Ubuntu Security Notices
USN-8420-1

USN-8420-1: .NET vulnerabilities

Publication date

11 June 2026

Overview

Several security issues were fixed in .NET.

Releases

26.04 LTS 25.10 24.04 LTS 22.04 LTS

Packages

dotnet10 - .NET CLI tools and runtime
dotnet8 - .NET CLI tools and runtime
dotnet9 - .NET CLI tools and runtime

Details

It was discovered that .NET did not properly handle link resolution before
file access. A local attacker could use this issue to perform unauthorized
file tampering and write arbitrary files outside of the intended extraction
directory. (CVE-2026-45491)

It was discovered that .NET did not properly handle deeply-nested
MessagePack arrays. An attacker could use this to cause .NET to consume
excessive resources, resulting in a denial of service. (CVE-2026-45591)

Update instructions

In general, a standard system update will make all the necessary changes.

Learn more about how to get the fixes.

The problem can be corrected by updating your system to the following package versions:

Ubuntu Release	Package Version
26.04 LTS resolute	aspnetcore-runtime-10.0 – 10.0.9-0ubuntu1~26.04.1
	dotnet-host-10.0 – 10.0.9-0ubuntu1~26.04.1
	dotnet-hostfxr-10.0 – 10.0.9-0ubuntu1~26.04.1
	dotnet-runtime-10.0 – 10.0.9-0ubuntu1~26.04.1
	dotnet-sdk-10.0 – 10.0.109-0ubuntu1~26.04.1
	dotnet-sdk-aot-10.0 – 10.0.109-0ubuntu1~26.04.1
	dotnet-sdk-dbg-10.0 – 10.0.109-0ubuntu1~26.04.1
	dotnet10 – 10.0.109-10.0.9-0ubuntu1~26.04.1
25.10 questing	aspnetcore-runtime-10.0 – 10.0.9-0ubuntu1~25.10.1
	aspnetcore-runtime-8.0 – 8.0.28-0ubuntu1~25.10.1
	aspnetcore-runtime-9.0 – 9.0.17-0ubuntu1~25.10.1
	dotnet-host-10.0 – 10.0.9-0ubuntu1~25.10.1
	dotnet-host-8.0 – 8.0.28-0ubuntu1~25.10.1
	dotnet-host-9.0 – 9.0.17-0ubuntu1~25.10.1
	dotnet-hostfxr-10.0 – 10.0.9-0ubuntu1~25.10.1
	dotnet-hostfxr-8.0 – 8.0.28-0ubuntu1~25.10.1
	dotnet-hostfxr-9.0 – 9.0.17-0ubuntu1~25.10.1
	dotnet-runtime-10.0 – 10.0.9-0ubuntu1~25.10.1
	dotnet-runtime-8.0 – 8.0.28-0ubuntu1~25.10.1
	dotnet-runtime-9.0 – 9.0.17-0ubuntu1~25.10.1
	dotnet-sdk-10.0 – 10.0.109-0ubuntu1~25.10.1
	dotnet-sdk-8.0 – 8.0.128-0ubuntu1~25.10.1
	dotnet-sdk-9.0 – 9.0.118-0ubuntu1~25.10.1
	dotnet-sdk-aot-10.0 – 10.0.109-0ubuntu1~25.10.1
	dotnet-sdk-aot-9.0 – 9.0.118-0ubuntu1~25.10.1
	dotnet-sdk-dbg-10.0 – 10.0.109-0ubuntu1~25.10.1
	dotnet-sdk-dbg-9.0 – 9.0.118-0ubuntu1~25.10.1
	dotnet10 – 10.0.109-10.0.9-0ubuntu1~25.10.1
	dotnet8 – 8.0.128-8.0.28-0ubuntu1~25.10.1
	dotnet9 – 9.0.118-9.0.17-0ubuntu1~25.10.1
24.04 LTS noble	aspnetcore-runtime-10.0 – 10.0.9-0ubuntu1~24.04.1
	aspnetcore-runtime-8.0 – 8.0.28-0ubuntu1~24.04.1
	dotnet-host-10.0 – 10.0.9-0ubuntu1~24.04.1
	dotnet-host-8.0 – 8.0.28-0ubuntu1~24.04.1
	dotnet-hostfxr-10.0 – 10.0.9-0ubuntu1~24.04.1
	dotnet-hostfxr-8.0 – 8.0.28-0ubuntu1~24.04.1
	dotnet-runtime-10.0 – 10.0.9-0ubuntu1~24.04.1
	dotnet-runtime-8.0 – 8.0.28-0ubuntu1~24.04.1
	dotnet-sdk-10.0 – 10.0.109-0ubuntu1~24.04.1
	dotnet-sdk-8.0 – 8.0.128-0ubuntu1~24.04.1
	dotnet-sdk-aot-10.0 – 10.0.109-0ubuntu1~24.04.1
	dotnet-sdk-dbg-10.0 – 10.0.109-0ubuntu1~24.04.1
	dotnet10 – 10.0.109-10.0.9-0ubuntu1~24.04.1
	dotnet8 – 8.0.128-8.0.28-0ubuntu1~24.04.1
22.04 LTS jammy	aspnetcore-runtime-8.0 – 8.0.28-0ubuntu1~22.04.1
	dotnet-host-8.0 – 8.0.28-0ubuntu1~22.04.1
	dotnet-hostfxr-8.0 – 8.0.28-0ubuntu1~22.04.1
	dotnet-runtime-8.0 – 8.0.28-0ubuntu1~22.04.1
	dotnet-sdk-8.0 – 8.0.128-0ubuntu1~22.04.1
	dotnet8 – 8.0.128-8.0.28-0ubuntu1~22.04.1

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Get Ubuntu Pro

USN-8420-1: .NET vulnerabilities

Packages

Details

Update instructions

Reduce your security exposure

References