Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
7.5
.NET 8.0 Security Update Available to Fix Multiple Risks
RLSA-2026:8469
Summary
If you're using .NET, update to .NET SDK 8.0.126 and .NET Runtime 8.0.26 to fix four security risks that could allow hackers to crash your system or bypass security controls. This update is available now, so apply it as soon as possible to protect your systems.
What to do
- Update dotnet8.0 to version 0:8.0.126-1.el9_7.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Rocky Linux:9 | – | dotnet8.0 |
< 0:8.0.126-1.el9_7 Fix: upgrade to 0:8.0.126-1.el9_7
|
Original title
Important: .NET 8.0 security update
Original description
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.
New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 8.0.126 and .NET Runtime 8.0.26.Security Fix(es):
* dotnet: .NET: Security Bypass and Denial of Service Vulnerability (CVE-2026-26171)
* dotnet: .NET: Denial of Service via stack overflow (CVE-2026-32203)
* dotnet: .NET: Denial of Service via Infinite Recursion in XmlDecryptionTransform (CVE-2026-33116)
* dotnet: Dotnet: SMTP Command Injection and Header Injection via MailAddress parsing flaw (CVE-2026-32178)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 8.0.126 and .NET Runtime 8.0.26.Security Fix(es):
* dotnet: .NET: Security Bypass and Denial of Service Vulnerability (CVE-2026-26171)
* dotnet: .NET: Denial of Service via stack overflow (CVE-2026-32203)
* dotnet: .NET: Denial of Service via Infinite Recursion in XmlDecryptionTransform (CVE-2026-33116)
* dotnet: Dotnet: SMTP Command Injection and Header Injection via MailAddress parsing flaw (CVE-2026-32178)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
osv CVSS3.1
7.5
- https://errata.rockylinux.org/RLSA-2026:8469 Vendor Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2457739 Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2457740 Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2457741 Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2457781 Third Party Advisory
Published: 19 Apr 2026 · Updated: 19 Apr 2026 · First seen: 19 Apr 2026