3 (medium) : .NET and Visual Studio Remote Code Execution VulnerabilityCVE-2024-30045 — CVSS 6.3 (medium) : .NET and Visual Studio Remote Code Execution VulnerabilityCVE-2026-45491 — CVSS 6.2 (medium) : Improper link resolution before file access ('link following') in .NET allows an unauthorized attacker to perform tampering locally.CVE-2023-36558 — CVSS 6.2 (medium) : ASP.NET Core Security Feature Bypass VulnerabilityCVE-2023-35391 — CVSS 6.2 (medium) : ASP.NET Core SignalR and Visual Studio Information Disclosure VulnerabilityCVE-2022-34716 — CVSS 5.9 (medium) : .NET Spoofing VulnerabilityCVE-2021-31957 — CVSS 5.9 (medium) : ASP.NET Core Denial of Service VulnerabilityCVE-2024-30046 — CVSS 5.9 (medium) : Visual Studio Denial of Service VulnerabilityCVE-2021-41355 — CVSS 5.7 (medium) : .NET Core and Visual Studio Information Disclosure VulnerabilityCVE-2022-30184 — CVSS 5.5 (medium) : .NET and Visual Studio Information Disclosure VulnerabilityCVE-2020-8927 — CVSS 5.3 (medium) : A buffer overflow exists in the Brotli library versions prior to 1.0.8 where an attacker controlling the input length of a "one-shot"…CVE-2021-34485 — CVSS 5.0 (medium) : .NET Core and Visual Studio Information Disclosure VulnerabilityCVE-2025-55248 — CVSS 4.8 (medium) : Inadequate encryption strength in .NET, .NET Framework, Visual Studio allows an authorized attacker to disclose information over a network.CVE-2026-32175 — CVSS 4.3 (medium) : A tampering vulnerability exists when .NET Core improperly handles specially crafted files. An attacker who successfully exploited this…