
.NET 10 Security: Critical Denial of Service Fixes for Public APIs

By Dillip Chowdary

Published March 25, 2026 • 9 min read

Microsoft has released a critical servicing update for .NET 10, addressing a high-severity Denial of Service (DoS) vulnerability that impacts public-facing APIs. The vulnerability, which resides in the HTTP/3 implementation of the Kestrel web server, allows a remote attacker to crash the server with minimal effort. This deep dive explores the technical details of the flaw and the architectural changes introduced in the latest patch.

The Vulnerability: QUIC Stream Exhaustion

The core of the issue lies in how .NET 10's HTTP/3 stack manages QUIC (Quick UDP Internet Connections) streams. Unlike HTTP/1.1 or HTTP/2, HTTP/3 uses the QUIC protocol, which allows for multiple independent streams over a single connection. The vulnerability is triggered by a specialized "stream-stuffing" attack, where an attacker opens thousands of concurrent unidirectional streams but never sends data on them.

In the vulnerable version of .NET 10, Kestrel's stream management logic failed to properly enforce the MaxConcurrentStreams limit for these idle unidirectional streams. This led to an unbounded allocation of kernel-mode memory for the QUIC control structures, eventually causing the host process to run out of memory (OOM) and crash. Because this attack occurs at the transport layer, it bypasses traditional application-level rate limiting and middleware.

Kestrel Hardening: The Architectural Fix

The March 2026 update introduces a new Resource Consumption Guard within the Kestrel server. This guard implements a more aggressive cleanup strategy for idle QUIC streams. Instead of waiting for a timeout, the server now tracks the "velocity" of new stream creations. If a single connection attempts to open streams faster than they are being consumed, Kestrel will now proactively close the connection and blacklist the offending IP at the socket layer.
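The paragraph above describes the guard's behaviour but not its shape. The following is an added illustrative model of such a per-connection check, written for this page and not taken from Kestrel or System.Net.Quic: the class name, method names and thresholds are assumptions, and the two traffic phases are constructed. It tracks streams that were opened but have not yet carried data ("idle") and the number of stream opens inside a sliding window, and returns a close verdict when either budget is exceeded.

```csharp
using System;
using System.Collections.Generic;

// Verdict the guard returns after each stream-open event.
enum GuardVerdict { Allow, CloseConnection }

// Per-connection tracker modelling the "velocity" check described in the post:
// streams that are opened but never carry data stay idle; if idle streams pile up,
// or streams are opened faster than a sliding-window budget, the connection is closed.
// Illustrative model only (assumed names and thresholds), not Kestrel/System.Net.Quic code.
sealed class StreamVelocityGuard
{
    private readonly int _maxIdleStreams;
    private readonly int _maxOpensPerWindow;
    private readonly TimeSpan _window;
    private readonly Queue<DateTime> _recentOpens = new();
    private readonly HashSet<long> _idleStreams = new();

    public StreamVelocityGuard(int maxIdleStreams, int maxOpensPerWindow, TimeSpan window)
    {
        _maxIdleStreams = maxIdleStreams;
        _maxOpensPerWindow = maxOpensPerWindow;
        _window = window;
    }

    public int IdleCount => _idleStreams.Count;

    // The peer opened a new stream; it counts as idle until data arrives on it.
    public GuardVerdict OnStreamOpened(long streamId, DateTime now)
    {
        _recentOpens.Enqueue(now);
        while (_recentOpens.Count > 0 && now - _recentOpens.Peek() > _window)
            _recentOpens.Dequeue();
        _idleStreams.Add(streamId);

        if (_idleStreams.Count > _maxIdleStreams) return GuardVerdict.CloseConnection;
        if (_recentOpens.Count > _maxOpensPerWindow) return GuardVerdict.CloseConnection;
        return GuardVerdict.Allow;
    }

    // First data frame arrived: the stream is being consumed and no longer counts as idle.
    public void OnStreamData(long streamId) => _idleStreams.Remove(streamId);
}

static class Demo
{
    static void Main()
    {
        var guard = new StreamVelocityGuard(maxIdleStreams: 16, maxOpensPerWindow: 50, window: TimeSpan.FromSeconds(1));
        var t = new DateTime(2026, 3, 25, 12, 0, 0, DateTimeKind.Utc);

        // Constructed benign traffic: 40 client-initiated unidirectional streams (IDs 2, 6, 10, ...
        // per RFC 9000), each carrying data right after it is opened, spread over about 4 seconds.
        long id = 2;
        for (int i = 0; i < 40; i++, id += 4)
        {
            var verdict = guard.OnStreamOpened(id, t.AddMilliseconds(i * 100));
            guard.OnStreamData(id);
            if (verdict != GuardVerdict.Allow) Console.WriteLine($"unexpected close at benign stream {id}");
        }
        Console.WriteLine($"benign phase: idle streams = {guard.IdleCount}");

        // Constructed stream-stuffing burst: streams opened 1 ms apart that never carry data.
        t = t.AddSeconds(10);
        for (int i = 0; ; i++, id += 4)
        {
            var verdict = guard.OnStreamOpened(id, t.AddMilliseconds(i));
            if (verdict == GuardVerdict.CloseConnection)
            {
                Console.WriteLine($"stuffing phase: connection closed after {i + 1} idle streams (idle = {guard.IdleCount})");
                break;
            }
        }
    }
}
```

With the thresholds used here the benign phase never trips the guard (every stream is consumed immediately, so the idle count stays at zero and opens are well under the window budget), while the stuffing phase is cut off at the seventeenth idle stream. In a real transport the decision would also feed the socket-layer block the post mentions; the model stops at the verdict.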

Furthermore, Microsoft has refactored the System.Net.Quic library to use a more memory-efficient representation for idle streams. By moving stream metadata into a pre-allocated pool, the impact of a stream-stuffing attack is capped. Even under extreme load, the server's memory usage remains predictable, ensuring that the application remains responsive to legitimate traffic.

Impact on Public APIs and Microservices

This DoS vulnerability is particularly dangerous for microservice architectures where services communicate over public or semi-public networks. An attacker could theoretically take down an entire backend mesh by targeting a single vulnerable edge service. The gRPC over HTTP/3 implementation in .NET 10 is also affected, making high-performance internal communication a potential target.

Organizations using Azure Kubernetes Service (AKS) or AWS EKS with .NET 10 workloads should prioritize this update. While ingress controllers (like Nginx or Azure Front Door) provide some protection, a direct-to-pod attack (common in multi-tenant environments) could still bypass these external defenses. Patching at the runtime level is the only way to ensure defense in depth.

Best Practices for .NET 10 API Security

Beyond applying the latest patch, Microsoft recommends several configuration changes for public-facing APIs. Developers should explicitly set the Limits.Http3.MaxRequestHeaderFieldSize and Limits.Http3.HeaderTableSize to conservative values. Additionally, enabling Response Buffering can help mitigate the impact of "Slowloris-style" attacks that target the outgoing response stream.
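A Program.cs that applies these settings, added here as an illustration rather than taken from the post or from Microsoft's guidance. It assumes a .NET 10 minimal API whose shared framework provides the Kestrel QUIC transport (available since ASP.NET Core 7), and the numeric values are assumptions chosen to be conservative. The stream-count caps on QuicTransportOptions are complementary to the patch: the post states that the vulnerable build failed to enforce its stream limit, so the caps help only on a patched runtime and are kept explicit so they are reviewed rather than inherited.

```csharp
// Program.cs: .NET 10 minimal API with a hardened Kestrel HTTP/3 endpoint.
// Added illustration; the values are assumptions, not Microsoft's published guidance.
using Microsoft.AspNetCore.Server.Kestrel.Core;
using Microsoft.AspNetCore.Server.Kestrel.Transport.Quic;

var builder = WebApplication.CreateBuilder(args);

builder.WebHost.ConfigureKestrel(kestrel =>
{
    // HTTP/3 header limit named in the post. 8 KiB is an assumed conservative value;
    // Kestrel's default for MaxRequestHeaderFieldSize is 16 KiB.
    kestrel.Limits.Http3.MaxRequestHeaderFieldSize = 8 * 1024;
    // Limits.Http3.HeaderTableSize is also named in the post; confirm the property
    // exists in the SDK you build against before uncommenting.
    // kestrel.Limits.Http3.HeaderTableSize = 4096;

    // Connection-level caps so one client cannot consume the server's whole budget.
    kestrel.Limits.MaxConcurrentConnections = 1000;
    kestrel.Limits.MaxRequestBodySize = 1024 * 1024;

    kestrel.ListenAnyIP(443, listen =>
    {
        listen.Protocols = HttpProtocols.Http1AndHttp2AndHttp3;
        listen.UseHttps(); // HTTP/3 requires TLS; the default development certificate is used here
    });
});

// QUIC transport options: cap the streams a single connection may hold open.
// The unidirectional cap is the one relevant to the idle-stream exhaustion described above.
// The values below are Kestrel's documented defaults, stated explicitly for review.
builder.Services.Configure<QuicTransportOptions>(quic =>
{
    quic.MaxBidirectionalStreamCount = 100;
    quic.MaxUnidirectionalStreamCount = 10;
});

var app = builder.Build();
app.MapGet("/health", () => Results.Ok("ok"));
app.Run();
```

Response buffering, which the post also recommends, is a middleware or proxy concern rather than a Kestrel limit and is not shown here; when Kestrel sits behind a reverse proxy the stream caps should be applied on whichever hop terminates QUIC.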

For high-traffic applications, the use of YARP (Yet Another Reverse Proxy) as a dedicated edge-shield is highly recommended. YARP 3.1, released alongside the .NET 10 update, includes native support for the new resource consumption guards, providing an additional layer of protection before traffic reaches the core application logic.

Conclusion: The Resilience of the .NET Ecosystem

The rapid response to this DoS vulnerability highlights the maturity of the .NET 10 ecosystem. By addressing the flaw at the protocol level and providing clear architectural guidance, Microsoft has ensured that .NET remains a top choice for building secure, high-performance cloud applications. Developers are urged to update to .NET 10.0.4 immediately to protect their infrastructure from this critical threat.