{"id":"USN-8216-1","summary":"dotnet10 vulnerabilities","details":"Ludvig Pedersen discovered that the System.Security.Cryptography.Xml\nlibrary in .NET incorrectly handled certain XML inputs. An attacker could\npossibly use this issue to consume excessive resources, resulting in a\ndenial of service. (CVE-2026-33116, CVE-2026-26171)\n\nLudvig Pedersen and Kevin Jones discovered that the\nSystem.Security.Cryptography.Xml library in .NET incorrectly handled\ncertain XML inputs. An attacker could possibly use this issue to cause\n.NET to crash, resulting in a denial of service. (CVE-2026-32203)\n\nLudvig Pedersen discovered that the System.Net.Mail component in .NET\nincorrectly handled certain inputs. An attacker could possibly use this\nissue to perform a network spoofing attack. (CVE-2026-32178)\n\nIt was discovered that the Microsoft.AspNetCore.DataProtection library in\n.NET did not properly verify cryptographic signatures under certain\nconditions. A remote attacker could possibly use this issue to elevate\nprivileges. (CVE-2026-40372)","modified":"2026-05-20T16:04:02.635231365Z","published":"2026-04-28T07:32:20Z","related":["UBUNTU-CVE-2026-26171","UBUNTU-CVE-2026-32178","UBUNTU-CVE-2026-32203","UBUNTU-CVE-2026-33116","UBUNTU-CVE-2026-40372"],"upstream":["UBUNTU-CVE-2026-26171","UBUNTU-CVE-2026-32178","UBUNTU-CVE-2026-32203","UBUNTU-CVE-2026-33116","UBUNTU-CVE-2026-40372"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-8216-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-26171"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-32178"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-32203"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-33116"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2026-40372"}],"affected":[{"package":{"name":"dotnet10","ecosystem":"Ubuntu:26.04:LTS","purl":"pkg:deb/ubuntu/dotnet10?arch=source&distro=resolute"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"10.0.107-10.0.7-0ubuntu1~26.04.1"}]}],"versions":["10.0.100-10.0.0~rc1-0ubuntu1","10.0.100-10.0.0~rc2-0ubuntu1","10.0.100-10.0.0-0ubuntu1","10.0.100-10.0.0-0ubuntu2","10.0.101-10.0.1-0ubuntu1","10.0.101-10.0.1-0ubuntu2","10.0.101-10.0.1-0ubuntu3","10.0.102-10.0.2-0ubuntu1","10.0.103-10.0.3-0ubuntu1","10.0.104-10.0.4-0ubuntu1","10.0.105-10.0.5-0ubuntu1"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_name":"aspnetcore-runtime-10.0","binary_version":"10.0.7-0ubuntu1~26.04.1"},{"binary_name":"aspnetcore-runtime-dbg-10.0","binary_version":"10.0.7-0ubuntu1~26.04.1"},{"binary_name":"aspnetcore-targeting-pack-10.0","binary_version":"10.0.7-0ubuntu1~26.04.1"},{"binary_name":"dotnet-apphost-pack-10.0","binary_version":"10.0.7-0ubuntu1~26.04.1"},{"binary_name":"dotnet-host-10.0","binary_version":"10.0.7-0ubuntu1~26.04.1"},{"binary_name":"dotnet-hostfxr-10.0","binary_version":"10.0.7-0ubuntu1~26.04.1"},{"binary_name":"dotnet-runtime-10.0","binary_version":"10.0.7-0ubuntu1~26.04.1"},{"binary_name":"dotnet-runtime-dbg-10.0","binary_version":"10.0.7-0ubuntu1~26.04.1"},{"binary_name":"dotnet-sdk-10.0","binary_version":"10.0.107-0ubuntu1~26.04.1"},{"binary_name":"dotnet-sdk-10.0-source-built-artifacts","binary_version":"10.0.107-0ubuntu1~26.04.1"},{"binary_name":"dotnet-sdk-aot-10.0","binary_version":"10.0.107-0ubuntu1~26.04.1"},{"binary_name":"dotnet-sdk-dbg-10.0","binary_version":"10.0.107-0ubuntu1~26.04.1"},{"binary_name":"dotnet-targeting-pack-10.0","binary_version":"10.0.7-0ubuntu1~26.04.1"},{"binary_name":"dotnet-templates-10.0","binary_version":"10.0.107-0ubuntu1~26.04.1"},{"binary_name":"dotnet10","binary_version":"10.0.107-10.0.7-0ubuntu1~26.04.1"}]},"database_specific":{"cves_map":{"cves":[{"id":"CVE-2026-26171","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2026-32178","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2026-32203","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2026-33116","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]},{"id":"CVE-2026-40372","severity":[{"score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","type":"CVSS_V3"},{"score":"medium","type":"Ubuntu"}]}],"ecosystem":"Ubuntu:26.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8216-1.json"}}],"schema_version":"1.7.5"}