CVE-2023-38180 allows remote attackers to cause a denial of service against ASP.NET Core applications served by Kestrel. The vulnerability arises from improper handling of HTTP/2 frames, leading to high CPU utilization on affected servers.
Developers managing production workloads on Windows Server with .NET 6 or 7 should treat this as a high-priority update. Applying the security patches and adding explicit connection limits prevents exploitation without requiring architecture changes.
# What the Vulnerability Actually Does
An attacker sends a continuous stream of HEADERS and CONTINUATION frames that never complete. Kestrel allocates resources for each stream and fails to release them promptly, exhausting available threads and memory.
# Who Needs to Act
- Production sites using ASP.NET Core 6.0 or 7.0 prior to the August 2023 security updates
- Any application exposing Kestrel directly to the internet without a reverse proxy enforcing stream limits
- Services that have not yet upgraded to the current .NET 8 release train
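One way to find out whether a host falls into the first category is to inventory the shared runtimes `dotnet` reports and compare the ASP.NET Core 6.x and 7.x entries against the first patched build for each line. The program below is an added example, not code from the original post or from Microsoft; it takes the minimum patched versions as command-line arguments (read them from the August 2023 advisory) rather than hard-coding them, and the `--sample` switch feeds it a constructed `dotnet --list-runtimes` listing so it can be tried offline.

```csharp
// Added example (not from the original post): flag installed ASP.NET Core 6.x/7.x
// shared runtimes that are older than the minimum patched build for their major.
using System.Diagnostics;
using System.Text.RegularExpressions;

static class RuntimeAudit
{
    // One line of `dotnet --list-runtimes` looks like:
    //   Microsoft.AspNetCore.App 6.0.16 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
    static readonly Regex RuntimeLine =
        new(@"^(?<name>[\w.]+)\s+(?<version>\d+\.\d+\.\d+)\s+\[", RegexOptions.Compiled);

    // Returns the ASP.NET Core runtime versions on an affected major (6 or 7)
    // that are older than the minimum patched build supplied for that major.
    public static List<Version> FindOutdated(IEnumerable<string> listRuntimesOutput,
                                             IReadOnlyDictionary<int, Version> minPatched)
    {
        var outdated = new List<Version>();
        foreach (var line in listRuntimesOutput)
        {
            var m = RuntimeLine.Match(line.Trim());
            if (!m.Success || m.Groups["name"].Value != "Microsoft.AspNetCore.App")
                continue;

            var installed = Version.Parse(m.Groups["version"].Value);
            if (minPatched.TryGetValue(installed.Major, out var min) && installed < min)
                outdated.Add(installed);
        }
        return outdated;
    }

    // Runs `dotnet --list-runtimes` on the local host and returns its output lines.
    public static IEnumerable<string> ReadInstalledRuntimes()
    {
        var psi = new ProcessStartInfo("dotnet", "--list-runtimes")
        {
            RedirectStandardOutput = true,
            UseShellExecute = false,
        };
        using var p = Process.Start(psi)!;
        var text = p.StandardOutput.ReadToEnd();
        p.WaitForExit();
        return text.Split('\n', StringSplitOptions.RemoveEmptyEntries);
    }

    static int Main(string[] args)
    {
        // Usage: RuntimeAudit <min-patched-6.0.x> <min-patched-7.0.x> [--sample]
        if (args.Length < 2)
        {
            Console.Error.WriteLine("usage: RuntimeAudit <min-6.0.x> <min-7.0.x> [--sample]");
            return 2;
        }
        var minPatched = new Dictionary<int, Version>
        {
            [6] = Version.Parse(args[0]),
            [7] = Version.Parse(args[1]),
        };

        // Constructed sample listing, used with --sample so the example runs offline.
        IEnumerable<string> lines = args.Contains("--sample")
            ? new[]
              {
                  @"Microsoft.NETCore.App 6.0.16 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]",
                  @"Microsoft.AspNetCore.App 6.0.16 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]",
                  @"Microsoft.AspNetCore.App 7.0.5 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]",
                  @"Microsoft.AspNetCore.App 8.0.0 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]",
              }
            : ReadInstalledRuntimes();

        var outdated = FindOutdated(lines, minPatched);
        foreach (var v in outdated)
            Console.WriteLine($"ASP.NET Core {v} is below the patched minimum {minPatched[v.Major]}");

        // Non-zero exit lets a CI job or configuration-management run fail on unpatched hosts.
        return outdated.Count == 0 ? 0 : 1;
    }
}
```

Only `Microsoft.AspNetCore.App` entries are examined because that is the shared framework Kestrel ships in; .NET 8 entries are ignored since no minimum is registered for major 8, matching the third bullet above, which treats the move to .NET 8 as the upgrade path rather than a patch target.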
# How to Mitigate Immediately
Begin by updating the .NET runtime and ASP.NET Core packages to the most recent patch level. Then add configuration to restrict HTTP/2 resource usage.
```csharp
builder.WebHost.ConfigureKestrel(options =>
{
    // Bound the number of concurrent HTTP/2 streams a single connection may hold open
    options.Limits.Http2.MaxStreamsPerConnection = 100;
    // Keep HTTP/2 frames at the protocol minimum of 16 KiB
    options.Limits.Http2.MaxFrameSize = 16384;
    // Cap request bodies at roughly 10 MB
    options.Limits.MaxRequestBodySize = 10_000_000;
});
```
- Restart the application pool or container after applying the configuration
- Monitor CPU and memory metrics for 24 hours to confirm stability
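The snippet above shows the three limits in isolation. The following `Program.cs` is an added example, not code from the original post or from the ASP.NET Core project, that puts them into a complete minimal-API host alongside the neighbouring Kestrel caps a hardening pass would normally set at the same time (connection count, header and keep-alive timeouts, HTTP/2 keep-alive pings, a minimum body data rate). The `KestrelHardening` configuration section and its keys are assumptions chosen for this example so the values can be tuned per environment without a rebuild; the `/healthz` endpoint is there for the post-restart monitoring step.

```csharp
// Added example (not from the original post): a complete Program.cs applying the
// Kestrel limits described above plus related connection-level caps. The
// "KestrelHardening" section and its keys are assumptions for this example.
using Microsoft.AspNetCore.Server.Kestrel.Core;

var builder = WebApplication.CreateBuilder(args);
var cfg = builder.Configuration.GetSection("KestrelHardening");

builder.WebHost.ConfigureKestrel(options =>
{
    var limits = options.Limits;

    // Cap how many HTTP/2 streams one TCP connection may hold open at once.
    limits.Http2.MaxStreamsPerConnection = cfg.GetValue("MaxStreamsPerConnection", 100);

    // Keep frames at the protocol minimum; larger frames only help bulk transfers.
    limits.Http2.MaxFrameSize = cfg.GetValue("MaxFrameSize", 16_384);

    // Bound the decoded size of a single header field and the HPACK dynamic table.
    limits.Http2.MaxRequestHeaderFieldSize = cfg.GetValue("MaxRequestHeaderFieldSize", 8_192);
    limits.Http2.HeaderTableSize = cfg.GetValue("HeaderTableSize", 4_096);

    // Close connections whose peer stops answering HTTP/2 keep-alive pings.
    limits.Http2.KeepAlivePingDelay = TimeSpan.FromSeconds(30);
    limits.Http2.KeepAlivePingTimeout = TimeSpan.FromSeconds(10);

    // Connection-level caps that apply to HTTP/1.1 and HTTP/2 alike.
    limits.MaxConcurrentConnections = cfg.GetValue<long?>("MaxConcurrentConnections", 1_000);
    limits.KeepAliveTimeout = TimeSpan.FromSeconds(60);
    limits.RequestHeadersTimeout = TimeSpan.FromSeconds(15);
    limits.MaxRequestHeadersTotalSize = 32 * 1024;
    limits.MaxRequestBodySize = cfg.GetValue<long?>("MaxRequestBodySize", 10_000_000);

    // Reject clients that trickle a request body slower than 100 B/s after a 5 s grace period.
    limits.MinRequestBodyDataRate =
        new MinDataRate(bytesPerSecond: 100, gracePeriod: TimeSpan.FromSeconds(5));
});

var app = builder.Build();

// Lightweight endpoint for the post-restart stability checks described above.
app.MapGet("/healthz", () => Results.Ok(new { status = "ok" }));

app.Run();
```

A matching `appsettings.json` section such as `"KestrelHardening": { "MaxStreamsPerConnection": 100, "MaxConcurrentConnections": 1000 }` overrides the defaults in the code; anything not present falls back to the values shown. After deploying, restart the container or application pool and watch CPU, memory and connection counts as the post advises, since an overly tight `MaxStreamsPerConnection` will surface as legitimate clients seeing refused streams.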
# Ongoing Hardening Recommendations
Place Kestrel behind a hardened reverse proxy such as IIS that can enforce additional rate limiting. Review all third-party middleware for similar resource issues.
Schedule regular dependency scans using tools integrated into your CI pipeline to catch future advisories before they reach production.
Update to the patched runtime, enforce Kestrel stream limits, and monitor aggressively. These steps close the exposure for CVE-2023-38180 and reduce risk from similar HTTP/2 edge cases in the future.