#VU102784 Out-of-bounds read in Microsoft products - CVE-2025-21176
Vulnerability identifier: #VU102784
Vulnerability risk: High
CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID:
CWE-ID:
CWE-125
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Visual Studio
Universal components / Libraries /
Software for developers
Microsoft .NET Framework
Server applications /
Frameworks for developing and running applications
.NET
Other software /
Other software solutions
Vendor: Microsoft
Description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to a boundary condition in .NET, .NET Framework and Visual Studio. A remote attacker can create a specially crafted file, trick the victim into opening it, trigger an out-of-bounds read error and read contents of memory on the system, leading to arbitrary code execution.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Visual Studio: 16.0, 16.1 - 16.10, 16.2, 16.3, 16.4, 16.5, 16.6, 16.7, 16.8, 16.9, 2017 version 15.0, 2017 version 15.1, 2017 version 15.2, 2017 version 15.3, 2017 version 15.4, 2017 version 15.5, 2017 version 15.6, 2017 version 15.7, 2017 version 15.8, 2017 version 15.9, 2019 version 16.11, 2022 version 17.6, 2022 version 17.8, 2022 version 17.10, 2022 version 17.12
Microsoft .NET Framework: 3.5, 4.6 - 4.6.2, 4.7 - 4.7.2, 4.8 - 4.8.1
.NET: 8.0.0, 9.0
External links
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2025-21176
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
