{"id":"USN-8215-1","summary":"dotnet10 vulnerability","details":"It was discovered that the Microsoft.AspNetCore.DataProtection library in\n.NET did not properly verify cryptographic signatures under certain\nconditions. A remote attacker could possibly use this issue to elevate\nprivileges.","modified":"2026-04-29T11:44:21.914086938Z","published":"2026-04-28T07:10:08Z","related":["UBUNTU-CVE-2026-40372"],"upstream":["CVE-2026-40372","UBUNTU-CVE-2026-40372"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-8215-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-40372"}],"affected":[{"package":{"name":"dotnet10","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/dotnet10@10.0.107-10.0.7-0ubuntu1~24.04.1?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"10.0.107-10.0.7-0ubuntu1~24.04.1"}]}],"versions":["10.0.100-10.0.0-0ubuntu1~24.04.1","10.0.101-10.0.1-0ubuntu1~24.04.2","10.0.103-10.0.3-0ubuntu1~24.04.1","10.0.104-10.0.4-0ubuntu1~24.04.1","10.0.105-10.0.5-0ubuntu1~24.04.1","10.0.106-10.0.6-0ubuntu1~24.04.1"],"ecosystem_specific":{"binaries":[{"binary_name":"aspnetcore-runtime-10.0","binary_version":"10.0.7-0ubuntu1~24.04.1"},{"binary_name":"aspnetcore-runtime-dbg-10.0","binary_version":"10.0.7-0ubuntu1~24.04.1"},{"binary_name":"aspnetcore-targeting-pack-10.0","binary_version":"10.0.7-0ubuntu1~24.04.1"},{"binary_name":"dotnet-apphost-pack-10.0","binary_version":"10.0.7-0ubuntu1~24.04.1"},{"binary_name":"dotnet-host-10.0","binary_version":"10.0.7-0ubuntu1~24.04.1"},{"binary_name":"dotnet-hostfxr-10.0","binary_version":"10.0.7-0ubuntu1~24.04.1"},{"binary_name":"dotnet-runtime-10.0","binary_version":"10.0.7-0ubuntu1~24.04.1"},{"binary_name":"dotnet-runtime-dbg-10.0","binary_version":"10.0.7-0ubuntu1~24.04.1"},{"binary_name":"dotnet-sdk-10.0","binary_version":"10.0.107-0ubuntu1~24.04.1"},{"binary_name":"dotnet-sdk-10.0-source-built-artifacts","binary_version":"10.0.107-0ubuntu1~24.04.1"},{"binary_name":"dotnet-sdk-aot-10.0","binary_version":"10.0.107-0ubuntu1~24.04.1"},{"binary_name":"dotnet-sdk-dbg-10.0","binary_version":"10.0.107-0ubuntu1~24.04.1"},{"binary_name":"dotnet-targeting-pack-10.0","binary_version":"10.0.7-0ubuntu1~24.04.1"},{"binary_name":"dotnet-templates-10.0","binary_version":"10.0.107-0ubuntu1~24.04.1"},{"binary_name":"dotnet10","binary_version":"10.0.107-10.0.7-0ubuntu1~24.04.1"}],"availability":"No subscription required"},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:24.04:LTS","cves":[{"id":"CVE-2026-40372","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8215-1.json"}},{"package":{"name":"dotnet10","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/dotnet10@10.0.107-10.0.7-0ubuntu1~25.10.1?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"10.0.107-10.0.7-0ubuntu1~25.10.1"}]}],"versions":["10.0.100-10.0.0~rc1-0ubuntu1","10.0.100-10.0.0~rc2-0ubuntu1~25.10.2","10.0.100-10.0.0-0ubuntu1~25.10.1","10.0.101-10.0.1-0ubuntu1~25.10.2","10.0.103-10.0.3-0ubuntu1~25.10.1","10.0.104-10.0.4-0ubuntu1~25.10.1","10.0.105-10.0.5-0ubuntu1~25.10.1","10.0.106-10.0.6-0ubuntu1~25.10.1"],"ecosystem_specific":{"binaries":[{"binary_name":"aspnetcore-runtime-10.0","binary_version":"10.0.7-0ubuntu1~25.10.1"},{"binary_name":"aspnetcore-runtime-dbg-10.0","binary_version":"10.0.7-0ubuntu1~25.10.1"},{"binary_name":"aspnetcore-targeting-pack-10.0","binary_version":"10.0.7-0ubuntu1~25.10.1"},{"binary_name":"dotnet-apphost-pack-10.0","binary_version":"10.0.7-0ubuntu1~25.10.1"},{"binary_name":"dotnet-host-10.0","binary_version":"10.0.7-0ubuntu1~25.10.1"},{"binary_name":"dotnet-hostfxr-10.0","binary_version":"10.0.7-0ubuntu1~25.10.1"},{"binary_name":"dotnet-runtime-10.0","binary_version":"10.0.7-0ubuntu1~25.10.1"},{"binary_name":"dotnet-runtime-dbg-10.0","binary_version":"10.0.7-0ubuntu1~25.10.1"},{"binary_name":"dotnet-sdk-10.0","binary_version":"10.0.107-0ubuntu1~25.10.1"},{"binary_name":"dotnet-sdk-10.0-source-built-artifacts","binary_version":"10.0.107-0ubuntu1~25.10.1"},{"binary_name":"dotnet-sdk-aot-10.0","binary_version":"10.0.107-0ubuntu1~25.10.1"},{"binary_name":"dotnet-sdk-dbg-10.0","binary_version":"10.0.107-0ubuntu1~25.10.1"},{"binary_name":"dotnet-targeting-pack-10.0","binary_version":"10.0.7-0ubuntu1~25.10.1"},{"binary_name":"dotnet-templates-10.0","binary_version":"10.0.107-0ubuntu1~25.10.1"},{"binary_name":"dotnet10","binary_version":"10.0.107-10.0.7-0ubuntu1~25.10.1"}],"availability":"No subscription required"},"database_specific":{"cves_map":{"ecosystem":"Ubuntu:25.10","cves":[{"id":"CVE-2026-40372","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}]},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8215-1.json"}}],"schema_version":"1.7.5"}