.NET and Visual Studio Denial of Service Vulnerability
CVE-2023-38180
Score elevated to 9.0 because this CVE is listed on the CISA Known Exploited Vulnerabilities catalog (added 2023-08-09), indicating real-world exploitation has been confirmed by US federal agencies. NVD baseline CVSS 7.5 retained for reference. Confidence: HIGH.
- Actively exploited in the wild (CISA-KEV)
A fix is available — apply it.
- CVSS v3
- 7.5
- EG Score
- 9.0(high)
- EPSS
- 96.4%
- KEV
- ⚠ Exploited
Published
August 8, 2023
Last Modified
October 28, 2025
Advisory Details (4)
Auto-updated Jun 4, 2026Known Exploited Vulnerabilities Catalog | CISA
Known Exploited Vulnerabilities Catalog | CISA. Listed in CISA Known Exploited Vulnerabilities catalog.
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-38180Security Update Guide - Microsoft Security Response Center
Security Update Guide - Microsoft Security Response Center. Patch available via Microsoft Security Update
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-38180[SECURITY] Fedora 37 Update: dotnet7.0-7.0.110-1.fc37 - package-announce - Fedora mailing-lists
https://lists.fedoraproject.org/archives/list/[email protected]/message/NWVZFKTLNMNKPZ755EMRYIA6GHFOWGKY/[SECURITY] Fedora 38 Update: dotnet7.0-7.0.110-1.fc38 - package-announce - Fedora mailing-lists
https://lists.fedoraproject.org/archives/list/[email protected]/message/CL2L4WE5QRT7WEXANYXSKSU43APC5N2V/Patch Availability(9)
| Vendor / Ecosystem | Fixed in / Patch | Released | Source |
|---|---|---|---|
| ubuntu | netstandard-targeting-pack-2.1-7.0 (7.0.110-0ubuntu1~22.04.1) @ jammy | 2026-07-11 | ubuntu |
| ubuntu | netstandard-targeting-pack-2.1-7.0 (7.0.110-0ubuntu1~23.04.1) @ lunar | 2026-07-11 | ubuntu |
| redhat | dotnet6.0-0:6.0.121-1.el8_8 | 2023-08-14 | redhat |
| redhat | dotnet7.0-0:7.0.110-1.el9_2 | 2023-08-14 | redhat |
| redhat | dotnet6.0-0:6.0.121-1.el9_2 | 2023-08-14 | redhat |
| redhat | dotnet6.0-0:6.0.121-1.el9_0 | 2023-08-14 | redhat |
| redhat | rh-dotnet60-dotnet-0:6.0.121-1.el7_9 | 2023-08-14 | redhat |
| redhat | dotnet7.0-0:7.0.110-1.el8_8 | 2023-08-14 | redhat |
| redhat | dotnet6.0-0:6.0.121-1.el8_6 | 2023-08-14 | redhat |
Patches are aggregated from vendor advisories (Red Hat, Microsoft, Cisco, GitHub) and package ecosystems (OSV, GHSA). Multiple rows for the same upstream release have been deduplicated.
Affected Packages
(5 across 1 ecosystem)
NuGet(5)
| Package | Vulnerable range | Fixed in | Dependents |
|---|---|---|---|
| Microsoft.AspNetCore.App.Runtime.win-arm64 | 6.0.0 ... 6.0.9 (20 versions) | 6.0.21 | — |
| Microsoft.AspNetCore.App.Runtime.win-x64 | 6.0.0 ... 6.0.9 (20 versions) | 6.0.21 | — |
| Microsoft.AspNetCore.App.Runtime.win-x86 | 6.0.0 ... 6.0.9 (20 versions) | 6.0.21 | — |
| Microsoft.AspNetCore.Server.Kestrel.Transport.Libuv | 0.0.1-alpha ... 2.1.3 (15 versions) | 2.1.40 | — |
| Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets | 0.0.1-alpha ... 2.1.3 (10 versions) | 2.1.40 | — |
Weakness Classification(1)
MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.
All Vendor Advisories
(10)
Every vendor that published an advisory referencing this CVE — pulled from our cve_vendor_advisories aggregation. Click any row for the vendor's original advisory page.
- Microsoft MSRCCVE-2023-381802023-08-08
.NET and Visual Studio Denial of Service Vulnerability
- Red HatRHSA-2023:4639IMPORTANT2023-08-08
RHSA-2023:4639 — Important
- Red HatRHSA-2023:4640IMPORTANT2023-08-08
RHSA-2023:4640 — Important
- Red HatRHSA-2023:4641IMPORTANT2023-08-08
RHSA-2023:4641 — Important
- Red HatRHSA-2023:4642IMPORTANT2023-08-08
RHSA-2023:4642 — Important
- Red HatRHSA-2023:4643IMPORTANT2023-08-08
RHSA-2023:4643 — Important
- Red HatRHSA-2023:4644IMPORTANT2023-08-08
RHSA-2023:4644 — Important
- Red HatRHSA-2023:4645IMPORTANT2023-08-08
RHSA-2023:4645 — Important
- UbuntuUSN-6278-1MEDIUM
.NET vulnerabilities
- UbuntuUSN-6278-2MEDIUM
.NET vulnerabilities
Data Freshness Timeline
(refreshed 98× in last 7d / 422× in last 30d)
Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.
Showing the most recent 100 of 611 total refreshes for this CVE.
- 2026-07-12 02:37 UTCEG score recompute
- 2026-07-12 02:37 UTCVendor advisory
- 2026-07-11 22:42 UTCEG score recompute
- 2026-07-11 22:42 UTCVendor advisory
- 2026-07-11 18:47 UTCEG score recompute
- 2026-07-11 18:47 UTCVendor advisory
- 2026-07-11 14:52 UTCEG score recompute
- 2026-07-11 14:52 UTCVendor advisory
- 2026-07-11 10:57 UTCEG score recompute
- 2026-07-11 10:57 UTCVendor advisory
- 2026-07-11 08:26 UTCEPSS rescore
- 2026-07-11 08:25 UTCEPSS rescore
- 2026-07-11 07:02 UTCEG score recompute
- 2026-07-11 07:02 UTCVendor advisory
- 2026-07-11 03:07 UTCEG score recompute
- 2026-07-11 03:07 UTCVendor advisory
- 2026-07-10 23:12 UTCEG score recompute
- 2026-07-10 23:12 UTCVendor advisory
- 2026-07-10 19:17 UTCEG score recompute
- 2026-07-10 19:17 UTCVendor advisory
- 2026-07-10 17:52 UTCCISA KEV update
- 2026-07-10 15:22 UTCEG score recompute
- 2026-07-10 15:22 UTCVendor advisory
- 2026-07-10 11:25 UTCEG score recompute
- 2026-07-10 11:25 UTCVendor advisory
Show 75 moreShow fewer
- 2026-07-10 07:30 UTCEG score recompute
- 2026-07-10 07:30 UTCVendor advisory
- 2026-07-10 03:34 UTCEG score recompute
- 2026-07-10 03:34 UTCVendor advisory
- 2026-07-09 23:39 UTCEG score recompute
- 2026-07-09 23:39 UTCVendor advisory
- 2026-07-09 19:43 UTCEG score recompute
- 2026-07-09 19:43 UTCVendor advisory
- 2026-07-09 19:08 UTCEPSS rescore
- 2026-07-09 19:08 UTCEPSS rescore
- 2026-07-09 15:48 UTCEG score recompute
- 2026-07-09 15:48 UTCVendor advisory
- 2026-07-09 11:51 UTCEG score recompute
- 2026-07-09 11:51 UTCVendor advisory
- 2026-07-09 07:56 UTCEG score recompute
- 2026-07-09 07:56 UTCVendor advisory
- 2026-07-09 04:01 UTCEG score recompute
- 2026-07-09 04:01 UTCVendor advisory
- 2026-07-09 00:06 UTCEG score recompute
- 2026-07-09 00:06 UTCVendor advisory
- 2026-07-08 20:11 UTCEG score recompute
- 2026-07-08 20:11 UTCVendor advisory
- 2026-07-08 16:15 UTCEG score recompute
- 2026-07-08 16:15 UTCVendor advisory
- 2026-07-08 15:13 UTCEPSS rescore
- 2026-07-08 12:21 UTCEG score recompute
- 2026-07-08 12:21 UTCVendor advisory
- 2026-07-08 08:24 UTCEG score recompute
- 2026-07-08 08:24 UTCVendor advisory
- 2026-07-08 04:29 UTCEG score recompute
- 2026-07-08 04:29 UTCVendor advisory
- 2026-07-08 00:34 UTCEG score recompute
- 2026-07-08 00:34 UTCVendor advisory
- 2026-07-07 20:39 UTCEG score recompute
- 2026-07-07 20:39 UTCVendor advisory
- 2026-07-07 19:01 UTCCISA KEV update
- 2026-07-07 17:16 UTCCISA KEV update
- 2026-07-07 16:45 UTCEG score recompute
- 2026-07-07 16:45 UTCVendor advisory
- 2026-07-07 13:44 UTCEPSS rescore
- 2026-07-07 12:49 UTCEG score recompute
- 2026-07-07 12:49 UTCVendor advisory
- 2026-07-07 08:54 UTCEG score recompute
- 2026-07-07 08:54 UTCVendor advisory
- 2026-07-07 04:59 UTCEG score recompute
- 2026-07-07 04:59 UTCVendor advisory
- 2026-07-07 01:03 UTCEG score recompute
- 2026-07-07 01:03 UTCVendor advisory
- 2026-07-06 21:07 UTCEG score recompute
- 2026-07-06 21:07 UTCVendor advisory
- 2026-07-06 17:10 UTCEG score recompute
- 2026-07-06 17:10 UTCVendor advisory
- 2026-07-06 16:26 UTCEPSS rescore
- 2026-07-06 16:26 UTCEPSS rescore
- 2026-07-06 13:15 UTCEG score recompute
- 2026-07-06 13:15 UTCVendor advisory
- 2026-07-06 09:17 UTCEG score recompute
- 2026-07-06 09:17 UTCVendor advisory
- 2026-07-06 05:21 UTCEG score recompute
- 2026-07-06 05:21 UTCVendor advisory
- 2026-07-06 02:21 UTCEPSS rescore
- 2026-07-06 01:26 UTCEG score recompute
- 2026-07-06 01:26 UTCVendor advisory
- 2026-07-05 21:31 UTCEG score recompute
- 2026-07-05 21:31 UTCVendor advisory
- 2026-07-05 17:36 UTCEG score recompute
- 2026-07-05 17:36 UTCVendor advisory
- 2026-07-05 13:40 UTCEG score recompute
- 2026-07-05 13:40 UTCVendor advisory
- 2026-07-05 09:45 UTCEG score recompute
- 2026-07-05 09:45 UTCVendor advisory
- 2026-07-05 05:48 UTCEG score recompute
- 2026-07-05 05:48 UTCVendor advisory
- 2026-07-05 02:29 UTCEPSS rescore
- 2026-07-05 01:51 UTCEG score recompute
Frequently asked(6)
What is CVE-2023-38180?
When was CVE-2023-38180 disclosed?
Is CVE-2023-38180 actively exploited?
What is the CVSS score of CVE-2023-38180?
Which products are affected by CVE-2023-38180?
How do I remediate CVE-2023-38180?
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2023-38180
Is Your Infrastructure Affected by CVE-2023-38180?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.