RHSA-2026:9077
Vulnerability from csaf_redhat - Published: 2026-04-20 15:39 - Updated: 2026-05-04 02:52
A flaw was found in .NET. Incorrect default permissions allow an authorized local attacker to exploit this vulnerability. This can lead to local privilege escalation, enabling the attacker to gain higher access rights on the system.
A flaw was found in .NET. A remote attacker could exploit a vulnerability related to unsafe transforms in EncryptedXml. This could lead to a Denial of Service (DoS), making the service unavailable, and a bypass of security features.
A flaw was found in the .NET runtime (System.Net.Mail) in how email address data is parsed. Improper neutralization of special characters, specifically carriage return and line feed (CR/LF) sequences, may allow specially crafted email address input to be interpreted incorrectly. An attacker could exploit this issue to perform email spoofing by injecting additional headers or altering how the email address is processed during SMTP operations.
A flaw was found in .NET. A remote attacker could exploit a stack overflow vulnerability during encrypted key nested decryption, leading to a Denial of Service (DoS). This could make the affected system unavailable to legitimate users.
A flaw was found in .NET. A remote attacker could exploit this vulnerability by crafting a malicious XML document that triggers an infinite recursion within the XmlDecryptionTransform component. This could lead to a Denial of Service (DoS), making the affected system unresponsive.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for Red Hat Hardened Images RPMs is now available.",
"title": "Topic"
},
{
"category": "general",
"text": "This update includes the following RPMs:\n\ndotnet10.0:\n * aspnetcore-runtime-10.0-10.0.6-1.hum1 (aarch64, x86_64)\n * aspnetcore-runtime-dbg-10.0-10.0.6-1.hum1 (aarch64, x86_64)\n * aspnetcore-targeting-pack-10.0-10.0.6-1.hum1 (aarch64, x86_64)\n * dotnet-apphost-pack-10.0-10.0.6-1.hum1 (aarch64, x86_64)\n * dotnet-host-10.0.6-1.hum1 (aarch64, x86_64)\n * dotnet-hostfxr-10.0-10.0.6-1.hum1 (aarch64, x86_64)\n * dotnet-runtime-10.0-10.0.6-1.hum1 (aarch64, x86_64)\n * dotnet-runtime-dbg-10.0-10.0.6-1.hum1 (aarch64, x86_64)\n * dotnet-sdk-10.0-10.0.106-1.hum1 (aarch64, x86_64)\n * dotnet-sdk-10.0-source-built-artifacts-10.0.106-1.hum1 (aarch64, x86_64)\n * dotnet-sdk-aot-10.0-10.0.106-1.hum1 (aarch64, x86_64)\n * dotnet-sdk-dbg-10.0-10.0.106-1.hum1 (aarch64, x86_64)\n * dotnet-targeting-pack-10.0-10.0.6-1.hum1 (aarch64, x86_64)\n * dotnet-templates-10.0-10.0.106-1.hum1 (aarch64, x86_64)\n * dotnet10.0-10.0.106-1.hum1.src (src)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:9077",
"url": "https://access.redhat.com/errata/RHSA-2026:9077"
},
{
"category": "external",
"summary": "https://images.redhat.com/",
"url": "https://images.redhat.com/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-26131",
"url": "https://access.redhat.com/security/cve/CVE-2026-26131"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/",
"url": "https://access.redhat.com/security/updates/classification/"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-32178",
"url": "https://access.redhat.com/security/cve/CVE-2026-32178"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-33116",
"url": "https://access.redhat.com/security/cve/CVE-2026-33116"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-26171",
"url": "https://access.redhat.com/security/cve/CVE-2026-26171"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/cve/CVE-2026-32203",
"url": "https://access.redhat.com/security/cve/CVE-2026-32203"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_9077.json"
}
],
"title": "Red Hat Security Advisory: Red Hat Hardened Images RPMs bug fix and enhancement update",
"tracking": {
"current_release_date": "2026-05-04T02:52:10+00:00",
"generator": {
"date": "2026-05-04T02:52:10+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.7.7"
}
},
"id": "RHSA-2026:9077",
"initial_release_date": "2026-04-20T15:39:22+00:00",
"revision_history": [
{
"date": "2026-04-20T15:39:22+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-04-27T12:08:02+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-04T02:52:10+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Hardened Images",
"product": {
"name": "Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:hummingbird:1"
}
}
}
],
"category": "product_family",
"name": "Red Hat Hardened Images"
},
{
"branches": [
{
"category": "product_version",
"name": "dotnet10-0-main@aarch64",
"product": {
"name": "dotnet10-0-main@aarch64",
"product_id": "dotnet10-0-main@aarch64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/aspnetcore-runtime-10.0@10.0.6-1.hum1?arch=aarch64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-aarch64-rpms"
}
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "dotnet10-0-main@x86_64",
"product": {
"name": "dotnet10-0-main@x86_64",
"product_id": "dotnet10-0-main@x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/aspnetcore-runtime-10.0@10.0.6-1.hum1?arch=x86_64\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-x86_64-rpms"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "dotnet10-0-main@src",
"product": {
"name": "dotnet10-0-main@src",
"product_id": "dotnet10-0-main@src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/dotnet10.0@10.0.106-1.hum1?arch=src\u0026distro=hummingbird-20251124\u0026repository_id=public-hummingbird-source-rpms"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "dotnet10-0-main@aarch64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:dotnet10-0-main@aarch64"
},
"product_reference": "dotnet10-0-main@aarch64",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dotnet10-0-main@src as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:dotnet10-0-main@src"
},
"product_reference": "dotnet10-0-main@src",
"relates_to_product_reference": "Red Hat Hardened Images"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "dotnet10-0-main@x86_64 as a component of Red Hat Hardened Images",
"product_id": "Red Hat Hardened Images:dotnet10-0-main@x86_64"
},
"product_reference": "dotnet10-0-main@x86_64",
"relates_to_product_reference": "Red Hat Hardened Images"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-26131",
"cwe": {
"id": "CWE-276",
"name": "Incorrect Default Permissions"
},
"discovery_date": "2026-03-10T18:01:14.349643+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Hardened Images:dotnet10-0-main@aarch64",
"Red Hat Hardened Images:dotnet10-0-main@x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2446069"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in .NET. Incorrect default permissions allow an authorized local attacker to exploit this vulnerability. This can lead to local privilege escalation, enabling the attacker to gain higher access rights on the system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "dotnet: .NET: Privilege escalation via incorrect default permissions",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:dotnet10-0-main@src"
],
"known_not_affected": [
"Red Hat Hardened Images:dotnet10-0-main@aarch64",
"Red Hat Hardened Images:dotnet10-0-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-26131"
},
{
"category": "external",
"summary": "RHBZ#2446069",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2446069"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-26131",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-26131"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-26131",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26131"
},
{
"category": "external",
"summary": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26131",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26131"
}
],
"release_date": "2026-03-10T17:05:09.057000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-20T15:39:22+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:dotnet10-0-main@src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:9077"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Hardened Images:dotnet10-0-main@aarch64",
"Red Hat Hardened Images:dotnet10-0-main@src",
"Red Hat Hardened Images:dotnet10-0-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:dotnet10-0-main@aarch64",
"Red Hat Hardened Images:dotnet10-0-main@src",
"Red Hat Hardened Images:dotnet10-0-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "dotnet: .NET: Privilege escalation via incorrect default permissions"
},
{
"cve": "CVE-2026-26171",
"cwe": {
"id": "CWE-776",
"name": "Improper Restriction of Recursive Entity References in DTDs (\u0027XML Entity Expansion\u0027)"
},
"discovery_date": "2026-04-13T05:00:07.414000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Hardened Images:dotnet10-0-main@aarch64",
"Red Hat Hardened Images:dotnet10-0-main@x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2457739"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in .NET. A remote attacker could exploit a vulnerability related to unsafe transforms in EncryptedXml. This could lead to a Denial of Service (DoS), making the service unavailable, and a bypass of security features.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "dotnet: .NET: Security Bypass and Denial of Service Vulnerability",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important impact vulnerability affecting .NET applications that utilize `EncryptedXml` for data encryption. An attacker could exploit unsafe transforms to achieve a denial of service or bypass security features. This impacts Red Hat Enterprise Linux and Fedora systems running affected .NET versions.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:dotnet10-0-main@src"
],
"known_not_affected": [
"Red Hat Hardened Images:dotnet10-0-main@aarch64",
"Red Hat Hardened Images:dotnet10-0-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-26171"
},
{
"category": "external",
"summary": "RHBZ#2457739",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457739"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-26171",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-26171"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-26171",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26171"
}
],
"release_date": "2026-04-14T18:39:18.599000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-20T15:39:22+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:dotnet10-0-main@src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:9077"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Hardened Images:dotnet10-0-main@aarch64",
"Red Hat Hardened Images:dotnet10-0-main@src",
"Red Hat Hardened Images:dotnet10-0-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:dotnet10-0-main@aarch64",
"Red Hat Hardened Images:dotnet10-0-main@src",
"Red Hat Hardened Images:dotnet10-0-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "dotnet: .NET: Security Bypass and Denial of Service Vulnerability"
},
{
"cve": "CVE-2026-32178",
"cwe": {
"id": "CWE-138",
"name": "Improper Neutralization of Special Elements"
},
"discovery_date": "2026-04-13T08:04:44.681000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Hardened Images:dotnet10-0-main@aarch64",
"Red Hat Hardened Images:dotnet10-0-main@x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2457781"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the .NET runtime (System.Net.Mail) in how email address data is parsed. Improper neutralization of special characters, specifically carriage return and line feed (CR/LF) sequences, may allow specially crafted email address input to be interpreted incorrectly. An attacker could exploit this issue to perform email spoofing by injecting additional headers or altering how the email address is processed during SMTP operations",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "dotnet: Dotnet: SMTP Command Injection and Header Injection via MailAddress parsing flaw",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Important flaw in the .NET runtime\u0027s System.Net.Mail component affects Red Hat Enterprise Linux and Red Hat Hardened Images. Improper neutralization of carriage return and line feed sequences during email address parsing can lead to SMTP command or header injection, enabling email spoofing in applications utilizing the affected .NET versions for SMTP operations.\n\nThe impact is primarily related to how email data is handled and interpreted. By injecting crafted header content, an attacker may influence the structure of email messages and potentially expose sensitive information included in those messages to unintended recipients.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:dotnet10-0-main@src"
],
"known_not_affected": [
"Red Hat Hardened Images:dotnet10-0-main@aarch64",
"Red Hat Hardened Images:dotnet10-0-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32178"
},
{
"category": "external",
"summary": "RHBZ#2457781",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457781"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32178",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32178"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32178",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32178"
}
],
"release_date": "2026-04-14T18:41:05.485000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-20T15:39:22+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:dotnet10-0-main@src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:9077"
},
{
"category": "workaround",
"details": "Red Hat is not aware of a practical temporary workaround that fully mitigates this issue or meets Red Hat Product Security\u0027s standards for usability, deployment, applicability, or stability. Customers are advised to apply the relevant security updates when they become available.",
"product_ids": [
"Red Hat Hardened Images:dotnet10-0-main@aarch64",
"Red Hat Hardened Images:dotnet10-0-main@src",
"Red Hat Hardened Images:dotnet10-0-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:dotnet10-0-main@aarch64",
"Red Hat Hardened Images:dotnet10-0-main@src",
"Red Hat Hardened Images:dotnet10-0-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "dotnet: Dotnet: SMTP Command Injection and Header Injection via MailAddress parsing flaw"
},
{
"cve": "CVE-2026-32203",
"cwe": {
"id": "CWE-787",
"name": "Out-of-bounds Write"
},
"discovery_date": "2026-04-13T05:02:08.475000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Hardened Images:dotnet10-0-main@aarch64",
"Red Hat Hardened Images:dotnet10-0-main@x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2457740"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in .NET. A remote attacker could exploit a stack overflow vulnerability during encrypted key nested decryption, leading to a Denial of Service (DoS). This could make the affected system unavailable to legitimate users.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "dotnet: .NET: Denial of Service via stack overflow",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important denial of service vulnerability in .NET, affecting Red Hat Enterprise Linux and Fedora. The flaw, a stack overflow in EncryptedKey nested decryption, could allow an attacker to cause a denial of service.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:dotnet10-0-main@src"
],
"known_not_affected": [
"Red Hat Hardened Images:dotnet10-0-main@aarch64",
"Red Hat Hardened Images:dotnet10-0-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-32203"
},
{
"category": "external",
"summary": "RHBZ#2457740",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457740"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-32203",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32203"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-32203",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32203"
}
],
"release_date": "2026-04-14T18:39:07.491000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-20T15:39:22+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:dotnet10-0-main@src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:9077"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Hardened Images:dotnet10-0-main@aarch64",
"Red Hat Hardened Images:dotnet10-0-main@src",
"Red Hat Hardened Images:dotnet10-0-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:dotnet10-0-main@aarch64",
"Red Hat Hardened Images:dotnet10-0-main@src",
"Red Hat Hardened Images:dotnet10-0-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "dotnet: .NET: Denial of Service via stack overflow"
},
{
"cve": "CVE-2026-33116",
"cwe": {
"id": "CWE-776",
"name": "Improper Restriction of Recursive Entity References in DTDs (\u0027XML Entity Expansion\u0027)"
},
"discovery_date": "2026-04-13T05:12:13.834000+00:00",
"flags": [
{
"label": "vulnerable_code_not_present",
"product_ids": [
"Red Hat Hardened Images:dotnet10-0-main@aarch64",
"Red Hat Hardened Images:dotnet10-0-main@x86_64"
]
}
],
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2457741"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in .NET. A remote attacker could exploit this vulnerability by crafting a malicious XML document that triggers an infinite recursion within the XmlDecryptionTransform component. This could lead to a Denial of Service (DoS), making the affected system unresponsive.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "dotnet: .NET: Denial of Service via Infinite Recursion in XmlDecryptionTransform",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important denial of service vulnerability in .NET\u0027s XmlDecryptionTransform. An attacker could exploit this flaw by providing specially crafted XML data, leading to an infinite recursion and causing a denial of service in applications processing such data. This affects Red Hat Enterprise Linux versions 8, 9, and 10, as well as Fedora.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat Hardened Images:dotnet10-0-main@src"
],
"known_not_affected": [
"Red Hat Hardened Images:dotnet10-0-main@aarch64",
"Red Hat Hardened Images:dotnet10-0-main@x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-33116"
},
{
"category": "external",
"summary": "RHBZ#2457741",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2457741"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-33116",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33116"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-33116",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33116"
}
],
"release_date": "2026-04-14T18:38:58.320000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-04-20T15:39:22+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\nhttps://images.redhat.com/",
"product_ids": [
"Red Hat Hardened Images:dotnet10-0-main@src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:9077"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat Hardened Images:dotnet10-0-main@aarch64",
"Red Hat Hardened Images:dotnet10-0-main@src",
"Red Hat Hardened Images:dotnet10-0-main@x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat Hardened Images:dotnet10-0-main@aarch64",
"Red Hat Hardened Images:dotnet10-0-main@src",
"Red Hat Hardened Images:dotnet10-0-main@x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "dotnet: .NET: Denial of Service via Infinite Recursion in XmlDecryptionTransform"
}
]
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.