CVE-2023-36435: 
vulnerability analysis and mitigation

Microsoft QUIC Denial of Service Vulnerability (CVE-2023-36435) was identified affecting Microsoft Windows systems and .NET framework. The vulnerability was discovered and reported to Microsoft, with the initial CVE record being created on June 21, 2023, and public disclosure occurring on October 10, 2023. The affected systems include Windows 11 versions 21H2 and 22H2, Windows Server 2022, and .NET versions 7.0.0 through 7.0.12 (NVD).

The vulnerability is classified as an Uncontrolled Resource Consumption issue (CWE-400) that manifests as a memory leak in MsQuic.dll. Microsoft has assigned this vulnerability a CVSS v3.1 base score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating that it is network-accessible, requires low attack complexity, and needs no privileges or user interaction to exploit (NVD).

The vulnerability can lead to a denial of service condition through uncontrolled resource consumption. When successfully exploited, it primarily affects the availability of the system through a memory leak in the QUIC implementation, potentially causing system resource exhaustion (Red Hat).

Microsoft has released security updates to address this vulnerability through various KB patches including KB5031358 for Windows 11 21H2, KB5031354 for Windows 11 22H2, and KB5031364 for Windows Server 2022. Users are advised to apply these security updates to mitigate the vulnerability (Rapid7).