Microsoft .NET Framework
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in Microsoft .NET Framework.
Recent Microsoft .NET Framework Security Advisories
| Advisory | Title | Published |
|---|---|---|
| CVE-2025-55248 | CVE-2025-55248 .NET, .NET Framework, and Visual Studio Information Disclosure Vulnerability | October 14, 2025 |
| CVE-2025-21176 | CVE-2025-21176 .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability | January 14, 2025 |
| CVE-2024-43484 | CVE-2024-43484 .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability | October 8, 2024 |
| CVE-2024-43483 | CVE-2024-43483 .NET, .NET Framework, and Visual Studio Denial of Service Vulnerability | October 8, 2024 |
| CVE-2024-38081 | CVE-2024-38081 .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability | July 9, 2024 |
| CVE-2024-21409 | .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability | April 9, 2024 |
| CVE-2024-29059 | .NET Framework Information Disclosure Vulnerability | March 22, 2024 |
| CVE-2024-0057 | NET, .NET Framework, and Visual Studio Security Feature Bypass Vulnerability | January 9, 2024 |
| CVE-2024-21312 | .NET Framework Denial of Service Vulnerability | January 9, 2024 |
| CVE-2023-36049 | .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability | November 14, 2023 |
By the Year
In 2026 there have been 0 vulnerabilities in Microsoft .NET Framework. Last year, in 2025 .NET Framework had 1 security vulnerability published. Right now, .NET Framework is on track to have less security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 1 | 8.80 |
| 2024 | 1 | 7.30 |
| 2023 | 9 | 7.83 |
| 2022 | 0 | 0.00 |
| 2021 | 0 | 0.00 |
| 2020 | 1 | 4.70 |
| 2019 | 1 | 6.50 |
| 2018 | 8 | 0.00 |
It may take a day or so for new .NET Framework vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.
Recent Microsoft .NET Framework Security Vulnerabilities
Jan 2025: .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability
CVE-2025-21176
8.8 - High
- January 14, 2025
.NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability
Buffer Over-read
Jul 2024: .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability
CVE-2024-38081
7.3 - High
- July 09, 2024
.NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability
insecure temporary file
Microsoft XAML Diagnostics Elevation of Privilege Vulnerability
CVE-2023-36003
7.3 - High
- December 12, 2023
XAML Diagnostics Elevation of Privilege Vulnerability
Nov 2023: .NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability
CVE-2023-36049
7.6 - High
- November 14, 2023
.NET, .NET Framework, and Visual Studio Elevation of Privilege Vulnerability
Improper Input Validation
Nov 2023: ASP.NET Security Feature Bypass Vulnerability
CVE-2023-36560
8.8 - High
- November 14, 2023
ASP.NET Security Feature Bypass Vulnerability
Sep 2023: .NET Framework Remote Code Execution Vulnerability
CVE-2023-36788
7.8 - High
- September 12, 2023
.NET Framework Remote Code Execution Vulnerability
Sep 2023: Visual Studio Remote Code Execution Vulnerability
CVE-2023-36792
7.8 - High
- September 12, 2023
Visual Studio Remote Code Execution Vulnerability
Integer Overflow or Wraparound
Sep 2023: Visual Studio Remote Code Execution Vulnerability
CVE-2023-36793
7.8 - High
- September 12, 2023
Visual Studio Remote Code Execution Vulnerability
Heap-based Buffer Overflow
Sep 2023: Visual Studio Remote Code Execution Vulnerability
CVE-2023-36794
7.8 - High
- September 12, 2023
Visual Studio Remote Code Execution Vulnerability
Integer underflow
Sep 2023: Visual Studio Remote Code Execution Vulnerability
CVE-2023-36796
7.8 - High
- September 12, 2023
Visual Studio Remote Code Execution Vulnerability
Integer underflow
.NET DLL Hijacking RCE Vulnerability
CVE-2023-28260
7.8 - High
- April 11, 2023
.NET DLL Hijacking Remote Code Execution Vulnerability
Oct 2020: .NET Framework Information Disclosure Vulnerability
CVE-2020-16937
4.7 - Medium
- October 16, 2020
<p>An information disclosure vulnerability exists when the .NET Framework improperly handles objects in memory. An attacker who successfully exploited the vulnerability could disclose contents of an affected system's memory.</p> <p>To exploit the vulnerability, an authenticated attacker would need to run a specially crafted application.</p> <p>The update addresses the vulnerability by correcting how the .NET Framework handles objects in memory.</p>
GetFile.aspx in Rapid4 RapidFlows Enterprise Application Builder 4.5M.23 (when used with .NET Framework 4.5)
CVE-2019-11397
6.5 - Medium
- May 14, 2019
GetFile.aspx in Rapid4 RapidFlows Enterprise Application Builder 4.5M.23 (when used with .NET Framework 4.5) allows Local File Inclusion via the FileDesc parameter.
Directory traversal
Dec 2018:
CVE-2018-8517
- December 12, 2018
A denial of service vulnerability exists when .NET Framework improperly handles special web requests, aka ".NET Framework Denial Of Service Vulnerability." This affects Microsoft .NET Framework 4.6, Microsoft .NET Framework 3.5, Microsoft .NET Framework 4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.1/4.7.2, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.7.1/4.7.2, Microsoft .NET Framework 4.7.2.
Dec 2018:
CVE-2018-8540
- December 12, 2018
A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly, aka ".NET Framework Remote Code Injection Vulnerability." This affects Microsoft .NET Framework 4.6, Microsoft .NET Framework 3.5, Microsoft .NET Framework 4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.1/4.7.2, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.7.1/4.7.2, Microsoft .NET Framework 4.7.2, Microsoft .NET Framework 4.6.2.
Sep 2018:
CVE-2018-8421
- September 13, 2018
A remote code execution vulnerability exists when Microsoft .NET Framework processes untrusted input, aka ".NET Framework Remote Code Execution Vulnerability." This affects Microsoft .NET Framework 4.6, Microsoft .NET Framework 3.5, Microsoft .NET Framework 4.7/4.7.1/4.7.2, Microsoft .NET Framework 3.0, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.1/4.7.2, Microsoft .NET Framework 4.7.1/4.7.2, Microsoft .NET Framework 4.7.2, Microsoft .NET Framework 2.0.
Aug 2018:
CVE-2018-8360
- August 15, 2018
An information disclosure vulnerability exists in Microsoft .NET Framework that could allow an attacker to access information in multi-tenant environments, aka ".NET Framework Information Disclosure Vulnerability." This affects Microsoft .NET Framework 4.7/4.7.1/4.7.2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.0, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.1/4.7.2, Microsoft .NET Framework 4.7.1/4.7.2, Microsoft .NET Framework 4.7.2, Microsoft .NET Framework 2.0, Microsoft .NET Framework 4.6/4.6.1/4.6.2.
Jul 2018:
CVE-2018-8202
- July 11, 2018
An elevation of privilege vulnerability exists in .NET Framework which could allow an attacker to elevate their privilege level, aka ".NET Framework Elevation of Privilege Vulnerability." This affects Microsoft .NET Framework 2.0, Microsoft .NET Framework 3.0, Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.6, Microsoft .NET Framework 4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.7.1/4.7.2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.6/4.6.1/4.6.2, Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.1/4.7.2, Microsoft .NET Framework 4.7.2.
Jul 2018:
CVE-2018-8260
- July 11, 2018
A Remote Code Execution vulnerability exists in .NET software when the software fails to check the source markup of a file, aka ".NET Framework Remote Code Execution Vulnerability." This affects .NET Framework 4.7.2, Microsoft .NET Framework 4.7.2.
Jul 2018:
CVE-2018-8284
- July 11, 2018
A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly, aka ".NET Framework Remote Code Injection Vulnerability." This affects Microsoft .NET Framework 2.0, Microsoft .NET Framework 3.0, Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.5.2, Microsoft .NET Framework 4.6, Microsoft .NET Framework 4.7/4.7.1/4.7.2, Microsoft .NET Framework 4.7.1/4.7.2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.6/4.6.1/4.6.2, Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.1/4.7.2, Microsoft .NET Framework 4.7.2.
Jul 2018:
CVE-2018-8356
- July 11, 2018
A security feature bypass vulnerability exists when Microsoft .NET Framework components do not correctly validate certificates, aka ".NET Framework Security Feature Bypass Vulnerability." This affects .NET Framework 4.7.2, Microsoft .NET Framework 3.0, Microsoft .NET Framework 4.6.2/4.7/4.7.1/4.7.2, ASP.NET Core 1.1, Microsoft .NET Framework 4.5.2, ASP.NET Core 2.0, ASP.NET Core 1.0, .NET Core 1.1, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4.6/4.6.1/4.6.2, .NET Core 1.0, .NET Core 2.0, Microsoft .NET Framework 4.6, Microsoft .NET Framework 4.6/4.6.1/4.6.2/4.7/4.7.1/4.7.1/4.7.2, Microsoft .NET Framework 4.7.2.
Microsoft .NET Framework 3.0 SP2, 3.5, 3.5.1, 4, and 4.5; Silverlight 5 before 5.1.20513.0; win32k.sys in the kernel-mode drivers, and GDI+, DirectWrite, and Journal, in Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows Server 2012, and Windows RT; GDI+ in Office 2003 SP3, 2007 SP3, and 2010 SP1; GDI+ in Visual Studio .NET 2003 SP1; and GDI+ in Lync 2010, 2010 Attendee, 2013, and Basic 2013
CVE-2013-3129
- July 10, 2013
Microsoft .NET Framework 3.0 SP2, 3.5, 3.5.1, 4, and 4.5; Silverlight 5 before 5.1.20513.0; win32k.sys in the kernel-mode drivers, and GDI+, DirectWrite, and Journal, in Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows Server 2012, and Windows RT; GDI+ in Office 2003 SP3, 2007 SP3, and 2010 SP1; GDI+ in Visual Studio .NET 2003 SP1; and GDI+ in Lync 2010, 2010 Attendee, 2013, and Basic 2013 allow remote attackers to execute arbitrary code via a crafted TrueType Font (TTF) file, aka "TrueType Font Parsing Vulnerability."
Code Injection
Stay on top of Security Vulnerabilities
Want an email whenever new vulnerabilities are published for Microsoft .NET Framework or by Microsoft? Click the Watch button to subscribe.
