{
  "threat_severity" : "Important",
  "public_date" : "2026-04-14T18:39:18Z",
  "bugzilla" : {
    "description" : "dotnet: .NET: Security Bypass and Denial of Service Vulnerability",
    "id" : "2457739",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2457739"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-776",
  "details" : [ "Uncontrolled resource consumption in .NET allows an unauthorized attacker to deny service over a network.", "A flaw was found in .NET. A remote attacker could exploit a vulnerability related to unsafe transforms in EncryptedXml. This could lead to a Denial of Service (DoS) that makes the service unavailable, and to a bypass of security features." ],
  "statement" : "This is an Important impact vulnerability affecting .NET applications that use `EncryptedXml` for data encryption. An attacker could exploit unsafe transforms to cause a denial of service or to bypass security features. The CVSS vector in this record rates only the availability impact (C:N/I:N/A:H). This impacts Red Hat Enterprise Linux and Fedora systems running affected .NET versions.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-04-16T00:00:00Z",
    "advisory" : "RHSA-2026:8467",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "dotnet10.0-0:10.0.106-1.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-04-16T00:00:00Z",
    "advisory" : "RHSA-2026:8470",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "dotnet8.0-0:8.0.126-1.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2026-04-16T00:00:00Z",
    "advisory" : "RHSA-2026:8472",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "dotnet9.0-0:9.0.116-1.el10_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2026-05-04T00:00:00Z",
    "advisory" : "RHSA-2026:13280",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "dotnet9.0-0:9.0.116-1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10.0 Extended Update Support",
    "release_date" : "2026-05-04T00:00:00Z",
    "advisory" : "RHSA-2026:13281",
    "cpe" : "cpe:/o:redhat:enterprise_linux_eus:10.0",
    "package" : "dotnet8.0-0:8.0.126-1.el10_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-04-16T00:00:00Z",
    "advisory" : "RHSA-2026:8468",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "dotnet8.0-0:8.0.126-1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-04-16T00:00:00Z",
    "advisory" : "RHSA-2026:8473",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "dotnet10.0-0:10.0.106-1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2026-04-16T00:00:00Z",
    "advisory" : "RHSA-2026:8475",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "dotnet9.0-0:9.0.116-1.el8_10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-04-16T00:00:00Z",
    "advisory" : "RHSA-2026:8469",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "dotnet8.0-0:8.0.126-1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-04-16T00:00:00Z",
    "advisory" : "RHSA-2026:8471",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "dotnet10.0-0:10.0.106-1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2026-04-16T00:00:00Z",
    "advisory" : "RHSA-2026:8474",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "dotnet9.0-0:9.0.116-1.el9_7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2026-05-05T00:00:00Z",
    "advisory" : "RHSA-2026:13693",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4",
    "package" : "dotnet8.0-0:8.0.126-1.el9_4"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-05-04T00:00:00Z",
    "advisory" : "RHSA-2026:13282",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "dotnet9.0-0:9.0.116-1.el9_6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.6 Extended Update Support",
    "release_date" : "2026-05-04T00:00:00Z",
    "advisory" : "RHSA-2026:13283",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.6",
    "package" : "dotnet8.0-0:8.0.126-1.el9_6"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-20T00:00:00Z",
    "advisory" : "RHSA-2026:9077",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "dotnet10-0-main-10.0.106-1.hum1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-20T00:00:00Z",
    "advisory" : "RHSA-2026:9080",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "dotnet8-0-main-8.0.126-1.hum1"
  }, {
    "product_name" : "Red Hat Hardened Images",
    "release_date" : "2026-04-21T00:00:00Z",
    "advisory" : "RHSA-2026:9205",
    "cpe" : "cpe:/a:redhat:hummingbird:1",
    "package" : "dotnet9-0-main-9.0.116-1.hum1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-26171\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-26171" ],
  "name" : "CVE-2026-26171",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}