On April 10, 2018, Microsoft released a security update, CVE-2018-1037 , describing how Visual Studio can improperly disclose limited contents of uninitialized memory while compiling program database (PDB) files.

The memory leaked is limited to typically low-risk variables used in the application build environment, and only information that the Visual Studio executable uses when compiling projects. If your PDB/symbol files are shared publicly, this information could be extracted.

Visual Studio versions have been patched, so we recommend installing the latest security updates for your Visual Studio version.

While the security issue is unlikely to be exploited, KB4131751 was released to verify existing PDB files. Symbols served from MyGet symbols feeds are automatically checked for this vulnerability, and updated when necessary.

This security fix is gradually rolling out across all of our deployments.

Happy packaging!