CVE-2025-36855 — EOL .NET 6.0 Runtime Remote Code Execution Vulnerability

CVSS 8.8 · High · EPSS 0.10% · P26

I. Basic Information for CVE-2025-36855

Vulnerability Information


Vulnerability Title
EOL .NET 6.0 Runtime Remote Code Execution Vulnerability
Source: NVD (National Vulnerability Database)
Vulnerability Description
A vulnerability (CVE-2025-21176, https://www.cve.org/CVERecord) exists in DiaSymReader.dll due to buffer over-read. Per CWE-126: Buffer Over-read (https://cwe.mitre.org/data/definitions/126.html), Buffer Over-read is when a product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer. This issue affects EOL ASP.NET 6.0.0 <= 6.0.36 as represented in this CVE, as well as 8.0.0 <= 8.0.11 & <= 9.0.0 as represented in CVE-2025-21176. Additionally, if you've deployed self-contained applications (https://docs.microsoft.com/dotnet/core/deploying/#self-contained-deployments-scd) targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed. NOTE: This CVE affects only End Of Life (EOL) software components. The vendor, Microsoft, has indicated there will be no future updates nor support provided upon inquiry.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
Buffer Over-read
Source: NVD (National Vulnerability Database)
Vulnerability Title
Microsoft .NET Security Vulnerability
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
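Microsoft .NET is a software framework from Microsoft (USA) dedicated to agile software development, rapid application development, platform independence, and network transparency. Microsoft .NET contains a security vulnerability that stems from DiaSymReader.dll not validating length when processing symbol data, resulting in an out-of-bounds read.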
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor | Product | Affected Versions | CPE
Microsoft | .NET 6.0 | 6.0.0 ~ 6.0.36 | -

II. Public POCs for CVE-2025-36855


No public POC found.


III. Intelligence Information for CVE-2025-36855


Same Patch Batch · Microsoft · 2025-09-08 · 5 CVEs total

CVE-2025-36854 · 8.1 HIGH · EOL ASP.NET 6.0 Remote Code Execution Vulnerability
CVE-2025-36853 · 7.5 HIGH · EOL .NET 6.0 Runtime Remote Code Execution Vulnerability
CVE-2022-50238 · 7.4 HIGH · Microsoft Windows Defender Application Control Security Vulnerability
CVE-2025-59033 · 7.4 HIGH · Microsoft Windows Defender Application Control Security Vulnerability

IV. Related Vulnerabilities
