CVE-2025-36853 — Heap-based Buffer Overflow in Microsoft NET 6.0

CWE-122 — Heap-based Buffer Overflow CWE-190 — Integer Overflow or Wraparound3 documents3 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 70.06%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft NET 6.0 Microsoft Microsoft.netcore.app.runtime.linux-arm Microsoft Microsoft.netcore.app.runtime.linux-arm64 +10 more

Timeline

PublishedSep 8

Description

A vulnerability (CVE-2025-21172) exists in msdia140.dll due to integer overflow and heap-based overflow. Per CWE-122: Heap-based Buffer Overflow, a heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().‍ Per CWE-190: Integer Overflow or Wraparound, is when a product performs a calculation that can produce an integer overflow or wraparound…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.6 | Impact: 5.9

Affected Packages13 packages

▶CVEListV5microsoft/net_6.06.0.0 — 6.0.36

▶CVEListV5microsoft/microsoft.netcore.app.runtime.osx-x64>=6.0.0 — 6.0.36

▶CVEListV5microsoft/microsoft.netcore.app.runtime.win-arm>=6.0.0 — 6.0.36

▶CVEListV5microsoft/microsoft.netcore.app.runtime.win-x64>=6.0.0 — 6.0.36

▶CVEListV5microsoft/microsoft.netcore.app.runtime.win-x86>=6.0.0 — 6.0.36

🔴Vulnerability Details

GHSA

GHSA-hg2w-qc44-hjcw: A vulnerability (CVE-2025-21172) exists in msdia140↗2025-09-08

▶

CVEList

EOL .NET 6.0 Runtime Remote Code Execution Vulnerability↗2025-09-08

▶