CVE-2024-38095
Denial of Service vulnerability in Microsoft.NetCore.App.Runtime.linux-arm (NuGet)

Denial of Service | No known exploit

What is CVE-2024-38095 About?

This Denial of Service vulnerability in System.Formats.Asn1 within .NET 6.0 and 8.0 causes excessive CPU consumption when parsing malicious X.509 certificates. This leads to degraded performance or unresponsiveness across all platforms. Remote and unauthenticated exploitation is possible.

Affected Software

  • Microsoft.NetCore.App.Runtime.linux-arm
    • >6.0.0, <6.0.32
    • >8.0.0, <8.0.7
  • Microsoft.NetCore.App.Runtime.linux-arm64
    • >6.0.0, <6.0.32
    • >8.0.0, <8.0.7
  • Microsoft.NetCore.App.Runtime.linux-musl-arm
    • >6.0.0, <6.0.32
    • >8.0.0, <8.0.7
  • Microsoft.NetCore.App.Runtime.linux-musl-arm64
    • >6.0.0, <6.0.32
    • >8.0.0, <8.0.7
  • Microsoft.NetCore.App.Runtime.linux-musl-x64
    • >6.0.0, <6.0.32
    • >8.0.0, <8.0.7
  • Microsoft.NetCore.App.Runtime.linux-x64
    • >6.0.0, <6.0.32
    • >8.0.0, <8.0.7
  • Microsoft.NetCore.App.Runtime.osx-arm64
    • >6.0.0, <6.0.32
    • >8.0.0, <8.0.7
  • Microsoft.NetCore.App.Runtime.osx-x64
    • >6.0.0, <6.0.32
    • >8.0.0, <8.0.7
  • Microsoft.NetCore.App.Runtime.win-arm
    • >6.0.0, <6.0.32
    • >8.0.0, <8.0.7
  • Microsoft.NetCore.App.Runtime.win-arm64
    • >6.0.0, <6.0.32
    • >8.0.0, <8.0.7
  • Microsoft.NetCore.App.Runtime.win-x64
    • >6.0.0, <6.0.32
    • >8.0.0, <8.0.7
  • Microsoft.NetCore.App.Runtime.win-x86
    • >6.0.0, <6.0.32
    • >8.0.0, <8.0.7
  • System.Formats.Asn1
    • >5.0.0-preview.7.20364.11, <6.0.1
    • >7.0.0-preview.1.22076.8, <8.0.1

Technical Details

The vulnerability resides in the System.Formats.Asn1 component of .NET 6.0 and 8.0. Specifically, when this component parses an X.509 certificate or a collection of certificates, a maliciously crafted certificate can trigger an inefficient parsing routine or an excessive loop. This leads to disproportionately high CPU utilization across all platforms, effectively causing a Denial of Service. The parsing mechanism fails to robustly handle malformed or overly complex certificate structures, making the system vulnerable to resource exhaustion.

What is the Impact of CVE-2024-38095?

Successful exploitation may allow attackers to cause excessive CPU consumption, leading to degraded performance, increased latency, or complete denial of service for the affected application and potentially the host system.

What is the Exploitability of CVE-2024-38095?

Exploitation complexity is low to moderate. An attacker needs to craft a malicious X.509 certificate and provide it as input to an application that processes certificates using the vulnerable System.Formats.Asn1 component. No authentication is required, making it a remote attack vector. The vulnerability can affect any .NET 6.0 or 8.0 application that handles X.509 certificates, such as TLS/SSL handshake mechanisms or certificate validation services. The ability to intercept or supply certificates to target applications increases the likelihood of exploitation.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2024-38095?

Available Upgrade Options

  • Microsoft.NetCore.App.Runtime.linux-arm
    • >6.0.0, <6.0.32 → Upgrade to 6.0.32
  • Microsoft.NetCore.App.Runtime.linux-arm
    • >8.0.0, <8.0.7 → Upgrade to 8.0.7
  • Microsoft.NetCore.App.Runtime.linux-musl-arm
    • >6.0.0, <6.0.32 → Upgrade to 6.0.32
  • Microsoft.NetCore.App.Runtime.linux-musl-arm
    • >8.0.0, <8.0.7 → Upgrade to 8.0.7
  • Microsoft.NetCore.App.Runtime.linux-musl-arm64
    • >6.0.0, <6.0.32 → Upgrade to 6.0.32
  • Microsoft.NetCore.App.Runtime.linux-musl-arm64
    • >8.0.0, <8.0.7 → Upgrade to 8.0.7
  • Microsoft.NetCore.App.Runtime.linux-x64
    • >6.0.0, <6.0.32 → Upgrade to 6.0.32
  • Microsoft.NetCore.App.Runtime.linux-x64
    • >8.0.0, <8.0.7 → Upgrade to 8.0.7
  • Microsoft.NetCore.App.Runtime.linux-musl-x64
    • >6.0.0, <6.0.32 → Upgrade to 6.0.32
  • Microsoft.NetCore.App.Runtime.linux-musl-x64
    • >8.0.0, <8.0.7 → Upgrade to 8.0.7
  • Microsoft.NetCore.App.Runtime.osx-x64
    • >6.0.0, <6.0.32 → Upgrade to 6.0.32
  • Microsoft.NetCore.App.Runtime.osx-x64
    • >8.0.0, <8.0.7 → Upgrade to 8.0.7
  • Microsoft.NetCore.App.Runtime.win-arm
    • >6.0.0, <6.0.32 → Upgrade to 6.0.32
  • Microsoft.NetCore.App.Runtime.win-arm
    • >8.0.0, <8.0.7 → Upgrade to 8.0.7
  • Microsoft.NetCore.App.Runtime.win-arm64
    • >6.0.0, <6.0.32 → Upgrade to 6.0.32
  • Microsoft.NetCore.App.Runtime.win-arm64
    • >8.0.0, <8.0.7 → Upgrade to 8.0.7
  • Microsoft.NetCore.App.Runtime.osx-arm64
    • >6.0.0, <6.0.32 → Upgrade to 6.0.32
  • Microsoft.NetCore.App.Runtime.osx-arm64
    • >8.0.0, <8.0.7 → Upgrade to 8.0.7
  • Microsoft.NetCore.App.Runtime.win-x86
    • >6.0.0, <6.0.32 → Upgrade to 6.0.32
  • Microsoft.NetCore.App.Runtime.win-x86
    • >8.0.0, <8.0.7 → Upgrade to 8.0.7
  • System.Formats.Asn1
    • >5.0.0-preview.7.20364.11, <6.0.1 → Upgrade to 6.0.1
  • System.Formats.Asn1
    • >7.0.0-preview.1.22076.8, <8.0.1 → Upgrade to 8.0.1
  • Microsoft.NetCore.App.Runtime.win-x64
    • >6.0.0, <6.0.32 → Upgrade to 6.0.32
  • Microsoft.NetCore.App.Runtime.win-x64
    • >8.0.0, <8.0.7 → Upgrade to 8.0.7
  • Microsoft.NetCore.App.Runtime.linux-arm64
    • >6.0.0, <6.0.32 → Upgrade to 6.0.32
  • Microsoft.NetCore.App.Runtime.linux-arm64
    • >8.0.0, <8.0.7 → Upgrade to 8.0.7
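
The ranges above can be checked mechanically against a project's resolved dependencies. The following is an added example, not code from the advisory or from Microsoft: it scans a NuGet `packages.lock.json` document for entries that fall inside the affected ranges and reports the upgrade target. Assumptions: the function names are hypothetical, lower bounds are treated as inclusive, and prerelease tags are ignored.

```python
import json
import re

# Ranges taken from the page: (lowest affected release, fixed release).
# Assumptions: lower bounds are treated as inclusive and prerelease tags are
# ignored, so a prerelease is judged by its major.minor.patch only.
RUNTIME_PREFIX = "microsoft.netcore.app.runtime."
RUNTIME_RANGES = [((6, 0, 0), (6, 0, 32)), ((8, 0, 0), (8, 0, 7))]
ASN1_RANGES = [((5, 0, 0), (6, 0, 1)), ((7, 0, 0), (8, 0, 1))]

def release_tuple(version):
    """Numeric (major, minor, patch) of a NuGet version string."""
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    parts = [int(p) for p in core.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def fixed_version_for(package_id, version):
    """Return the version to upgrade to, or None if not in an affected range."""
    name = package_id.lower()  # NuGet package ids are case-insensitive
    if name == "system.formats.asn1":
        ranges = ASN1_RANGES
    elif name.startswith(RUNTIME_PREFIX):
        ranges = RUNTIME_RANGES
    else:
        return None
    current = release_tuple(version)
    for low, fixed in ranges:
        if low <= current < fixed:
            return ".".join(str(n) for n in fixed)
    return None

def scan_lock_file(text):
    """List (framework, package, resolved, fix) for affected entries."""
    findings = []
    for framework, deps in json.loads(text).get("dependencies", {}).items():
        for package_id, info in deps.items():
            resolved = info.get("resolved")
            fix = fixed_version_for(package_id, resolved) if resolved else None
            if fix:
                findings.append((framework, package_id, resolved, fix))
    return findings

# Constructed sample in the packages.lock.json layout (not from a real project).
SAMPLE_LOCK = json.dumps({"version": 1, "dependencies": {"net8.0": {
    "System.Formats.Asn1": {"type": "Transitive", "resolved": "8.0.0"},
    "Microsoft.NETCore.App.Runtime.linux-x64": {"type": "Direct", "resolved": "8.0.7"},
    "Newtonsoft.Json": {"type": "Direct", "resolved": "13.0.3"}}}})

if __name__ == "__main__":
    for finding in scan_lock_file(SAMPLE_LOCK):
        print("affected: %s %s %s -> upgrade to %s" % finding)
```

System.Formats.Asn1 is often pulled in transitively, so the check is most useful against the resolved versions in a lock file rather than the direct references in a project file.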

What are Similar Vulnerabilities to CVE-2024-38095?

Similar Vulnerabilities: CVE-2024-30105, CVE-2025-27513, GHSA-8rfx-6mr3-5jh3, CVE-2023-28491, CVE-2022-26134