GHSA-p86g-xrr2-pf7cHighCVSS 7.5
CoreWCF: Pre-authentication infinite-loop CPU exhaustion in CoreWCF net.tcp / net.pipe / net.uds framing handshake
🔗 CVE IDs covered (1)
📋 Description
Impact
An unauthenticated remote attacker can pin one server thread‑pool worker at 100 % CPU per connection. With a few connections, the CPU usage can be exhausted.
Preconditions
An attacker being able to reach a service which is exposing an endpoint using one of NetTcpBinding, NetNamedPipeBinding, or UnixDomainSocketBinding.
Patches
Fixed in CoreWCF v1.8.1 and v1.9.1
Workarounds
None
🎯 Affected products2
- nuget/CoreWCF.NetFramingBase:< 1.8.1
- nuget/CoreWCF.NetFramingBase:>= 1.9.0, < 1.9.1