BIT-dotnet-sdk-2023-29331: Denial of Service vulnerability in Microsoft.Windows.Compatibility (NuGet)

What is BIT-dotnet-sdk-2023-29331 About?

This is a Denial of Service vulnerability in .NET 6.0 and 7.0 applications when processing X.509 certificates. Successful exploitation can lead to a denial of service, making the affected application unavailable. Exploitation is likely of moderate difficulty, requiring specially crafted input.

Affected Software

Microsoft.Windows.Compatibility
- >6.0.0, <6.0.6
- >7.0.0, <7.0.3
System.Security.Cryptography.Pkcs
- >6.0.0, <6.0.3
- >7.0.0, <7.0.2
Microsoft.NETCore.App.Runtime.linux-arm
- >7.0.0, <7.0.7
- >6.0.0, <6.0.18
Microsoft.NETCore.App.Runtime.linux-arm64
- >7.0.0, <7.0.7
- >6.0.0, <6.0.18
Microsoft.NETCore.App.Runtime.linux-musl-arm
- >7.0.0, <7.0.7
- >6.0.0, <6.0.18
Microsoft.NETCore.App.Runtime.linux-musl-arm64
- >7.0.0, <7.0.7
- >6.0.0, <6.0.18
Microsoft.NETCore.App.Runtime.linux-musl-x64
- >7.0.0, <7.0.7
- >6.0.0, <6.0.18
Microsoft.NETCore.App.Runtime.linux-x64
- >7.0.0, <7.0.7
- >6.0.0, <6.0.18
Microsoft.NETCore.App.Runtime.osx-arm64
- >7.0.0, <7.0.7
- >6.0.0, <6.0.18
Microsoft.NETCore.App.Runtime.osx-x64
- >7.0.0, <7.0.7
- >6.0.0, <6.0.18
Microsoft.NETCore.App.Runtime.win-arm
- >7.0.0, <7.0.7
- >6.0.0, <6.0.18
Microsoft.NETCore.App.Runtime.win-arm64
- >7.0.0, <7.0.7
- >6.0.0, <6.0.18
Microsoft.NETCore.App.Runtime.win-x64
- >7.0.0, <7.0.7
- >6.0.0, <6.0.18
Microsoft.NETCore.App.Runtime.win-x86
- >7.0.0, <7.0.7
- >6.0.0, <6.0.18

Technical Details

The vulnerability exists within the .NET framework's handling of X.509 certificates. When a vulnerable .NET application (running on .NET 7.0.5 or earlier, or .NET 6.0.16 or earlier) attempts to process a specially malformed or excessively complex X.509 certificate, it can trigger an error condition or resource exhaustion. This processing flaw prevents the application from responding to legitimate requests, leading to a Denial of Service. The attack vector involves submitting such a crafted X.509 certificate to an application that processes them.

What is the Impact of BIT-dotnet-sdk-2023-29331?

Successful exploitation may allow attackers to cause the affected application to become unresponsive or crash, leading to a temporary unavailability of services.

What is the Exploitability of BIT-dotnet-sdk-2023-29331?

Exploitation of this vulnerability would typically involve crafting a malicious X.509 certificate and having the target .NET application (versions 6.0.16 or earlier, or 7.0.5 or earlier) attempt to process it. The complexity level is moderate, as it requires knowledge of X.509 certificate structures and the specific parsing weaknesses in .NET. No authentication or privileged access is likely required, as the vulnerability is triggered by input processing. This can be exploited remotely if the application processes external X.509 certificates. Special conditions include the application being configured to handle X.509 certificates and running on vulnerable .NET versions. Risk factors include applications that frequently process untrusted X.509 certificates from external sources.

What are the Known Public Exploits?

PoC Author	Link	Commentary
No known exploits

What are the Available Fixes for BIT-dotnet-sdk-2023-29331?

Available Upgrade Options

Microsoft.NETCore.App.Runtime.win-x86
- >6.0.0, <6.0.18 → Upgrade to 6.0.18
Microsoft.NETCore.App.Runtime.win-x86
- >7.0.0, <7.0.7 → Upgrade to 7.0.7
Microsoft.NETCore.App.Runtime.osx-arm64
- >6.0.0, <6.0.18 → Upgrade to 6.0.18
Microsoft.NETCore.App.Runtime.osx-arm64
- >7.0.0, <7.0.7 → Upgrade to 7.0.7
Microsoft.NETCore.App.Runtime.win-x64
- >6.0.0, <6.0.18 → Upgrade to 6.0.18
Microsoft.NETCore.App.Runtime.win-x64
- >7.0.0, <7.0.7 → Upgrade to 7.0.7
Microsoft.NETCore.App.Runtime.win-arm
- >6.0.0, <6.0.18 → Upgrade to 6.0.18
Microsoft.NETCore.App.Runtime.win-arm
- >7.0.0, <7.0.7 → Upgrade to 7.0.7
Microsoft.NETCore.App.Runtime.linux-arm
- >6.0.0, <6.0.18 → Upgrade to 6.0.18
Microsoft.NETCore.App.Runtime.linux-arm
- >7.0.0, <7.0.7 → Upgrade to 7.0.7
Microsoft.Windows.Compatibility
- >6.0.0, <6.0.6 → Upgrade to 6.0.6
Microsoft.Windows.Compatibility
- >7.0.0, <7.0.3 → Upgrade to 7.0.3
Microsoft.NETCore.App.Runtime.linux-musl-x64
- >6.0.0, <6.0.18 → Upgrade to 6.0.18
Microsoft.NETCore.App.Runtime.linux-musl-x64
- >7.0.0, <7.0.7 → Upgrade to 7.0.7
Microsoft.NETCore.App.Runtime.linux-arm64
- >6.0.0, <6.0.18 → Upgrade to 6.0.18
Microsoft.NETCore.App.Runtime.linux-arm64
- >7.0.0, <7.0.7 → Upgrade to 7.0.7
System.Security.Cryptography.Pkcs
- >6.0.0, <6.0.3 → Upgrade to 6.0.3
System.Security.Cryptography.Pkcs
- >7.0.0, <7.0.2 → Upgrade to 7.0.2
Microsoft.NETCore.App.Runtime.osx-x64
- >6.0.0, <6.0.18 → Upgrade to 6.0.18
Microsoft.NETCore.App.Runtime.osx-x64
- >7.0.0, <7.0.7 → Upgrade to 7.0.7
Microsoft.NETCore.App.Runtime.linux-musl-arm64
- >6.0.0, <6.0.18 → Upgrade to 6.0.18
Microsoft.NETCore.App.Runtime.linux-musl-arm64
- >7.0.0, <7.0.7 → Upgrade to 7.0.7
Microsoft.NETCore.App.Runtime.win-arm64
- >6.0.0, <6.0.18 → Upgrade to 6.0.18
Microsoft.NETCore.App.Runtime.win-arm64
- >7.0.0, <7.0.7 → Upgrade to 7.0.7
Microsoft.NETCore.App.Runtime.linux-x64
- >6.0.0, <6.0.18 → Upgrade to 6.0.18
Microsoft.NETCore.App.Runtime.linux-x64
- >7.0.0, <7.0.7 → Upgrade to 7.0.7
Microsoft.NETCore.App.Runtime.linux-musl-arm
- >6.0.0, <6.0.18 → Upgrade to 6.0.18
Microsoft.NETCore.App.Runtime.linux-musl-arm
- >7.0.0, <7.0.7 → Upgrade to 7.0.7

Struggling with dependency upgrades?

See how Resolved Security's drop-in replacements make it simple.

Book a demo

Additional Resources

What are Similar Vulnerabilities to BIT-dotnet-sdk-2023-29331?

Similar Vulnerabilities: CVE-2024-43485 , CVE-2025-27513 , CVE-2024-21907 , CVE-2023-24936 , CVE-2022-30190

BIT-dotnet-sdk-2023-29331 Denial of Service vulnerability in Microsoft.Windows.Compatibility (NuGet)