Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 536
Alerts This Week
Warning Icon 1 536

Ubuntu 26.04 LTS Dotnet Critical Denial of Service Threat USN-8420-1

ubuntu
Calendar Grey June 11, 2026
Scroller Ubuntu
Security fixes for .NET on multiple Ubuntu versions include mitigating file tampering and denial of service threats.
Several security issues were fixed in .NET.

Summary

Several security issues were fixed in .NET.

Software Description:

- dotnet10: .NET CLI tools and runtime

- dotnet8: .NET CLI tools and runtime

- dotnet9: .NET CLI tools and runtime

Details:

It was discovered that .NET did not properly handle link resolution before

file access. A local attacker could use this issue to perform unauthorized

file tampering and write arbitrary files outside of the intended extraction

directory. (CVE-2026-45491)

It was discovered that .NET did not properly handle deeply-nested

MessagePack arrays. An attacker could use this to cause .NET to consume

excessive resources, resulting in a denial of service. (CVE-2026-45591)

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 26.04 LTS
  aspnetcore-runtime-10.0         10.0.9-0ubuntu1~26.04.1
  dotnet-host-10.0                10.0.9-0ubuntu1~26.04.1
  dotnet-hostfxr-10.0             10.0.9-0ubuntu1~26.04.1
  dotnet-runtime-10.0             10.0.9-0ubuntu1~26.04.1
  dotnet-sdk-10.0                 10.0.109-0ubuntu1~26.04.1
  dotnet-sdk-aot-10.0             10.0.109-0ubuntu1~26.04.1
  dotnet-sdk-dbg-10.0             10.0.109-0ubuntu1~26.04.1
  dotnet10                        10.0.109-10.0.9-0ubuntu1~26.04.1

Ubuntu 25.10
  aspnetcore-runtime-10.0         10.0.9-0ubuntu1~25.10.1
  aspnetcore-runtime-8.0          8.0.28-0ubuntu1~25.10.1
  aspnetcore-runtime-9.0          9.0.17-0ubuntu1~25.10.1
  dotnet-host-10.0                10.0.9-0ubuntu1~25.10.1
  dotnet-host-8.0                 8.0.28-0ubuntu1~25.10.1
  dotnet-host-9.0                 9.0.17-0ubuntu1~25.10.1
  dotnet-hostfxr-10.0             10.0.9-0ubuntu1~25.10.1
  dotnet-hostfxr-8.0              8.0.28-0ubuntu1~25.10.1
  dotnet-hostfxr-9.0              9.0.17-0ubuntu1~25.10.1
  dotnet-runtime-10.0             10.0.9-0ubuntu1~25.10.1
  dotnet-runtime-8.0              8.0.28-0ubuntu1~25.10.1
  dotnet-runtime-9.0              9.0.17-0ubuntu1~25.10.1
  dotnet-sdk-10.0                 10.0.109-0ubuntu1~25.10.1
  dotnet-sdk-8.0                  8.0.128-0ubuntu1~25.10.1
  dotnet-sdk-9.0                  9.0.118-0ubuntu1~25.10.1
  dotnet-sdk-aot-10.0             10.0.109-0ubuntu1~25.10.1
  dotnet-sdk-aot-9.0              9.0.118-0ubuntu1~25.10.1
  dotnet-sdk-dbg-10.0             10.0.109-0ubuntu1~25.10.1
  dotnet-sdk-dbg-9.0              9.0.118-0ubuntu1~25.10.1
  dotnet10                        10.0.109-10.0.9-0ubuntu1~25.10.1
  dotnet8                         8.0.128-8.0.28-0ubuntu1~25.10.1
  dotnet9                         9.0.118-9.0.17-0ubuntu1~25.10.1

Ubuntu 24.04 LTS
  aspnetcore-runtime-10.0         10.0.9-0ubuntu1~24.04.1
  aspnetcore-runtime-8.0          8.0.28-0ubuntu1~24.04.1
  dotnet-host-10.0                10.0.9-0ubuntu1~24.04.1
  dotnet-host-8.0                 8.0.28-0ubuntu1~24.04.1
  dotnet-hostfxr-10.0             10.0.9-0ubuntu1~24.04.1
  dotnet-hostfxr-8.0              8.0.28-0ubuntu1~24.04.1
  dotnet-runtime-10.0             10.0.9-0ubuntu1~24.04.1
  dotnet-runtime-8.0              8.0.28-0ubuntu1~24.04.1
  dotnet-sdk-10.0                 10.0.109-0ubuntu1~24.04.1
  dotnet-sdk-8.0                  8.0.128-0ubuntu1~24.04.1
  dotnet-sdk-aot-10.0             10.0.109-0ubuntu1~24.04.1
  dotnet-sdk-dbg-10.0             10.0.109-0ubuntu1~24.04.1
  dotnet10                        10.0.109-10.0.9-0ubuntu1~24.04.1
  dotnet8                         8.0.128-8.0.28-0ubuntu1~24.04.1

Ubuntu 22.04 LTS
  aspnetcore-runtime-8.0          8.0.28-0ubuntu1~22.04.1
  dotnet-host-8.0                 8.0.28-0ubuntu1~22.04.1
  dotnet-hostfxr-8.0              8.0.28-0ubuntu1~22.04.1
  dotnet-runtime-8.0              8.0.28-0ubuntu1~22.04.1
  dotnet-sdk-8.0                  8.0.128-0ubuntu1~22.04.1
  dotnet8                         8.0.128-8.0.28-0ubuntu1~22.04.1

In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-8420-1

CVE-2026-45491, CVE-2026-45591

Severity
moderate
Lowest
Low
Medium
High
Critical

Ubuntu Security Notice USN-8420-1

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.