CVE-2025-21176

Buffer Over-read
Affects
.NET Runtime
>= 6.0.0 <= 6.0.36; >= 8.0.0 <= 8.0.11; <= 9.0.0
in
.NET
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Overview

.NET is a free, open-source, cross-platform framework for building modern apps and powerful cloud services. It consists of a runtime and a developer platform made up of tools, programming languages, and libraries for building many different types of applications. 

A vulnerability (CVE-2025-21176) exists in DiaSymReader.dll due to a buffer over-read. Insufficient input validation allows remote code execution when a specially crafted file is opened in Visual Studio; an attacker would need to get a user to load such a file. 

Per CWE-126 (Buffer Over-read), a buffer over-read occurs when a product reads from a buffer using an access mechanism such as an index or pointer that references memory locations beyond the end of the targeted buffer.

This issue affects .NET 6.0.0 through 6.0.36, 8.0.0 through 8.0.11, and versions up to and including 9.0.0. 

Additionally, if you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.

Details

Module Info

  • Product: 
    • Any .NET 6.0 application running on .NET 6.0.36 or earlier.
    • Any .NET 8.0 application running on .NET 8.0.11 or earlier.
    • Any .NET 9.0 application running on .NET 9.0.0 or earlier.
  • Affected packages: 
    • Microsoft.NetCore.App.Runtime.linux-arm
    • Microsoft.NetCore.App.Runtime.linux-arm64
    • Microsoft.NetCore.App.Runtime.linux-musl-arm
    • Microsoft.NetCore.App.Runtime.linux-musl-arm64
    • Microsoft.NetCore.App.Runtime.linux-musl-x64
    • Microsoft.NetCore.App.Runtime.linux-x64
    • Microsoft.NetCore.App.Runtime.osx-arm64
    • Microsoft.NetCore.App.Runtime.osx-x64
    • Microsoft.NetCore.App.Runtime.win-arm
    • Microsoft.NetCore.App.Runtime.win-arm64
    • Microsoft.NetCore.App.Runtime.win-x64
    • Microsoft.NetCore.App.Runtime.win-x86
  • Affected versions: 
    • >= 6.0.0 <= 6.0.36
    • >= 8.0.0 <= 8.0.11
    • <= 9.0.0
  • GitHub repository: https://github.com/dotnet  
  • Published packages: Download .NET (Linux, macOS, and Windows)
  • Package manager: 
    • Nuget
    • Windows Installer
    • Docker
  • Fixed in: .NET - Never-Ending Support (NES) | HeroDevs v6.1.0

Vulnerability Info

This High-severity vulnerability is found in DiaSymReader.dll. Insufficient input validation in Visual Studio allows remote code execution via crafted files. Exploitation of this vulnerability requires that an attacker convinces a user to open a maliciously crafted package file in Visual Studio.

Credits

  • goodbyeselene

Mitigation

.NET 6.x is End-of-Life and will not receive any updates to address this issue. For more information, see the .NET and .NET Core official support policy.

Users of the affected components should apply one of the following mitigations:

  • Upgrade affected applications to one of:
    • .NET Runtime >= 8.0.12
    • .NET Runtime >= 9.0.1
  • Leverage a commercial support partner like HeroDevs for post-EOL security support.
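To turn the affected ranges and fix versions above into a repeatable check, here is an added example script (not HeroDevs or Microsoft tooling) that parses `dotnet --list-runtimes` output and reports which installed shared runtimes fall inside the advisory's ranges. It assumes the `Microsoft.NETCore.App` entry reflects the runtime version an application runs on; the sample output embedded in the script is constructed for the demonstration.

```python
"""Audit installed .NET shared runtimes against the CVE-2025-21176 ranges.

Added example, not part of the advisory or of any vendor tooling. It reads the
output of `dotnet --list-runtimes` (real lines look like
"Microsoft.NETCore.App 8.0.11 [/usr/share/dotnet/shared/Microsoft.NETCore.App]")
and classifies each Microsoft.NETCore.App version.
"""
import re
import shutil
import subprocess
from typing import Iterable, List, Tuple

# Affected ranges taken from the advisory, keyed by major version:
# (lowest affected, highest affected), compared as (major, minor, patch) tuples.
AFFECTED_RANGES = {
    6: ((6, 0, 0), (6, 0, 36)),
    8: ((8, 0, 0), (8, 0, 11)),
    9: ((9, 0, 0), (9, 0, 0)),
}
# Upstream fixed versions from the Mitigation section; .NET 6 has no upstream fix (EOL).
FIXED_IN = {8: "8.0.12", 9: "9.0.1"}

# One line of `dotnet --list-runtimes`: "<name> <version> [<path>]".
# A prerelease suffix (e.g. "-rc.2.24473.5") is captured but ignored for comparison.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ver>\d+\.\d+\.\d+)(?P<pre>-[0-9A-Za-z.]+)?\s+\[(?P<path>[^\]]*)\]$"
)

# Constructed sample output used when `dotnet` is not on PATH (and by the tests).
SAMPLE_OUTPUT = """\
Microsoft.AspNetCore.App 8.0.11 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 6.0.36 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.11 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 8.0.12 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 9.0.0 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '8.0.11' into (8, 0, 11) so tuple comparison orders versions correctly."""
    major, minor, patch = (int(p) for p in text.split("."))
    return (major, minor, patch)


def classify(version_text: str) -> str:
    """Return an 'affected ...' / 'not affected' / 'not in advisory' verdict."""
    v = parse_version(version_text)
    rng = AFFECTED_RANGES.get(v[0])
    if rng is None:
        return "not in advisory"
    low, high = rng
    if low <= v <= high:
        fix = FIXED_IN.get(v[0])
        return f"affected (upgrade to >= {fix})" if fix else "affected (EOL, no upstream fix)"
    return "not affected"


def audit(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Classify every Microsoft.NETCore.App entry; other runtime packs are skipped."""
    results = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("name") != "Microsoft.NETCore.App":
            continue
        results.append((m.group("ver"), classify(m.group("ver"))))
    return results


def list_runtimes() -> List[str]:
    """Run `dotnet --list-runtimes` if available, otherwise use the constructed sample."""
    if shutil.which("dotnet") is None:
        return SAMPLE_OUTPUT.splitlines()
    out = subprocess.run(["dotnet", "--list-runtimes"], capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


if __name__ == "__main__":
    for version, verdict in audit(list_runtimes()):
        print(f"Microsoft.NETCore.App {version}: {verdict}")
```

Note that self-contained deployments bundle their own copy of the runtime and do not appear in `dotnet --list-runtimes`; as the advisory states, those applications have to be rebuilt against a fixed runtime and redeployed, so inventory them separately (for example from build manifests or the `Microsoft.NetCore.App.Runtime.*` package versions they were published with).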

Vulnerability Details
ID
CVE-2025-21176
PROJECT Affected
.NET Runtime
Versions Affected
>= 6.0.0 <= 6.0.36; >= 8.0.0 <= 8.0.11; <= 9.0.0
Published date
April 4, 2025
≈ Fix date
April 4, 2025
Fixed in
Severity
High
Category
Buffer Over-read