{
  "affected": [
    {
      "ranges": [
        {
          "database_specific": {
            "versions": [
              {
                "introduced": "8.0"
              },
              {
                "fixed": "8.0.22"
              },
              {
                "introduced": "9.0"
              },
              {
                "fixed": "9.0.11"
              }
            ]
          },
          "events": [
            {
              "introduced": "3f1acb59718cadf111a0a796681e3d3509bb3381"
            },
            {
              "fixed": "ee417479933278bb5aadc5944706a96b5ef74a5d"
            },
            {
              "introduced": "af22effae4069a5dfb9b0735859de48820104f5b"
            },
            {
              "fixed": "d3aba8fe1a0d0f5c145506f292b72ea9d28406fc"
            },
            {
              "fixed": "96ccc40a0e095424b19506e8268b9b1a3e23d6a7"
            }
          ],
          "repo": "https://github.com/dotnet/aspnetcore",
          "type": "GIT"
        }
      ]
    }
  ],
  "details": "ASP.NET Core Kestrel in Microsoft .NET 8.0 before 8.0.22 and .NET 9.0 before 9.0.11 allows a remote attacker to cause excessive CPU consumption by sending a crafted QUIC packet, because of an incorrect exit condition for HTTP/3 Encoder/Decoder stream processing.",
  "id": "CVE-2026-25667",
  "modified": "2026-04-01T23:09:59.811335630Z",
  "published": "2026-03-19T19:16:19.880Z",
  "references": [
    {
      "type": "FIX",
      "url": "https://github.com/dotnet/aspnetcore/commit/96ccc40a0e095424b19506e8268b9b1a3e23d6a7#diff-667d5b3693f93a0f706ab211428998b210862f9b885d917104d2013118312626"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/IsaJafarov/Kestrel-DoS"
    }
  ]
}