الوصف الكامل

### Summary The OTLP disk retry feature in `OpenTelemetry.Exporter.OpenTelemetryProtocol` silently fell back to `Path.GetTempPath()` when `OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk` was set but `OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH` was not configured. The exporter stored and loaded `*.blob` files under fixed, signal-named subdirectories (`traces`, `metrics`, `logs`) beneath that shared temporary root path. On multi-user systems where the temporary directory is accessible to other local accounts, this exposed three attack surfaces: - **Blob injection (integrity):** an attacker could write crafted `*.blob` files into the predictable path; the exporter picks them up on the next retry cycle and forwards them to the configured OTLP endpoint under the application's identity. - **Telemetry disclosure (confidentiality):** an attacker reads `*.blob` files written by the application between export failures, recovering encoded telemetry payloads (spans, metric data points, log records). - **Resource exhaustion (availability):** an attacker deposits numerous or oversized blob files, degrading retry-loop performance or consuming disk space. ### Details #### Preconditions 1. `OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY` is set to `disk`. 2. `OTEL_DOTNET_EXPERIMENTAL_OTLP_DISK_RETRY_DIRECTORY_PATH` is not set, causing the exporter to resolve the blob storage root using the `System.IO.Path.GetTempPath()` API. 3. A local attacker has read or write access to the process' temporary directory (e.g., `/tmp` on Linux, or `%TEMP%` on a multi-user Windows installation). #### Exploit path 1. A target application starts with `OTEL_DOTNET_EXPERIMENTAL_OTLP_RETRY=disk` and no explicit blob directory. The exporter resolves the storage root to `Path.GetTempPath()`, producing paths such as `%TEMP%\traces`, `%TEMP%\metrics`, and `%TEMP%\logs` (or `/tmp/traces` etc. on Linux). 2. **Injection scenario:** before or during the application's retry window, an attacker writes crafted `*.blob` files into one of those signal subdirectories. On the next retry interval (by default every 60 seconds), [`OtlpExporterPersistentStorageTransmissionHandler`](https://github.com/open-telemetry/opentelemetry-dotnet/blob/c724f4bd6fd88e9a599af1668bf7af9487155b62/src/OpenTelemetry.Exporter.OpenTelemetryProtocol/Implementation/Transmission/OtlpExporterPersistentStorageTransmissionHandler.cs) scans the directory, loads the attacker-supplied blobs, and forwards them to the configured OTLP endpoint using the application's identity and transport credentials. 3. **Disclosure scenario:** the attacker reads `*.blob` files that the application wrote after a transient export failure, recovering the full serialized telemetry payloads (spans, metric data points, or log records in Protobuf encoding). 5. **DoS scenario:** the attacker deposits a large number of oversized blob files in the temporary subdirectories, causing the retry loop to consume excess CPU/IO processing them, potentially exhausting available disk space. ### Mitigations If an immediate upgrade to a patched version is not possible: 1. Avoid enabling disk retry in shared environments. 2. Configure a dedicated directory with strict ACL/ownership and least privilege. 3. Ensure the directory is not shared across tenants/users. 4. Monitor for unexpected `*.blob` files or abnormal retry backlog growth. ### Resources - [#7106](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7106)

الإصدارات المتأثرة

>= 1.8.0, <= 1.15.2

نوع الثغرة

CWE-379 — CWE-379

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

المراجع

الوصف الكامل

### Summary When exporting telemetry to a back-end/collector over HTTP using the OpenTelemetry.Exporter.OneCollector exporter, if the request results in a unsuccessful request (i.e. HTTP 4xx or 5xx), the response is read into memory with no upper-bound on the number of bytes consumed. This could cause memory exhaustion in the consuming application if the configured back-end/collector endpoint is attacker-controlled (or a network attacker can MitM the connection) and an extremely large body is returned by the response. ### Details The [`HttpJsonPostTransport`](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/blob/171c6b81f88831641b56b470e6f92862e605013d/src/OpenTelemetry.Exporter.OneCollector/Internal/Transports/HttpJsonPostTransport.cs) class reads the response body when a non-200 HTTP status code is received when exporting telemetry to aid debugging by operators so that the error response is included in the logs emitted by the exporter. An attacker who controls the configured endpoint, or who can intercept traffic to them (MiTM), can return an arbitrarily large response body. This causes unbounded heap allocation in the consuming process, leading to high transient memory pressure, garbage-collection stalls, or an OutOfMemoryException that terminates the process. ### Impact If an application using the OneCollector exporter is configured to use a back-end/collector endpoint that is attacker-controlled (or a network attacker can MitM the connection) and an extremely large body is returned by the response the application could have its memory exhausted and create a denial-of-service condition. ### Mitigation The application's configured back-end/collector endpoint needs to behave maliciously. If the collector/back-end is a well-behaved implementation response bodies should not be excessively large if a request error occurs. ### Workarounds Use network-level controls (firewall rules, mTLS, service mesh) to prevent Man-in-the-Middle (MitM) attacks on the configured back-end/collector endpoint. ### Remediation [#4117](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4117) updates the OneCollector exporter to limit the number of bytes read from the response body in an error condition to 4MiB. ### Resources - [#4117](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4117)

الإصدارات المتأثرة

<= 1.15.0

نوع الثغرة

CWE-770 — Resource Exhaustion

CVSS Vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

المراجع

الوصف الكامل

### Summary `OpenTelemetry.Resources.Azure` reads unbounded HTTP response bodies from the Azure VM remote instance metadata service endpoint into memory. This would allow an attacker-controlled endpoint or one acting as a Man-in-the-Middle (MitM) to cause excessive memory allocation and possible process termination (via Out of Memory (OOM)). ### Details The [`AzureVmMetaDataRequestor`](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/blob/171c6b81f88831641b56b470e6f92862e605013d/src/OpenTelemetry.Resources.Azure/AzureVmMetaDataRequestor.cs) class makes HTTP requests to the relevant Azure VM instance metadata service (`http://169.254.169.254`) to obtain metadata about the running process and its infrastructure. An attacker who controls the configured endpoint, or who can intercept traffic to them (MiTM), can return an arbitrarily large response body. This causes unbounded heap allocation in the consuming process, leading to high transient memory pressure, garbage-collection stalls, or an `OutOfMemoryException` that terminates the process. ### Impact Denial of Service (DoS). An attacker can destabilize or crash the application by forcing unbounded memory allocation through the Azure VM instance metadata HTTP response paths. ### Mitigating Factors The application's reachable Azure VM metadata endpoint needs to behave maliciously or be subject to MitM. In normal usage response bodies should not be excessively large. ### Patches Fixed in `OpenTelemetry.Resources.Azure` version `1.15.0-beta.2`. The fix (#4121) introduce changes that introduce limits to `HttpClient` requests so that the response body is streamed rather than buffered entirely in memory. Responses greater than 4 MiB are ignored. ### Workarounds - Disable the Azure VM resource detector. - Use network-level controls (firewall rules, mTLS, service mesh) to prevent Man-in-the-Middle (MitM) attacks on the Azure VM instance metadata endpoint. ### References - [#4121](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/pull/4121)

الإصدارات المتأثرة

<= 1.15.0-beta.1

نوع الثغرة

CWE-770 — Resource Exhaustion

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

المراجع

الوصف الكامل

### Summary The Zipkin exporter remote endpoint cache accepted unbounded key growth derived from span attributes. In high-cardinality scenarios, this could increase process memory usage over time and degrade availability. ### Details - Introduce a bounded, thread-safe LRU cache for remote endpoints. - Enforce fixed maximum size to prevent unbounded growth. ### Impact - A process using Zipkin export for client/producer spans could experience avoidable memory growth under sustained unique remote endpoint values. ### Resources [#7081](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7081)

الإصدارات المتأثرة

<= 1.15.2

نوع الثغرة

CWE-400 — DoS

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

المراجع

الوصف الكامل

### Summary `OpenTelemetry.Sampler.AWS` reads unbounded HTTP response bodies from a configured AWS X-Ray remote sampling endpoint into memory. `OpenTelemetry.Resources.AWS` reads unbounded HTTP response bodies from a configured AWS EC2/ECS/EKS remote instance metadata service endpoint into memory. Both of these would allow an attacker-controlled endpoint or be acting as a Man-in-the-Middle (MitM) to cause excessive memory allocation and possible process termination (via Out of Memory (OOM)). ### Details #### OpenTelemetry.Sampler.AWS `AWSXRaySamplerClient.DoRequestAsync` called `HttpClient.SendAsync` followed by `ReadAsStringAsync()`, which materializes the entire HTTP response body into a single in-memory string with no size limit. The sampling endpoint is configurable via `AWSXRayRemoteSamplerBuilder.SetEndpoint` (default: `http://localhost:2000`). An attacker who controls the configured endpoint, or who can intercept traffic to it (MitM), can return an arbitrarily large response body. This causes unbounded heap allocation in the consuming process, leading to high transient memory pressure, garbage-collection stalls, or an `OutOfMemoryException` that terminates the process. #### OpenTelemetry.Resources.AWS The [`AWSEC2Detector`](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/blob/171c6b81f88831641b56b470e6f92862e605013d/src/OpenTelemetry.Resources.AWS/AWSEC2Detector.cs), [`AWSECSDetector`](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/blob/171c6b81f88831641b56b470e6f92862e605013d/src/OpenTelemetry.Resources.AWS/AWSECSDetector.cs) and [`AWSEKSDetector`](https://github.com/open-telemetry/opentelemetry-dotnet-contrib/blob/171c6b81f88831641b56b470e6f92862e605013d/src/OpenTelemetry.Resources.AWS/AWSEKSDetector.cs) classes all make HTTP requests to the relevant AWS metadata service (`http://169.254.169.254`, `ECS_CONTAINER_METADATA_URI`/`ECS_CONTAINER_METADATA_URI_V4` or `https://kubernetes.default.svc` respectively) to obtain metadata about the running process and its infrastructure. An attacker who controls the configured endpoint(s), or who can intercept traffic to them (MiTM), can return an arbitrarily large response body. This causes unbounded heap allocation in the consuming process, leading to high transient memory pressure, garbage-collection stalls, or an `OutOfMemoryException` that terminates the process. ### Impact Denial of Service (DoS). An attacker can destabilize or crash the application by forcing unbounded memory allocation through the X-Ray sampling and/or EC2/ECS/EKS HTTP response paths. ### Mitigating Factors - The default X-Ray sampling endpoint is `http://localhost:2000`, which limits remote exposure in default configurations. - Risk increases materially when operators configure the sampler to point at a remote or untrusted endpoint. ### Patches Fixed in `OpenTelemetry.Sampler.AWS` version `0.1.0-alpha.8` and `OpenTelemetry.Resources.AWS` version `1.15.1`. The fixes (#4100, #4122) introduce changes that introduce limits to `HttpClient` requests so that the response body is streamed rather than buffered entirely in memory. ### Workarounds - Ensure the X-Ray sampling endpoint (`http://localhost:2000` by default) is not accessible to untrusted parties. - Use network-level controls (firewall rules, mTLS, service mesh) to prevent Man-in-the-Middle (MitM) attacks on the sampling endpoint and/or EC2/ECS/EKS connection. - If using a remote endpoint, place it behind a reverse proxy that enforces a response body size limit.

الإصدارات المتأثرة

< 0.1.0-alpha.8, < 1.15.1

نوع الثغرة

CWE-770 — Resource Exhaustion

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

المراجع

الوصف الكامل

### Summary The implementation details of the baggage, B3 and Jaeger processing code in the `OpenTelemetry.Api` and `OpenTelemetry.Extensions.Propagators` NuGet packages can allocate excessive memory when parsing which could create a potential denial of service (DoS) in the consuming application. ### Details #### Exceeding Limits [`BaggagePropagator.Inject<T>()`](https://github.com/open-telemetry/opentelemetry-dotnet/blob/fc1a2864d1665bda857089e11fe9247e3c75637a/src/OpenTelemetry.Api/Context/Propagation/BaggagePropagator.cs#L93-L112) does not enforce the length limit of `8192` characters if the injected baggage contains only one item. This change was introduced by #1048. #### Excessive allocation The following methods eagerly allocate intermediate arrays before applying size limits. - [`BaggagePropagator.Extract<T>()`](https://github.com/open-telemetry/opentelemetry-dotnet/blob/888d1bf2489fb7408d3c5e8758a5bbffa89a8fb2/src/OpenTelemetry.Api/Context/Propagation/BaggagePropagator.cs#L52-L55) - this change was introduced by #1048. - [`BaggagePropagator.Inject<T>()`](https://github.com/open-telemetry/opentelemetry-dotnet/blob/888d1bf2489fb7408d3c5e8758a5bbffa89a8fb2/src/OpenTelemetry.Api/Context/Propagation/BaggagePropagator.cs#L138-L157) - this change was introduced by #1048. - [`B3Propagator.Extract<T>()`](https://github.com/open-telemetry/opentelemetry-dotnet/blob/888d1bf2489fb7408d3c5e8758a5bbffa89a8fb2/src/OpenTelemetry.Extensions.Propagators/B3Propagator.cs#L203-L207) - this change was introduced by #533. - [`B3Propagator.Extract<T>()`](https://github.com/open-telemetry/opentelemetry-dotnet/blob/888d1bf2489fb7408d3c5e8758a5bbffa89a8fb2/src/OpenTelemetry.Api/Context/Propagation/B3Propagator.cs#L204-L214) - this change was introduced by #3244. - [`JaegerPropagator.Extract<T>()`](https://github.com/open-telemetry/opentelemetry-dotnet/blob/888d1bf2489fb7408d3c5e8758a5bbffa89a8fb2/src/OpenTelemetry.Extensions.Propagators/JaegerPropagator.cs#L150-L154) - this change was introduced by #3309. ### Impact Excessively large propagation headers, particularly in degenerate/malformed cases that consist or large numbers of delimiter characters, can allocate excessive amounts of memory for intermediate storage of parsed content relative to the size of the original input. ### Mitigation HTTP servers often set maximum limits on the length of HTTP request headers, such as [Internet Information Services (IIS)](https://learn.microsoft.com/iis/configuration/system.webserver/security/requestfiltering/requestlimits/headerlimits/) which sets a default limit of 16KB and [nginx](https://nginx.org/docs/http/ngx_http_core_module.html#large_client_header_buffers) which sets a default limit of 8KB. ### Workarounds Possible workarounds include: - Configuring appropriate HTTP request header limits. - Disabling baggage and/or trace propagation. ### Remediation [#7061](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7061) refactors the handling of baggage, B3 and Jaeger propagation headers to stop parsing eagerly when limits are exceeded and avoid allocating intermediate arrays.

الإصدارات المتأثرة

>= 0.5.0-beta.2, < 1.15.3, >= 1.3.1, < 1.15.3

نوع الثغرة

CWE-789 — CWE-789

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

المراجع

الوصف الكامل

### Summary When exporting telemetry over gRPC using the OpenTelemetry Protocol (OTLP), the exporter may parse a server-provided `grpc-status-details-bin` trailer during retry handling. Prior to the fix, a malformed trailer could encode an extremely large length-delimited protobuf field which was used directly for allocation, allowing excessive memory allocation and potential denial of service (DoS). ### Details #5980 introduced a retry path that parses `grpc-status-details-bin` to extract gRPC retry delay information for retryable responses. On that path: - `OtlpGrpcExportClient` captures `grpc-status-details-bin` from retryable status responses (`ResourceExhausted` / `Unavailable`). - `OtlpRetry` invokes `GrpcStatusDeserializer.TryGetGrpcRetryDelay` using this untrusted trailer value. - `GrpcStatusDeserializer.DecodeBytes` decoded a protobuf varint length and allocated `new byte[length]` without validating the bounds against the remaining payload size. A malicious or compromised collector (or a MitM in weakly-protected deployments) could return a crafted `grpc-status-details-bin` payload that forces oversized allocation and memory exhaustion in the instrumented process. ### Impact If an OTLP/gRPC endpoint is attacker-controlled (or traffic is intercepted), a crafted retryable response can trigger large allocations during trailer parsing, which may exhaust memory and cause process instability/crash (availability impact / DoS). ### Mitigation The application's configured back-end/collector endpoint needs to behave maliciously. If the collector/back-end is a well-behaved implementation response bodies should not be excessively large if a request error occurs. ### Workarounds None known. ### Remediation [#7064](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7064) updates `GrpcStatusDeserializer` to validate decoded length-delimited field sizes before allocation by ensuring the requested length is sane and does not exceed the remaining payload. This causes malformed or truncated `grpc-status-details-bin` payloads to fail safely instead of attempting unbounded allocation.

الإصدارات المتأثرة

>= 1.13.1, < 1.15.3

نوع الثغرة

CWE-789 — CWE-789

CVSS Vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

المراجع

الوصف الكامل

### Summary When exporting telemetry to a back-end/collector over gRPC or HTTP using OpenTelemetry Protocol format (OTLP), if the request results in a unsuccessful request (i.e. HTTP 4xx or 5xx), the response is read into memory with no upper-bound on the number of bytes consumed. This could cause memory exhaustion in the consuming application if the configured back-end/collector endpoint is attacker-controlled (or a network attacker can MitM the connection) and an extremely large body is returned by the response. ### Details https://github.com/open-telemetry/opentelemetry-dotnet/pull/6564 introduced a change to read the response body when a non-200 HTTP status code is received when exporting telemetry to aid debugging by operators so that the error response is included in the logs emitted by the exporter for both [gRPC](https://github.com/open-telemetry/opentelemetry-dotnet/blob/640cf63628567b76b348b26988920dbc0b5c1662/src/OpenTelemetry.Exporter.OpenTelemetryProtocol/Implementation/ExportClient/OtlpGrpcExportClient.cs#L123-L134) and [HTTP/protobuf](https://github.com/open-telemetry/opentelemetry-dotnet/blob/640cf63628567b76b348b26988920dbc0b5c1662/src/OpenTelemetry.Exporter.OpenTelemetryProtocol/Implementation/ExportClient/OtlpHttpExportClient.cs#L36-L41). An unintended consequence of this change is that the response body is [fully read into memory when received with no upper-bound](https://github.com/open-telemetry/opentelemetry-dotnet/blob/640cf63628567b76b348b26988920dbc0b5c1662/src/OpenTelemetry.Exporter.OpenTelemetryProtocol/Implementation/ExportClient/OtlpExportClient.cs#L68-L89). This vulnerability was surfaced during the investigation of GHSA-w8rr-5gcm-pp58. ### Impact If an application using the OTLP exporter is configured to use a back-end/collector endpoint that is attacker-controlled (or a network attacker can MitM the connection) and an extremely large body is returned by the response the application could have its memory exhausted and create a denial-of-service condition. ### Mitigation The application's configured back-end/collector endpoint needs to behave maliciously. If the collector/back-end is a well-behaved implementation response bodies should not be excessively large if a request error occurs. ### Workarounds None known. ### Remediation [#7017](https://github.com/open-telemetry/opentelemetry-dotnet/pull/7017) updates the OTLP exporter for both gRPC and HTTP to: - Limit the number of bytes read from the response body in an error condition to 4MiB (see https://github.com/open-telemetry/opentelemetry-proto/pull/781); - Only attempt to read the response body if OpenTelemetry error logging is enabled.

الإصدارات المتأثرة

>= 1.13.1, < 1.15.2

نوع الثغرة

CWE-789 — CWE-789

CVSS Vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

المراجع

الوصف الكامل

### Summary OpenMcdf does not detect cycles in the directory entry red-black tree of a Compound File Binary (CFB) document. A crafted CFB file with a cycle in the `LeftSiblingID` / `RightSiblingID` chain causes `Storage.EnumerateEntries()` and `Storage.OpenStream()` to loop indefinitely, consuming the calling thread with no possibility of recovery via `try/catch`. ### Details CFB directory entries form a red-black tree linked by `LeftSiblingID` and `RightSiblingID` fields. OpenMcdf's `DirectoryTreeEnumerator` and `DirectoryTree.TryGetDirectoryEntry` traverse this tree without tracking visited node IDs, so a crafted cycle (e.g. entry A's `RightSiblingID` points to entry B, and entry B's `LeftSiblingID` points back to entry A) causes traversal to loop indefinitely. Two distinct code paths are affected: - **`Storage.EnumerateEntries()`** - `DirectoryTreeEnumerator.MoveNext()` never returns `false`; the same entry is yielded on every iteration and the caller's `foreach` never exits. Heap grows unboundedly as entries accumulate. - **`Storage.OpenStream()`** - `DirectoryTree.TryGetDirectoryEntry` loops indefinitely inside `DirectoryEntries.TryGetSibling` during the name lookup. ### PoC A crafted CFB file with a sibling cycle (see attached) triggers the issue with the following code: ```csharp using OpenMcdf; using var ms = new MemoryStream(File.ReadAllBytes("crafted.cfb")); using var root = RootStorage.Open(ms); // Never returns - EnumerateEntries loops indefinitely foreach (var entry in root.EnumerateEntries()) { Console.WriteLine(entry.Name); if (entry.Type == EntryType.Stream) root.OpenStream(entry.Name); // also hangs depending on the cycle structure } ``` ### Impact A denial of service affecting any application that opens untrusted CFB files with OpenMcdf. A small crafted input carrying a valid CFB magic header (`D0 CF 11 E0 A1 B1 1A E1`) is sufficient to pass initial format validation and reach the vulnerable traversal code. No exception is thrown, so `try/catch` cannot protect callers. The affected thread is unrecoverable without killing the process.

الإصدارات المتأثرة

< 3.1.3

نوع الثغرة

CWE-835 — CWE-835

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

المراجع

الوصف الكامل

## Executive Summary: A bug in `Microsoft.AspNetCore.DataProtection` 10.0.0-10.0.6 NuGet packages can give an attacker the opportunity to execute an Elevation of Privilege attack by forging authentication cookies, and also allows some protected payloads to be decrypted. If an attacker used forged payloads to authenticate as a privileged user during the vulnerable window, they may have induced the application to issue **legitimately-signed** tokens (session refresh, API key, password reset link, etc.) to themselves. Those tokens remain valid after upgrading to 10.0.7 unless the DataProtection key ring is rotated. This is comparable in capability to [MS10-070](https://learn.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-070), which exploited a similar padding-oracle condition in ASP.NET's legacy encryption infrastructure. ## Announcement Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/395 ## CVSS Details - **Version:** 3.1 - **Severity:** Important - **Score:** 9.1 - **Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N - **Weakness:** CWE-347: Improper Verification of Cryptographic Signature ## Affected Platforms - **Platforms:** All - **Architectures:** All ## <a name="affected-packages"></a>Affected Packages The vulnerability affects some Microsoft .NET projects if they use any of affected package versions listed below ### <a name="ASP.NET Core 10"></a>ASP.NET Core 10 Package name | Affected version | Patched version ------------ | ---------------- | ------------------------- [Microsoft.AspNetCore.DataProtection](https://www.nuget.org/packages/Microsoft.AspNetCore.DataProtection) | >=10.0.0, <=10.0.6 | 10.0.7 ## Advisory FAQ ### <a name="how-affected"></a>How do I know if I am affected? #### Primary affected configuration (10.0.6 on `net10.0`) You are **affected** if ALL of the following are true: - Your application referenced `Microsoft.AspNetCore.DataProtection` version 10.0.6 from NuGet (directly or transitively via, e.g., `Microsoft.AspNetCore.DataProtection.StackExchangeRedis`, `.EntityFrameworkCore`, `.AzureKeyVault`, `.AzureStorage`, `.Redis`), AND The affected 10.0.6 NuGet binary was actually loaded at runtime. This happens when either the application does NOT target the Microsoft.NET.Sdk.Web NOR has a Microsoft.AspNetCore.App framework reference either directly or transitively UNLESS you opt out of PrunePackageReference which is enabled by default in .NET 10. - The application ran on Linux, macOS, or any non-Windows operating system. #### Secondary affected configuration (10.0.x on `net462` / `netstandard2.0`) You are also affected if: - Your application or library referenced `Microsoft.AspNetCore.DataProtection` versions 10.0.0 through 10.0.6 from NuGet, AND - The build consumed the `net462` or `netstandard2.0` target framework asset of that package. This occurs when your application does not target `net10.0` and consumes the package (e.g. `net8.0`, `net9.0`, `net481` for mono, etc.). This combination is unusual because 10.0 NuGet packages are generally intended for use with .NET 10. This secondary population is much smaller and is expected to primarily consist of: - Desktop or server applications on .NET Framework that happen to use the ASP.NET Core DataProtection NuGet package. - Libraries that target `netstandard2.0` and reference the 10.0 DataProtection package. These configurations use the same managed authenticated encryptor code path on all operating systems (the CNG path is only available on the `net10.0` asset), so the Windows exception below does not apply to them. #### Not affected - Your application runs on **Windows** - Your application runs **framework-dependent** on `net10.0` and your installed ASP.NET Core shared framework version is **≥** your PackageReference version of `Microsoft.AspNetCore.DataProtection`. In this case the (correct) shared framework copy is loaded and the NuGet copy is not used. For example, shared framework 10.0.6 + PackageReference 10.0.6 is safe; shared framework 10.0.5 + PackageReference 10.0.6 is not. - Your application uses `Microsoft.AspNetCore.DataProtection` **8.0.x or 9.0.x** from NuGet, on any target framework, any operating system, any shared framework version. The defective code path was introduced during 10.0 development and was never backported to the 8.0 or 9.0 servicing branches. - Your application never referenced any affected version of the package. ### <a name="how-fix"></a>How do I fix the issue? 1. **Upgrade `Microsoft.AspNetCore.DataProtection` to 10.0.7 or later** and redeploy. This fixes the validation routine. Any forged payloads produced during the vulnerable window (which necessarily carried all-zero HMAC bytes) will be rejected by the corrected code. 2. **Rotate the DataProtection key ring** if your application was affected and served internet-exposed endpoints during the vulnerable window. This invalidates any legitimately-signed tokens the application may have issued to attackers during that period. Example using the built-in key manager: ```csharp // Run once, from an application with access to the same key ring. // Replace the cutoff with a timestamp just before you deployed 10.0.6. var services = new ServiceCollection() .AddDataProtection() // ... your existing repository / protection configuration ... .Services .BuildServiceProvider(); var keyManager = services.GetRequiredService<IKeyManager>(); keyManager.RevokeAllKeys( revocationDate: DateTimeOffset.UtcNow, // revoke all keys currently in the ring reason: "CVE-TBD: DataProtection 10.0.6 validation bypass"); ``` `RevokeAllKeys` marks every existing key as revoked; a new key is auto-generated on the next protect operation. All users will need to sign in again, all antiforgery tokens will be reissued, etc. If you can be more surgical — for instance, you know no key older than `T` was used by an affected process — use `RevokeKey(Guid keyId, string reason)` instead to revoke only the keys that were active during the vulnerable window. 3. **Audit application-level long-lived artifacts** that were created during the vulnerable window and carry identity or capability. These survive key rotation and must be rotated at the application layer: - API keys, refresh tokens, or access tokens stored in your database and issued via a protected endpoint. - Password reset links or email-confirmation tokens that were emitted during the window and have not yet expired. - Any other persistent capability that an authenticated request could have caused your application to issue. If your application does not issue such long-lived artifacts via authenticated endpoints, key rotation alone is sufficient. ### Recommended 4. **Audit plaintext stored inside protected payloads.** If your application stores long-lived secrets (database connection strings, third-party API keys, etc.) inside `IDataProtector.Protect` output, treat those secrets as potentially disclosed and rotate them at their respective sources. 5. **Review web server logs** for anomalous request volume against endpoints that accept protected payloads (auth cookies, antiforgery tokens, state parameters). The padding-oracle attack requires many requests per byte recovered — orders of magnitude more than normal traffic for that endpoint. Sustained high-volume traffic with varying cookie/query-parameter values against a single authenticated endpoint during the vulnerable window is a strong indicator. ## Other Information ### Reporting Security Issues If you have found a potential security issue in a supported version of .NET, please report it to the Microsoft Security Response Center (MSRC) via the [MSRC Researcher Portal](https://msrc.microsoft.com/report/vulnerability/new). Further information can be found in the MSRC [Report an Issue FAQ](https://www.microsoft.com/msrc/faqs-report-an-issue). Security reports made through MSRC may qualify for the Microsoft .NET Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty. ### Support You can ask questions about this issue on GitHub in the .NET GitHub organization. The main ASP.NET Core repo is located at https://github.com/dotnet/aspnetcore. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue. ### Disclaimer The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. ### External Links [CVE-2026-40372]( https://www.cve.org/CVERecord?id=CVE-2026-40372) ### Revisions V1.0 (April 21, 2026): Advisory published.

الإصدارات المتأثرة

>= 10.0.0, <= 10.0.6

نوع الثغرة

CWE-347 — CWE-347

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

المراجع

الوصف الكامل

### Summary > [!IMPORTANT] > There is no plan to fix this issue as `OpenTelemetry.Exporter.Jaeger` was deprecated in 2023. It is for informational purposes only. `OpenTelemetry.Exporter.Jaeger` may allow sustained memory pressure when the internal pooled-list sizing grows based on a large observed span/tag set and that enlarged size is reused for subsequent allocations. Under high-cardinality or attacker-influenced telemetry input, this can increase memory consumption and potentially cause denial of service. ### Details The Jaeger exporter conversion path can append tag/event data into pooled list structures. In affected versions, pooled allocation sizing may be influenced by large observed payloads and reused globally across later allocations, resulting in persistent oversized rentals and elevated memory pressure. In environments where telemetry attributes/events can be influenced by untrusted input and limits are increased from defaults, this may lead to process instability or denial of service. ### Impact Availability impact only. Confidentiality and integrity impacts are not expected. ### Workarounds / Mitigations * Prefer maintained exporters (for example OpenTelemetry Protocol format (OTLP)) instead of the Jaeger exporter.

الإصدارات المتأثرة

<= 1.6.0-rc.1

نوع الثغرة

CWE-400 — DoS

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

المراجع

الوصف الكامل

### Impact Hot Chocolate's `Utf8GraphQLParser` is a recursive descent parser with no recursion depth limit. A crafted GraphQL document with deeply nested selection sets, object values, list values, or list types can trigger a `StackOverflowException` on payloads as small as **40 KB**. Because `StackOverflowException` is **uncatchable in .NET** (since .NET 2.0), the entire worker process is terminated immediately. All in-flight HTTP requests, background `IHostedService` tasks, and open WebSocket subscriptions on that worker are dropped. The orchestrator (Kubernetes, IIS, etc.) must restart the process. This occurs **before any validation rules run** — `MaxExecutionDepth`, complexity analyzers, persisted query allow-lists, and custom `IDocumentValidatorRule` implementations cannot intercept the crash because `Utf8GraphQLParser.Parse` is invoked before validation. The existing `MaxAllowedFields=2048` limit does not help because the crashing payloads contain very few fields. **Severity:** Critical (9.1) — `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H` ### Patches - **v12 line:** Fixed in `12.22.7` - **v13 line:** Fixed in `13.9.16` - **v14 line:** Fixed in `14.3.1` - **v15 line:** Fixed in `15.1.14` The fix adds a `MaxAllowedRecursionDepth` option to `ParserOptions` with a safe default, and enforces it across all recursive parser methods (`ParseSelectionSet`, `ParseValueLiteral`, `ParseObject`, `ParseList`, `ParseTypeReference`, etc.). When the limit is exceeded, a catchable `SyntaxException` is thrown instead of overflowing the stack. ### Workarounds There is no application-level workaround. `StackOverflowException` cannot be caught in .NET. The only mitigation is to upgrade to a patched version. Operators can reduce (but not eliminate) risk by limiting HTTP request body size at the reverse proxy or load balancer layer, though the smallest crashing payload (40 KB) is well below most default body size limits and is highly compressible (~few hundred bytes via gzip). ### References - Fix for v15: https://github.com/ChilliCream/graphql-platform/pull/9528

الإصدارات المتأثرة

< 12.22.7, >= 13.0.0, < 13.9.16, >= 14.0.0, < 14.3.1, >= 15.0.0, < 15.1.14

نوع الثغرة

CWE-674 — CWE-674

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

المراجع

الوصف الكامل

### Summary Improper input validation in Microsoft QUIC allows an unauthorized attacker to elevate privileges over a network. ### Details Improper Input Validation Integer Underflow (Wrap or Wraparound) when decoding ACK frame. #### Patches - Fix underflow in ACK frame parsing - 1e6e999b ### Impact An attacker who successfully exploited this vulnerability could gain elevated privileges. ### MSRC CVE Info https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32179

الإصدارات المتأثرة

>= 2.5.0-ci.532574, < 2.5.7, >= 2.5.0-ci.532574, < 2.5.7, < 2.4.18, < 2.4.18

نوع الثغرة

CWE-191 — CWE-191

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

المراجع

الوصف الكامل

## Executive Summary: Microsoft is releasing this security advisory to provide information about a vulnerability in System.Security.Cryptography.Xml. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A vulnerability exists in EncryptedXml class where an attacker can cause an infinite loop and perform a Denial of Service attack. ## Announcement Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/12345 ## CVSS Details - **Version:** 3.1 - **Severity:** High - **Score:** 7.5 - **Vector:** 7.5 CVSS: 3.1AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C - **Weakness:** CWE-835 CWE-400 CWE-20: Loop with Unreachable Exit Condition ('Infinite Loop') Uncontrolled Resource Consumption Improper Input Validation ## Affected Platforms - **Platforms:** All - **Architectures:** All ## <a name="affected-packages"></a>Affected Packages The vulnerability affects any Microsoft .NET project if it uses any of affected packages versions listed below ### <a name=".NET 10"></a>.NET 10 Package name | Affected version | Patched version ------------ | ---------------- | ------------------------- [System.Security.Cryptography.Xml](https://www.nuget.org/packages/System.Security.Cryptography.Xml) | >=10.0.0, <=10.0.5 | 10.0.6 ### <a name=".NET 9"></a>.NET 9 Package name | Affected version | Patched version ------------ | ---------------- | ------------------------- [System.Security.Cryptography.Xml](https://www.nuget.org/packages/System.Security.Cryptography.Xml) | >=9.0.0, <=9.0.14 | 9.0.15 ### <a name=".NET 8"></a>.NET 8 Package name | Affected version | Patched version ------------ | ---------------- | ------------------------- [System.Security.Cryptography.Xml](https://www.nuget.org/packages/System.Security.Cryptography.Xml) | >=8.0.0, <=8.0.2 | 8.0.3 ## Advisory FAQ ### <a name="how-affected"></a>How do I know if I am affected? If using a package listed in [affected packages](#affected-packages), you're exposed to the vulnerability. ### <a name="how-fix"></a>How do I fix the issue? To update the Using the System.Security.Cryptography.xml NuGet package, use one of the following methods: NuGet Package Manager UI in Visual Studio: - Open your project in Visual Studio. - Right-click on your project in Solution Explorer and select "Manage NuGet Packages..." or navigate to "Project > Manage NuGet Packages". - In the NuGet Package Manager window, select the "Updates" tab. This tab lists packages with available updates from your configured package sources. - Select the package(s) you wish to update. You can choose a specific version from the dropdown or update to the latest available version. - Click the "Update" button. Using the NuGet Package Manager Console in Visual Studio: - Open your project in Visual Studio. - Navigate to "Tools > NuGet Package Manager > Package Manager Console". - To update a specific package to its latest version, use the following Update-Package command: ```Update-Package -Id System.Security.Cryptography.xml``` Using the .NET CLI (Command Line Interface): - Open a terminal or command prompt in your project's directory. - To update a specific package to its latest version, use the following add package command: ```dotnet add package System.Security.Cryptography.xml``` Once you have updated the nuget package reference you must recompile and deploy your application. Additionally we recommend you update your runtime and/or SDKs, but it is not necessary to patch the vulnerability. ## Other Information ### Reporting Security Issues If you have found a potential security issue in a supported version of .NET, please report it to the Microsoft Security Response Center (MSRC) via the [MSRC Researcher Portal](https://msrc.microsoft.com/report/vulnerability/new). Further information can be found in the MSRC [Report an Issue FAQ](https://www.microsoft.com/msrc/faqs-report-an-issue). Security reports made through MSRC may qualify for the Microsoft .NET Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty. ### Support You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue. ### Disclaimer The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. ### External Links [CVE-2026-33116]( https://www.cve.org/CVERecord?id=CVE-2026-33116) ### Acknowledgements Ludvig Pedersen ### Revisions V1.0 (April 14, 2026): Advisory published.

الإصدارات المتأثرة

>= 10.0.0, <= 10.0.5, >= 9.0.0, <= 9.0.14, >= 8.0.0, <= 8.0.2

نوع الثغرة

CWE-20 — Input Validation

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

المراجع

الوصف الكامل

## Executive Summary: Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0, .NET 9.0, and .NET 10.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A vulnerability exists in System.Net.Mail where specially crafted data allows an unauthorized attacker to perform a spoofing attack over the network. ## Announcement Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/12345 ## CVSS Details - **Version:** 3.1 - **Severity:** High - **Score:** 7.5 - **Vector:** 7.5: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C - **Weakness:** CWE-138: Improper Neutralization of Special Elements ## Affected Platforms - **Platforms:** All - **Architectures:** All ## <a name="affected-packages"></a>Affected Packages The vulnerability affects any Microsoft .NET project if it uses any of affected package versions listed below ### <a name=".NET 8"></a>.NET 8 Package name | Affected version | Patched version ------------ | ---------------- | ------------------------- [Microsoft.NetCore.App.Runtime.linux-arm](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-arm) | >= 8.0.0, <= 8.0.25 | 8.0.26 [Microsoft.NetCore.App.Runtime.linux-arm64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-arm64) | >= 8.0.0, <= 8.0.25 | 8.0.26 [Microsoft.NetCore.App.Runtime.linux-musl-arm](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-musl-arm) | >= 8.0.0, <= 8.0.25 | 8.0.26 [Microsoft.NetCore.App.Runtime.linux-musl-arm64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-musl-arm64) | >= 8.0.0, <= 8.0.25 | 8.0.26 [Microsoft.NetCore.App.Runtime.linux-musl-x64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-musl-x64) | >= 8.0.0, <= 8.0.25 | 8.0.26 [Microsoft.NetCore.App.Runtime.linux-x64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-x64) | >= 8.0.0, <= 8.0.25 | 8.0.26 [Microsoft.NetCore.App.Runtime.osx-arm64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.osx-arm64) | >= 8.0.0, <= 8.0.25 | 8.0.26 [Microsoft.NetCore.App.Runtime.osx-x64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.osx-x64) | >= 8.0.0, <= 8.0.25 | 8.0.26 [Microsoft.NetCore.App.Runtime.win-arm](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-arm) | >= 8.0.0, <= 8.0.25 | 8.0.26 [Microsoft.NetCore.App.Runtime.win-arm64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-arm64) | >= 8.0.0, <= 8.0.25 | 8.0.26 [Microsoft.NetCore.App.Runtime.win-x64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-x64) | >= 8.0.0, <= 8.0.25 | 8.0.26 [Microsoft.NetCore.App.Runtime.win-x86](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-x86) | >= 8.0.0, <= 8.0.25 | 8.0.26 ### <a name=".NET 9"></a>.NET 9 Package name | Affected version | Patched version ------------ | ---------------- | ------------------------- [Microsoft.NetCore.App.Runtime.linux-arm](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-arm) | >= 9.0.0, <= 9.0.14 | 9.0.15 [Microsoft.NetCore.App.Runtime.linux-arm64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-arm64) | >= 9.0.0, <= 9.0.14 | 9.0.15 [Microsoft.NetCore.App.Runtime.linux-musl-arm](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-musl-arm) | >= 9.0.0, <= 9.0.14 | 9.0.15 [Microsoft.NetCore.App.Runtime.linux-musl-arm64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-musl-arm64) | >= 9.0.0, <= 9.0.14 | 9.0.15 [Microsoft.NetCore.App.Runtime.linux-musl-x64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-musl-x64) | >= 9.0.0, <= 9.0.14 | 9.0.15 [Microsoft.NetCore.App.Runtime.linux-x64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-x64) | >= 9.0.0, <= 9.0.14 | 9.0.15 [Microsoft.NetCore.App.Runtime.osx-arm64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.osx-arm64) | >= 9.0.0, <= 9.0.14 | 9.0.15 [Microsoft.NetCore.App.Runtime.osx-x64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.osx-x64) | >= 9.0.0, <= 9.0.14 | 9.0.15 [Microsoft.NetCore.App.Runtime.win-arm](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-arm) | >= 9.0.0, <= 9.0.14 | 9.0.15 [Microsoft.NetCore.App.Runtime.win-arm64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-arm64) | >= 9.0.0, <= 9.0.14 | 9.0.15 [Microsoft.NetCore.App.Runtime.win-x64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-x64) | >= 9.0.0, <= 9.0.14 | 9.0.15 [Microsoft.NetCore.App.Runtime.win-x86](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-x86) | >= 9.0.0, <= 9.0.14 | 9.0.15 ### <a name=".NET 10"></a>.NET 10 Package name | Affected version | Patched version ------------ | ---------------- | ------------------------- [Microsoft.NetCore.App.Runtime.linux-arm](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-arm) | >= 10.0.0, <= 10.0.5 | 10.0.6 [Microsoft.NetCore.App.Runtime.linux-arm64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-arm64) | >= 10.0.0, <= 10.0.5 | 10.0.6 [Microsoft.NetCore.App.Runtime.linux-musl-arm](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-musl-arm) | >= 10.0.0, <= 10.0.5 | 10.0.6 [Microsoft.NetCore.App.Runtime.linux-musl-arm64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-musl-arm64) | >= 10.0.0, <= 10.0.5 | 10.0.6 [Microsoft.NetCore.App.Runtime.linux-musl-x64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-musl-x64) | >= 10.0.0, <= 10.0.5 | 10.0.6 [Microsoft.NetCore.App.Runtime.linux-x64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.linux-x64) | >= 10.0.0, <= 10.0.5 | 10.0.6 [Microsoft.NetCore.App.Runtime.osx-arm64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.osx-arm64) | >= 10.0.0, <= 10.0.5 | 10.0.6 [Microsoft.NetCore.App.Runtime.osx-x64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.osx-x64) | >= 10.0.0, <= 10.0.5 | 10.0.6 [Microsoft.NetCore.App.Runtime.win-arm](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-arm) | >= 10.0.0, <= 10.0.5 | 10.0.6 [Microsoft.NetCore.App.Runtime.win-arm64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-arm64) | >= 10.0.0, <= 10.0.5 | 10.0.6 [Microsoft.NetCore.App.Runtime.win-x64](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-x64) | >= 10.0.0, <= 10.0.5 | 10.0.6 [Microsoft.NetCore.App.Runtime.win-x86](https://www.nuget.org/packages/Microsoft.NetCore.App.Runtime.win-x86) | >= 10.0.0, <= 10.0.5 | 10.0.6 ## Advisory FAQ ### <a name="how-affected"></a>How do I know if I am affected? If using a package listed in [affected packages](#affected-packages), you're exposed to the vulnerability. ### <a name="how-fix"></a>How do I fix the issue? 1. To fix the issue please install the latest version of .NET 8.0, NET 9.0, or .NET 10.0, as appropriate. If you have installed one or more .NET SDKs through Visual Studio, Visual Studio will prompt you to update Visual Studio, which will also update your .NET SDKs. 2. If your application references the vulnerable package, update the package reference to the patched version. You can list the versions you have installed by running the `dotnet --info` command. Once you have installed the updated runtime or SDK, restart your apps for the update to take effect. Additionally, if you've deployed [self-contained applications](https://docs.microsoft.com/dotnet/core/deploying/#self-contained-deployments-scd) targeting any of the impacted versions, these applications are also vulnerable and must be recompiled and redeployed. ## Other Information ### Reporting Security Issues If you have found a potential security issue in a supported version of .NET, please report it to the Microsoft Security Response Center (MSRC) via the [MSRC Researcher Portal](https://msrc.microsoft.com/report/vulnerability/new). Further information can be found in the MSRC [Report an Issue FAQ](https://www.microsoft.com/msrc/faqs-report-an-issue). Security reports made through MSRC may qualify for the Microsoft .NET Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty. ### Support You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue. ### Disclaimer The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. ### External Links [CVE-2026-32178]( https://www.cve.org/CVERecord?id=CVE-2026-32178) ### Acknowledgements Ludvig Pedersen ### Revisions V1.0 (April 14, 2026): Advisory published.

الإصدارات المتأثرة

>= 10.0.0, <= 10.0.5, >= 10.0.0, <= 10.0.5, >= 10.0.0, <= 10.0.5, >= 10.0.0, <= 10.0.5, >= 10.0.0, <= 10.0.5, >= 10.0.0, <= 10.0.5, >= 10.0.0, <= 10.0.5, >= 10.0.0, <= 10.0.5, >= 10.0.0, <= 10.0.5, >= 10.0.0, <= 10.0.5, >= 10.0.0, <= 10.0.5, >= 10.0.0, <= 10.0.5, >= 9.0.0, <= 9.0.14, >= 9.0.0, <= 9.0.14, >= 9.0.0, <= 9.0.14, >= 9.0.0, <= 9.0.14, >= 9.0.0, <= 9.0.14, >= 9.0.0, <= 9.0.14, >= 9.0.0, <= 9.0.14, >= 9.0.0, <= 9.0.14, >= 9.0.0, <= 9.0.14, >= 9.0.0, <= 9.0.14, >= 9.0.0, <= 9.0.14, >= 9.0.0, <= 9.0.14, >= 8.0.0, <= 8.0.25, >= 8.0.0, <= 8.0.25, >= 8.0.0, <= 8.0.25, >= 8.0.0, <= 8.0.25, >= 8.0.0, <= 8.0.25, >= 8.0.0, <= 8.0.25, >= 8.0.0, <= 8.0.25, >= 8.0.0, <= 8.0.25, >= 8.0.0, <= 8.0.25, >= 8.0.0, <= 8.0.25, >= 8.0.0, <= 8.0.25, >= 8.0.0, <= 8.0.25

نوع الثغرة

CWE-138 — CWE-138

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

المراجع

الوصف الكامل

## Executive Summary: Microsoft is releasing this security advisory to provide information about a vulnerability in System.Security.Cryptography.Xml. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability. A vulnerability exists in EncryptedXml class where uncontrolled resource consumption can give an attacker to the ability to perform a Denial of Service attack. ## Announcement Announcement for this issue can be found at https://github.com/dotnet/announcements/issues/xxxxx ## CVSS Details - **Version:** 3.1 - **Severity:** High - **Score:** 7.5 - **Vector:** 7.5: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H E:U/RL:O/RC:C - **Weakness:** CWE-400 CWE-611: Uncontrolled Resource Consumption Improper Restriction of XML External Entity Reference ## Affected Platforms - **Platforms:** All - **Architectures:** All ## <a name="affected-packages"></a>Affected Packages The vulnerability affects any Microsoft .NET project if it uses any of affected packages versions listed below ### <a name=".NET 10"></a>.NET 10 Package name | Affected version | Patched version ------------ | ---------------- | ------------------------- [System.Security.Cryptography.xml](https://www.nuget.org/packages/System.Security.Cryptography.Xml) | >=10.0.0, <=10.0.5; | 10.0.6 ### <a name=".NET 9"></a>.NET 9 Package name | Affected version | Patched version ------------ | ---------------- | ------------------------- [System.Security.Cryptography.xml](https://www.nuget.org/packages/System.Security.Cryptography.Xml) | >=9.0.0, <=9.0.14; | 9.0.15 ### <a name=".NET 8"></a>.NET 8 Package name | Affected version | Patched version ------------ | ---------------- | ------------------------- [System.Security.Cryptography.xml](https://www.nuget.org/packages/System.Security.Cryptography.Xml) | >=8.0.0, <=8.0.2; | 8.0.3 ## Advisory FAQ ### <a name="how-affected"></a>How do I know if I am affected? If using an affected package listed in [affected packages](#affected-packages), you're exposed to the vulnerability. ### <a name="how-fix"></a>How do I fix the issue? To update the Using the System.Security.Cryptography.Xml NuGet package, use one of the following methods: NuGet Package Manager UI in Visual Studio: - Open your project in Visual Studio. - Right-click on your project in Solution Explorer and select "Manage NuGet Packages..." or navigate to "Project > Manage NuGet Packages". - In the NuGet Package Manager window, select the "Updates" tab. This tab lists packages with available updates from your configured package sources. - Select the package(s) you wish to update. You can choose a specific version from the dropdown or update to the latest available version. - Click the "Update" button. Using the NuGet Package Manager Console in Visual Studio: - Open your project in Visual Studio. - Navigate to "Tools > NuGet Package Manager > Package Manager Console". - To update a specific package to its latest version, use the following Update-Package command: ```Update-Package -Id System.Security.Cryptography.xml``` Using the .NET CLI (Command Line Interface): - Open a terminal or command prompt in your project's directory. - To update a specific package to its latest version, use the following add package command: ```dotnet add package System.Security.Cryptography.Xml``` Once you have updated the nuget package reference you must recompile and deploy your application. Additionally we recommend you update your runtime and/or SDKs, but it is not necessary to patch the vulnerability. ## Other Information ### Reporting Security Issues If you have found a potential security issue in a supported version of .NET, please report it to the Microsoft Security Response Center (MSRC) via the [MSRC Researcher Portal](https://msrc.microsoft.com/report/vulnerability/new). Further information can be found in the MSRC [Report an Issue FAQ](https://www.microsoft.com/msrc/faqs-report-an-issue). Security reports made through MSRC may qualify for the Microsoft .NET Bounty. Details of the Microsoft .NET Bounty Program including terms and conditions are at https://aka.ms/corebounty. ### Support You can ask questions about this issue on GitHub in the .NET GitHub organization. The main repos are located at https://github.com/dotnet/runtime. The Announcements repo (https://github.com/dotnet/Announcements) will contain this bulletin as an issue and will include a link to a discussion issue. You can ask questions in the linked discussion issue. ### Disclaimer The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. ### External Links [CVE-2026-26171](https://www.cve.org/CVERecord?id=CVE-2026-26171) ### Acknowledgements Ludvig Pedersen ### Revisions V1.0 (April 14, 2026): Advisory published.

الإصدارات المتأثرة

>= 10.0.0, <= 10.0.5, >= 9.0.0, <= 9.0.14, >= 8.0.0, <= 8.0.2

نوع الثغرة

CWE-400 — DoS

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

المراجع

الوصف الكامل

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, a heap buffer overflow occurs in the MVG decoder that could result in an out of bounds write when processing a crafted image. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.

الإصدارات المتأثرة

< 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0

نوع الثغرة

CWE-122 — CWE-122

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

المراجع

الوصف الكامل

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, Magick frees the memory of the XML tree via the `DestroyXMLTree()` function; however, this process is executed recursively with no depth limit imposed. When Magick processes an XML file with deeply nested structures, it will exhaust the stack memory, resulting in a Denial of Service (DoS) attack. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.

الإصدارات المتأثرة

< 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0

نوع الثغرة

CWE-674 — CWE-674

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

المراجع

الوصف الكامل

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, an off by one error in the MSL decoder could result in a crash when a malicous MSL file is read. This issue has been fixed in version 7.1.2-19.

الإصدارات المتأثرة

< 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0

نوع الثغرة

CWE-193 — CWE-193

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

المراجع

الوصف الكامل

ImageMagick is free and open-source software used for editing and manipulating digital images. Versions below 7.1.2-19 and 6.9.13-44 contain a heap use-after-free vulnerability that can cause a crash when reading and printing values from an invalid XMP profile. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.

الإصدارات المتأثرة

< 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0

نوع الثغرة

CWE-416 — Use After Free

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

المراجع

الوصف الكامل

ImageMagick is free and open-source software used for editing and manipulating digital images. Versions below both 7.1.2-19 and 6.9.13-44, contain a heap out-of-bounds write in the JP2 encoder with when a user specifies an invalid sampling index. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.

الإصدارات المتأثرة

< 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0

نوع الثغرة

CWE-122 — CWE-122

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

المراجع

الوصف الكامل

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, the JXL encoder has an heap write overflow when a user specifies that the image should be encoded as 16 bit floats. This issue has been fixed in version 7.1.2-19.

الإصدارات المتأثرة

< 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0

نوع الثغرة

CWE-122 — CWE-122

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

المراجع

الوصف الكامل

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-19, a crafted image could result in an out of bounds heap write when writing a yaml or json output, resulting in a crash. This issue has been fixed in version 7.1.2-19.

الإصدارات المتأثرة

< 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0

نوع الثغرة

CWE-122 — CWE-122

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

المراجع

الوصف الكامل

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, the -sample operation has an out of bounds read when an specific offset is set through the `sample:offset` define that could lead to an out of bounds read. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.

الإصدارات المتأثرة

< 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0

نوع الثغرة

CWE-125 — Out-of-bounds Read

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

المراجع

الوصف الكامل

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, a stack overflow vulnerability in ImageMagick's FX expression parser allows an attacker to crash the process by providing a deeply nested expression. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.

الإصدارات المتأثرة

< 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0

نوع الثغرة

CWE-674 — CWE-674

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

المراجع

الوصف الكامل

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below 7.1.2-189 and 6.9.13-44, when `Magick` parses an XML file it is possible that a single zero byte is written out of the bounds. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.

الإصدارات المتأثرة

< 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0

نوع الثغرة

CWE-122 — CWE-122

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

المراجع

الوصف الكامل

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, an integer overflow in the despeckle operation causes a heap buffer overflow on 32-bit builds that will result in an out of bounds write. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.

الإصدارات المتأثرة

< 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0

نوع الثغرة

CWE-190 — Integer Overflow

CVSS Vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

المراجع

الوصف الكامل

ImageMagick is free and open-source software used for editing and manipulating digital images. In versions below both 7.1.2-19 and 6.9.13-44, the viff encoder contains an integer truncation/wraparound issue on 32-bit builds that could trigger an out of bounds heap write, potentially causing a crash. This issue has been fixed in versions 6.9.13-44 and 7.1.2-19.

الإصدارات المتأثرة

< 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0, < 14.12.0

نوع الثغرة

CWE-190 — Integer Overflow

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

المراجع

الوصف الكامل

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. All new installations of DNN 10.x.x - 10.2.1 have the same Host GUID. This does not affect upgrades from 9.x.x. Version 10.2.2 patches the issue.

الإصدارات المتأثرة

>= 10.0.0, < 10.2.2

نوع الثغرة

CWE-330 — CWE-330

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

المراجع

الوصف الكامل

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 6.0.0 and prior to version 10.2.2, in the friends feature, a user could craft a request that would force the acceptance of a friend request on another user. Version 10.2.2 patches the issue.

الإصدارات المتأثرة

>= 6.0.0, < 10.2.2

نوع الثغرة

CWE-285 — CWE-285

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

المراجع

الوصف الكامل

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 10.2.2, a user could upload a specially crafted SVG file that could include scripts that can target both authenticated and unauthenticated DNN users. The impact is increased if the scripts are run by a power user. Version 10.2.2 patches the issue.

الإصدارات المتأثرة

< 10.2.2

نوع الثغرة

CWE-87 — CWE-87

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H

المراجع