7.5
.NET Framework: Critical Security Updates Available
RLSA-2026:8471
Summary
New versions of .NET are available that fix four serious security issues. These issues allow attackers to bypass security, cause denial of service, or inject SMTP commands and headers into email. Apply the updates as soon as possible to prevent potential attacks. Affected users should upgrade to .NET SDK 10.0.106 and .NET Runtime 10.0.6.
What to do
- Update dotnet10.0 to version 0:10.0.106-1.el9_7.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| Rocky Linux:9 | – | dotnet10.0 | < 0:10.0.106-1.el9_7 (Fix: upgrade to 0:10.0.106-1.el9_7) |
Original title
Important: .NET 10.0 security update
Original description
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.
New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 10.0.106 and .NET Runtime 10.0.6.
Security Fix(es):
* dotnet: .NET: Security Bypass and Denial of Service Vulnerability (CVE-2026-26171)
* dotnet: .NET: Denial of Service via stack overflow (CVE-2026-32203)
* dotnet: .NET: Denial of Service via Infinite Recursion in XmlDecryptionTransform (CVE-2026-33116)
* dotnet: Dotnet: SMTP Command Injection and Header Injection via MailAddress parsing flaw (CVE-2026-32178)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVSS 3.1 (OSV): 7.5
References
- https://errata.rockylinux.org/RLSA-2026:8471 Vendor Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2457739 Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2457740 Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2457741 Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2457781 Third Party Advisory
Published: 19 Apr 2026 · Updated: 19 Apr 2026 · First seen: 19 Apr 2026