NES for .NET 6.0.38

Release Notes for NES for .NET 6.0.38

NES for .NET 6.0.38 - June 4, 2025

  • Version: 6.0.38
  • Security fixes for the following CVEs:
    • CVE-2025-7326: A vulnerability exists in applications using ASP.NET and the Microsoft.AspNetCore.Identity NuGet package when calling RefreshSignInAsync with an improperly authenticated user parameter that could allow an attacker to sign into another user's account, resulting in Elevation of Privilege.
    • CVE-2025-24070: A vulnerability exists in applications using ASP.NET and the Microsoft.AspNetCore.Identity NuGet package when calling RefreshSignInAsync with an improperly authenticated user parameter that could allow an attacker to sign into another user's account, resulting in Elevation of Privilege.
    • CVE-2025-21176: A vulnerability exists in DiaSymReader.dll due to a buffer over-read. Insufficient input validation in Visual Studio allows remote code execution via crafted files. An attacker could exploit this vulnerability by loading a maliciously crafted file in Visual Studio.
    • CVE-2025-21173: A vulnerability exists in the .NET SDK as a result of insecure temporary file usage on Linux that allows local system privilege escalation by attackers.
    • CVE-2025-21172: A vulnerability exists in msdia140.dll due to an integer overflow and a heap-based overflow. Exploitation of this vulnerability requires that an attacker convince a user to open a maliciously crafted package file in Visual Studio.
    • CVE-2024-38229: A vulnerability exists in ASP.NET: when an HTTP/3 stream is closed while application code is writing to the response body, a race condition may lead to a use-after-free, resulting in Remote Code Execution.
    • CVE-2024-35264: A vulnerability exists in ASP.NET Core where data corruption in Kestrel HTTP/3 can result in remote code execution.