7.5
Important: .NET 9.0 security update to prevent attacks and crashes
RLSA-2026:8474
Summary
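.NET 9.0 has security updates that address a security bypass, several denial-of-service conditions (including a stack overflow and infinite recursion in XmlDecryptionTransform), and SMTP command and header injection through MailAddress parsing. These updates are important for anyone using .NET to prevent data breaches and ensure smooth system operation. We recommend updating to .NET SDK 9.0.116 and .NET Runtime 9.0.15 as soon as possible.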
What to do
- Update dotnet9.0 to version 0:9.0.116-1.el9_7.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Rocky Linux:9 | – | dotnet9.0 | < 0:9.0.116-1.el9_7 (Fix: upgrade to 0:9.0.116-1.el9_7) |
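To check a fleet against the affected range above, the following added example (not part of the advisory or of any Rocky Linux tooling) compares installed dotnet9.0 builds with the fixed build using a simplified version of RPM's segment-wise ordering. The inventory lines, host names and the installed builds in them are constructed, and the helper names are hypothetical.

```python
import re

FIXED = "0:9.0.116-1.el9_7"  # fixed dotnet9.0 build named in RLSA-2026:8474

def _segcmp(a, b):
    """Order two version or release strings segment by segment, as RPM does.
    Simplified: '~' and '^' are not handled (these builds do not use them)."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)            # numeric compare: 9 < 116
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats letters
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def split_evr(evr):
    """Split 'epoch:version-release'; a missing epoch counts as 0."""
    epoch, _, rest = evr.rpartition(":")
    version, _, release = rest.partition("-")
    return int(epoch or 0), version, release

def evr_cmp(a, b):
    ea, va, ra = split_evr(a)
    eb, vb, rb = split_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return _segcmp(va, vb) or _segcmp(ra, rb)

def is_affected(installed_evr):
    """True when the installed build is older than the fixed build."""
    return evr_cmp(installed_evr, FIXED) < 0

# Constructed inventory, one "host evr" pair per line, as collected with:
#   rpm -q --qf '%{EPOCHNUM}:%{VERSION}-%{RELEASE}\n' dotnet9.0
SAMPLE = """\
web01 0:9.0.115-1.el9_7
web02 0:9.0.116-1.el9_7
build01 0:9.0.9-1.el9_6
ci02 0:9.0.116-1.el9_7.1
"""

def affected_hosts(inventory):
    rows = (line.split() for line in inventory.splitlines() if line.strip())
    return [host for host, evr in rows if is_affected(evr)]

if __name__ == "__main__":
    print(affected_hosts(SAMPLE))
```

A plain string comparison would rank 9.0.9 above 9.0.116 and miss build01, which is why the segments are compared numerically.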
Original title
Important: .NET 9.0 security update
Original description
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.
New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 9.0.116 and .NET Runtime 9.0.15.
Security Fix(es):
* dotnet: .NET: Security Bypass and Denial of Service Vulnerability (CVE-2026-26171)
* dotnet: .NET: Denial of Service via stack overflow (CVE-2026-32203)
* dotnet: .NET: Denial of Service via Infinite Recursion in XmlDecryptionTransform (CVE-2026-33116)
* dotnet: Dotnet: SMTP Command Injection and Header Injection via MailAddress parsing flaw (CVE-2026-32178)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVSS 3.1 score (OSV): 7.5
- https://errata.rockylinux.org/RLSA-2026:8474 Vendor Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2457739 Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2457740 Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2457741 Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2457781 Third Party Advisory
Published: 19 Apr 2026 · Updated: 19 Apr 2026 · First seen: 19 Apr 2026