{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-36855","assignerOrgId":"36c7be3b-2937-45df-85ea-ca7133ea542c","state":"PUBLISHED","assignerShortName":"HeroDevs","dateReserved":"2025-04-15T23:50:31.198Z","datePublished":"2025-09-08T13:57:28.386Z","dateUpdated":"2025-09-08T14:06:24.393Z"},"containers":{"cna":{"affected":[{"platforms":["Unknown"],"product":".NET 6.0","vendor":"Microsoft","versions":[{"lessThan":"6.0.36","status":"affected","version":"6.0.0","versionType":"custom"}]}],"datePublic":"2025-01-14T08:00:00.000Z","descriptions":[{"lang":"en-US","supportingMedia":[{"base64":false,"type":"text/html","value":"

A vulnerability (CVE-2025-21176) exists in DiaSymReader.dll due to buffer over-read.

Per CWE-126: Buffer Over-read, Buffer Over-read is when a product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.

This issue affects EOL ASP.NET 6.0.0 <= 6.0.36 as represented in this CVE, as well as 8.0.0 <= 8.0.11 & <= 9.0.0 as represented in CVE-2025-21176.

Additionally, if you've deployed self-contained applications targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.

NOTE: This CVE affects only End Of Life (EOL) software components. The vendor, Microsoft, has indicated there will be no future updates nor support provided upon inquiry.

"}],"value":"A vulnerability ( CVE-2025-21176 https://www.cve.org/CVERecord ) exists in DiaSymReader.dll due to buffer over-read.\n\n Per CWE-126: Buffer Over-read https://cwe.mitre.org/data/definitions/126.html , Buffer Over-read is when a product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.\n\n This issue affects EOL ASP.NET 6.0.0 <= 6.0.36 as represented in this CVE, as well as 8.0.0 <= 8.0.11 & <= 9.0.0 as represented in CVE-2025-21176.\n\n \n\n Additionally, if you've deployed self-contained applications https://docs.microsoft.com/dotnet/core/deploying/#self-contained-deployments-scd  targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed.\n\n NOTE: This CVE affects only End Of Life (EOL) software components. The vendor, Microsoft, has indicated there will be no future updates nor support provided upon inquiry."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"HIGH","baseScore":8.8,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"REQUIRED","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-126","description":"CWE-126: Buffer Over-read","lang":"en-US","type":"CWE"}]}],"providerMetadata":{"orgId":"36c7be3b-2937-45df-85ea-ca7133ea542c","shortName":"HeroDevs","dateUpdated":"2025-09-08T13:57:28.386Z"},"references":[{"name":".NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability","tags":["third-party-advisory"],"url":"https://www.herodevs.com/vulnerability-directory/cve-2025-21176"},{"name":".NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability","tags":["vendor-advisory"],"url":"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21176"}],"title":"EOL .NET 6.0 Runtime Remote Code Execution Vulnerability"},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-09-08T14:06:12.291326Z","id":"CVE-2025-36855","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-09-08T14:06:24.393Z"}}]}}