CVE-2025-21172: 
vulnerability analysis and mitigation

A remote code execution vulnerability (CVE-2025-21172) was discovered in .NET and Visual Studio. The vulnerability affects multiple versions of .NET (8.0.0, 9.0.0) and Visual Studio versions 2017 through 2022, running on various operating systems including Windows, Linux, and macOS. The vulnerability was disclosed on January 14, 2025 (NVD).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. The flaw is associated with CWE-190 (Integer Overflow or Wraparound) and CWE-122 (Heap-based Buffer Overflow). The vulnerability requires user interaction and can be exploited remotely over the network, with no privileges required (Red Hat).

If successfully exploited, this vulnerability could allow an attacker to achieve remote code execution by loading a specially crafted file in .NET. The vulnerability has high impacts on confidentiality, integrity, and availability of the affected systems (Red Hat).

Microsoft has released security updates to address this vulnerability. For Ubuntu systems, fixes have been released for dotnet8 (version 8.0.112-8.0.12) and dotnet9 (version 9.0.102-9.0.1) in various distributions. Red Hat recommends updating the affected packages as soon as possible, as no practical mitigation has been identified (Ubuntu, Red Hat).