USN-8553-1: .NET vulnerabilities

Publication date

15 July 2026

Overview

Several security issues were fixed in .NET.


Packages

  • dotnet10 - .NET CLI tools and runtime
  • dotnet8 - .NET CLI tools and runtime

Details

Artur Stetsko discovered that the .NET did not properly validate
authentication data. An attacker could possibly use this issue to elevate
privileges. (CVE-2026-47300)

Levi Broderick discovered that .NET did not properly handle XML encryption
during parsing. An attacker could possibly use this issue to consume
excessive resources, resulting in a denial of service. (CVE-2026-47302)

Pham Quang Minh discovered that .NET did not properly parse
authentication data. An attacker could possibly use this issue to bypass
authentication and elevate privileges. (CVE-2026-47303)

Levi Broderick discovered that .NET did not properly verify cryptographic
signatures during XML encryption. An attacker could possibly use this issue
to bypass security features over a network and access encrypted data.
(

Artur Stetsko discovered that the .NET did not properly validate
authentication data. An attacker could possibly use this issue to elevate
privileges. (CVE-2026-47300)

Levi Broderick discovered that .NET did not properly handle XML encryption
during parsing. An attacker could possibly use this issue to consume
excessive resources, resulting in a denial of service. (CVE-2026-47302)

Pham Quang Minh discovered that .NET did not properly parse
authentication data. An attacker could possibly use this issue to bypass
authentication and elevate privileges. (CVE-2026-47303)

Levi Broderick discovered that .NET did not properly verify cryptographic
signatures during XML encryption. An attacker could possibly use this issue
to bypass security features over a network and access encrypted data.
(CVE-2026-47304)

It was discovered that .NET did not properly validate input during TLS
handshakes. An attacker could possibly use this issue to cause .NET to
crash, resulting in a denial of service. (CVE-2026-50524)

Levi Broderick discovered that .NET did not properly handle resource
allocation during XML encryption. An attacker could possibly use this issue
to consume excessive resources, resulting in a denial of service.
(CVE-2026-50525)

Siwei Li discovered that .NET did not properly handle link resolution
before file access during the container image build process. A local
attacker could possibly use this issue to inject resources that could be
incorporated into container images built by other users on the same
machine. (CVE-2026-50526)

Levi Broderick discovered that .NET did not properly handle memory while
performing XML encryption. An attacker could possibly use this issue to
cause .NET to crash, resulting in a denial of service. (CVE-2026-50527)

Henrique Pereira discovered that .NET did not properly handle
authorization checks during TLS/SSL connections. An attacker could
possibly use this issue to bypass authorization checks during secure
communications. (CVE-2026-50528)

It was discovered that .NET did not properly handle resource allocation
during XML encryption. An attacker could possibly use this issue to
consume excessive resources, resulting in a denial of service.
(CVE-2026-50648)

Miha Zupan discovered that .NET did not properly limit resource
allocation when handling HTTP/2 requests. An attacker could possibly use
this issue to consume excessive resources, resulting in a denial of
service. (CVE-2026-50651)

It was discovered that the .NET SMTP client did not properly handle the
encoding or escaping of output. An attacker could possibly use this issue
to spoof messages during message routing. (CVE-2026-50659)

It was discovered that .NET did not properly validate resource types when
parsing X.509 certificates. An attacker could possibly use this issue to
cause .NET to crash, resulting in a denial of service. (CVE-2026-57108)


Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:


Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.


Have additional questions?

Talk to a member of the team ›