Kestrel Server Flaw in .NET 6.0 and 5.0 Allows Remote Denial-of-Service, Microsoft Warns
Microsoft has issued a security advisory for CVE-2022-21986, a Denial-of-Service vulnerability affecting .NET 6.0 and .NET 5.0 applications that use the Kestrel web server. The flaw allows remote attackers to crash or disable applications by sending specially crafted HTTP/2 and HTTP/3 requests. Security researchers are closely monitoring the disclosure as the vulnerability carries no identified mitigating factors, leaving affected deployments directly exposed until patches are applied.
The flaw specifically impacts .NET 6.0 applications running versions 6.0.1 and lower, as well as .NET 5.0 applications running versions 5.0.13 and lower. Kestrel, Microsoft's default cross-platform web server for ASP.NET Core, becomes the attack vector when processing the targeted HTTP protocol requests. Microsoft's advisory explicitly states that no workarounds or compensating controls have been identified, meaning the only remediation path is updating to patched versions of the runtime.
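Because the advisory gives version ceilings rather than a workaround, the practical first step for a defender is an inventory of which hosts still carry an affected ASP.NET Core shared framework. The script below is an added example written for this article, not code from Microsoft or the .NET project. It parses the line format printed by `dotnet --list-runtimes` and flags `Microsoft.AspNetCore.App` versions inside the two ranges the text names (6.0.0 through 6.0.1, and 5.0.0 through 5.0.13); Kestrel ships in that shared framework, so `Microsoft.NETCore.App` lines are ignored. The function names, the `AFFECTED_MAX` table and the sample output are the author's own constructions and assumptions.

```python
"""Flag installed .NET shared runtimes in the ranges CVE-2022-21986 affects.

Parses the line format printed by `dotnet --list-runtimes`, e.g.
    Microsoft.AspNetCore.App 6.0.1 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Kestrel is part of the Microsoft.AspNetCore.App shared framework, so that is
the runtime whose version matters for framework-dependent applications.
"""
import re
import subprocess

# Affected ceilings taken from the advisory text: 6.0.x up to 6.0.1 and
# 5.0.x up to 5.0.13. Anything above these, or any other major.minor, is not flagged.
AFFECTED_MAX = {(6, 0): (6, 0, 1), (5, 0): (5, 0, 13)}

# One runtime per line: "<name> <version>[-prerelease] [<install path>]".
RUNTIME_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<version>\d+\.\d+\.\d+)(?:-\S+)?\s+\[(?P<path>[^\]]+)\]\s*$"
)


def parse_runtime_lines(text):
    """Yield (name, version_tuple, path) for each runtime line; skip anything else."""
    for line in text.splitlines():
        m = RUNTIME_LINE.match(line.strip())
        if not m:
            continue
        version = tuple(int(p) for p in m.group("version").split("."))
        yield m.group("name"), version, m.group("path")


def is_affected(name, version):
    """True when this is the ASP.NET Core shared framework in an affected range."""
    if name != "Microsoft.AspNetCore.App":
        return False
    ceiling = AFFECTED_MAX.get(version[:2])
    return ceiling is not None and version <= ceiling


def find_affected_runtimes(text):
    """Return the sorted, de-duplicated 'x.y.z' versions that need patching."""
    hits = {".".join(map(str, v)) for n, v, _ in parse_runtime_lines(text) if is_affected(n, v)}
    return sorted(hits, key=lambda s: tuple(map(int, s.split("."))))


def scan_local_machine():
    """Run `dotnet --list-runtimes` on this host; None when the CLI is unavailable."""
    try:
        out = subprocess.run(
            ["dotnet", "--list-runtimes"], capture_output=True, text=True, check=True
        ).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return find_affected_runtimes(out)


# Constructed sample output for offline use (not captured from a real host).
SAMPLE = """\
Microsoft.AspNetCore.App 3.1.22 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 5.0.13 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 6.0.1 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 6.0.2 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 6.0.1 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""

if __name__ == "__main__":
    hits = scan_local_machine()
    if hits is None:
        print("dotnet CLI not found; checking the constructed sample instead")
        hits = find_affected_runtimes(SAMPLE)
    for v in hits:
        print(f"Microsoft.AspNetCore.App {v} is in the CVE-2022-21986 affected range; update it")
```

On the constructed sample the scan reports 5.0.13 and 6.0.1 and leaves 6.0.2 and the 3.1.x line alone, since the article names only the 5.0 and 6.0 ranges. Two caveats when using this for a real inventory: an installed-but-unused runtime is not exposure by itself (the question is which framework a running service actually loads), and self-contained deployments bundle their own copy of Kestrel, so they will not appear in `dotnet --list-runtimes` at all and must be checked by inspecting the application's published files or its build pipeline.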
The disclosure places immediate pressure on organizations running .NET-based web services, particularly those serving high-traffic endpoints or critical infrastructure. Attackers aware of unpatched deployments could rapidly exploit the flaw to disrupt services without authentication. Microsoft has published the official announcement through its .NET announcements repository and is urging developers to update affected applications as a priority. With no mitigation available, every day that patching is delayed extends the window in which an unauthenticated attacker can disrupt the service, whether through broad service-disruption campaigns or targeted attacks.