7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-26423

GHSA ID

GHSA-rh58-r7jh-xhx3

EPSS Score

0.8256%

CWE

Published

10/25/2022

Updated

1/30/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-26423

CVE-2021-26423:
.NET Core Elevation of Privilege Vulnerability

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 5.0 and .NET Core 3.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A denial of service vulnerability exists in .NET 5.0, .NET Core 3.1 and .NET Core 2.1 where .NET (Core) server applications providing WebSocket endpoints could be tricked into endlessly looping while trying to read a single WebSocket frame.

Patches

If you're using .NET 5.0, you should download and install Runtime 5.0.9 or SDK 5.0.206 (for Visual Studio 2019 v16.8) or SDK 5.0.303 (for Visual Studio 2019 V16.10) from https://dotnet.microsoft.com/download/dotnet-core/5.0.
If you're using .NET Core 3.1, you should download and install Runtime 3.1.18 or SDK 3.1.118 (for Visual Studio 2019 v16.4) or 3.1.412 (for Visual Studio 2019 v16.7 or later) from https://dotnet.microsoft.com/download/dotnet-core/3.1.
If you're using .NET Core 2.1, you should download and install Runtime 2.1.29 or SDK 2.1.525 (for Visual Studio 2019 v15.9) or 2.1.817 from https://dotnet.microsoft.com/download/dotnet-core/2.1.

Other Details

Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/194
An Issue for this can be found at https://github.com/dotnet/runtime/issues/57175
MSRC details for this can be found at https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26423

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-26423

GHSA ID

GHSA-rh58-r7jh-xhx3

EPSS Score

0.8256%

CWE

Published

10/25/2022

Updated

1/30/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
Microsoft.NETCore.App.Runtime.win-x86	nuget	>= 3.1.0, < 3.1.18	3.1.18
Microsoft.NETCore.App.Runtime.win-x86	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.win-x64	nuget	>= 3.1.0, < 3.1.18	3.1.18
Microsoft.NETCore.App.Runtime.win-x64	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.win-arm64	nuget	>= 3.1.0, < 3.1.18	3.1.18
Microsoft.NETCore.App.Runtime.win-arm64	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.win-arm	nuget	>= 3.1.0, < 3.1.18	3.1.18
Microsoft.NETCore.App.Runtime.win-arm	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.osx-x64	nuget	>= 3.1.0, < 3.1.18	3.1.18
Microsoft.NETCore.App.Runtime.osx-x64	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.Mono.osx-x64	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.Mono.LLVM.osx-x64	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.Mono.LLVM.linux-x64	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.Mono.LLVM.linux-arm64	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.osx-x64	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.linux-x64	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.Mono.LLVM.AOT.linux-arm64	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.Mono.linux-x64	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.Mono.linux-musl-x64	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.Mono.linux-arm64	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.Mono.linux-arm	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.linux-x64	nuget	>= 3.1.0, < 3.1.18	3.1.18
Microsoft.NETCore.App.Runtime.linux-x64	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.linux-musl-x64	nuget	>= 3.1.0, < 3.1.18	3.1.18
Microsoft.NETCore.App.Runtime.linux-musl-x64	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.linux-musl-arm64	nuget	>= 3.1.0, < 3.1.18	3.1.18
Microsoft.NETCore.App.Runtime.linux-musl-arm64	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.linux-musl-arm	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.rhel.6-x64	nuget	>= 3.1.0, < 3.1.18	3.1.18
Microsoft.NETCore.App.Runtime.linux-arm64	nuget	>= 3.1.0, < 3.1.18	3.1.18
Microsoft.NETCore.App.Runtime.linux-arm64	nuget	>= 5.0.0, < 5.0.9	5.0.9
Microsoft.NETCore.App.Runtime.linux-arm	nuget	>= 3.1.0, < 3.1.18	3.1.18
Microsoft.NETCore.App.Runtime.linux-arm	nuget	>= 5.0.0, < 5.0.9	5.0.9

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability centers on WebSocket frame processing leading to infinite loops. Analysis of .NET Core's WebSocket implementation shows:

ReceiveAsyncPrivate is the primary frame processing method handling payload parsing
The vulnerability description matches scenarios where payload length validation fails
Historical fixes for similar WebSocket DoS issues in .NET Core target these methods
Microsoft's security bulletin specifically mentions WebSocket endpoint handling as the attack vector While exact patch diffs aren't provided, the combination of vulnerability characteristics and .NET Core architecture strongly implicates these core WebSocket processing functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Mi*roso*t is r*l**sin* t*is s**urity **visory to provi** in*orm*tion **out * vuln*r**ility in .N*T *.* *n* .N*T *or* *.*. T*is **visory *lso provi**s *ui**n** on w**t **v*lop*rs **n *o to up**t* t**ir *ppli**tions to r*mov* t*is vuln*r**ility. * **n

Reasoning

T** vuln*r**ility **nt*rs on W**So*k*t *r*m* pro**ssin* l***in* to in*init* loops. *n*lysis o* .N*T *or*'s W**So*k*t impl*m*nt*tion s*ows: *. R***iv**syn*Priv*t* is t** prim*ry *r*m* pro**ssin* m*t*o* **n*lin* p*ylo** p*rsin* *. T** vuln*r**ility **s

7.5

Basic Information

Concerned about an active attack path?

CVE-2021-26423: .NET Core Elevation of Privilege Vulnerability

Patches

Other Details

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2021-26423:
.NET Core Elevation of Privilege Vulnerability

Vulnerability Intelligence
Miggo AI