USN-8025-1
- Source
- https://ubuntu.com/security/notices/USN-8025-1
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8025-1.json
- JSON Data
- https://api.osv.dev/v1/vulns/USN-8025-1
- Upstream
- Related
- Published
- 2026-02-11T14:25:40Z
- Modified
- 2026-02-12T14:59:03.008606Z
- Summary
- dotnet8, dotnet9, dotnet10 vulnerability
- Details
-
Kevin Jones discovered that the System.Security.Cryptography.Cose component in .NET did not properly handle certain missing special elements in input data. An attacker could possibly use this issue to bypass security checks and gain unauthorized access or perform data manipulation.
- References
Affected packages
Ubuntu:22.04:LTS / dotnet8
Package
- Name
- dotnet8
- Purl
- pkg:deb/ubuntu/dotnet8@8.0.124-8.0.24-0ubuntu1~22.04.1?arch=source&distro=jammy
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed8.0.124-8.0.24-0ubuntu1~22.04.1
Affected versions
8.*
8.0.102-8.0.2-0ubuntu1~22.04.1
8.0.103-8.0.3-0ubuntu1~22.04.1
8.0.103-8.0.3-0ubuntu1~22.04.2
8.0.105-8.0.5-0ubuntu1~22.04.1
8.0.107-8.0.7-0ubuntu1~22.04.1
8.0.108-8.0.8-0ubuntu1~22.04.1
8.0.110-8.0.10-0ubuntu1~22.04.1
8.0.111-8.0.11-0ubuntu1~22.04.1
8.0.112-8.0.12-0ubuntu1~22.04.1
8.0.114-8.0.14-0ubuntu1~22.04.1
8.0.115-8.0.15-0ubuntu1~22.04.1
8.0.116-8.0.16-0ubuntu1~22.04.1
8.0.117-8.0.17-0ubuntu1~22.04.1
8.0.118-8.0.18-0ubuntu1~22.04.1
8.0.119-8.0.19-0ubuntu1~22.04.1
8.0.120-8.0.20-0ubuntu1~22.04.1
8.0.121-8.0.21-0ubuntu1~22.04.1
8.0.122-8.0.22-0ubuntu1~22.04.1
8.0.123-8.0.23-0ubuntu1~22.04.1
Ecosystem specific
{
"availability": "No subscription required",
"binaries": [
{
"binary_name": "aspnetcore-runtime-8.0",
"binary_version": "8.0.24-0ubuntu1~22.04.1"
},
{
"binary_name": "aspnetcore-runtime-dbg-8.0",
"binary_version": "8.0.24-0ubuntu1~22.04.1"
},
{
"binary_name": "aspnetcore-targeting-pack-8.0",
"binary_version": "8.0.24-0ubuntu1~22.04.1"
},
{
"binary_name": "dotnet-apphost-pack-8.0",
"binary_version": "8.0.24-0ubuntu1~22.04.1"
},
{
"binary_name": "dotnet-host-8.0",
"binary_version": "8.0.24-0ubuntu1~22.04.1"
},
{
"binary_name": "dotnet-hostfxr-8.0",
"binary_version": "8.0.24-0ubuntu1~22.04.1"
},
{
"binary_name": "dotnet-runtime-8.0",
"binary_version": "8.0.24-0ubuntu1~22.04.1"
},
{
"binary_name": "dotnet-runtime-dbg-8.0",
"binary_version": "8.0.24-0ubuntu1~22.04.1"
},
{
"binary_name": "dotnet-sdk-8.0",
"binary_version": "8.0.124-0ubuntu1~22.04.1"
},
{
"binary_name": "dotnet-sdk-8.0-source-built-artifacts",
"binary_version": "8.0.124-0ubuntu1~22.04.1"
},
{
"binary_name": "dotnet-sdk-dbg-8.0",
"binary_version": "8.0.124-0ubuntu1~22.04.1"
},
{
"binary_name": "dotnet-targeting-pack-8.0",
"binary_version": "8.0.24-0ubuntu1~22.04.1"
},
{
"binary_name": "dotnet-templates-8.0",
"binary_version": "8.0.124-0ubuntu1~22.04.1"
},
{
"binary_name": "dotnet8",
"binary_version": "8.0.124-8.0.24-0ubuntu1~22.04.1"
},
{
"binary_name": "netstandard-targeting-pack-2.1-8.0",
"binary_version": "8.0.124-0ubuntu1~22.04.1"
}
]
}
Database specific
cves_map
{
"cves": [
{
"id": "CVE-2026-21218",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
{
"type": "Ubuntu",
"score": "medium"
}
]
}
],
"ecosystem": "Ubuntu:22.04:LTS"
}
source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8025-1.json"
Ubuntu:25.10 / dotnet10
Package
- Name
- dotnet10
- Purl
- pkg:deb/ubuntu/dotnet10@10.0.103-10.0.3-0ubuntu1~25.10.1?arch=source&distro=questing
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed10.0.103-10.0.3-0ubuntu1~25.10.1
Affected versions
10.*
10.0.100-10.0.0~rc1-0ubuntu1
10.0.100-10.0.0~rc2-0ubuntu1~25.10.2
10.0.100-10.0.0-0ubuntu1~25.10.1
10.0.101-10.0.1-0ubuntu1~25.10.2
Ecosystem specific
{
"availability": "No subscription required",
"binaries": [
{
"binary_name": "aspnetcore-runtime-10.0",
"binary_version": "10.0.3-0ubuntu1~25.10.1"
},
{
"binary_name": "aspnetcore-runtime-dbg-10.0",
"binary_version": "10.0.3-0ubuntu1~25.10.1"
},
{
"binary_name": "aspnetcore-targeting-pack-10.0",
"binary_version": "10.0.3-0ubuntu1~25.10.1"
},
{
"binary_name": "dotnet-apphost-pack-10.0",
"binary_version": "10.0.3-0ubuntu1~25.10.1"
},
{
"binary_name": "dotnet-host-10.0",
"binary_version": "10.0.3-0ubuntu1~25.10.1"
},
{
"binary_name": "dotnet-hostfxr-10.0",
"binary_version": "10.0.3-0ubuntu1~25.10.1"
},
{
"binary_name": "dotnet-runtime-10.0",
"binary_version": "10.0.3-0ubuntu1~25.10.1"
},
{
"binary_name": "dotnet-runtime-dbg-10.0",
"binary_version": "10.0.3-0ubuntu1~25.10.1"
},
{
"binary_name": "dotnet-sdk-10.0",
"binary_version": "10.0.103-0ubuntu1~25.10.1"
},
{
"binary_name": "dotnet-sdk-10.0-source-built-artifacts",
"binary_version": "10.0.103-0ubuntu1~25.10.1"
},
{
"binary_name": "dotnet-sdk-aot-10.0",
"binary_version": "10.0.103-0ubuntu1~25.10.1"
},
{
"binary_name": "dotnet-sdk-dbg-10.0",
"binary_version": "10.0.103-0ubuntu1~25.10.1"
},
{
"binary_name": "dotnet-targeting-pack-10.0",
"binary_version": "10.0.3-0ubuntu1~25.10.1"
},
{
"binary_name": "dotnet-templates-10.0",
"binary_version": "10.0.103-0ubuntu1~25.10.1"
},
{
"binary_name": "dotnet10",
"binary_version": "10.0.103-10.0.3-0ubuntu1~25.10.1"
}
]
}
Database specific
cves_map
{
"cves": [
{
"id": "CVE-2026-21218",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
{
"type": "Ubuntu",
"score": "medium"
}
]
}
],
"ecosystem": "Ubuntu:25.10"
}
source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8025-1.json"
Ubuntu:25.10 / dotnet8
Package
- Name
- dotnet8
- Purl
- pkg:deb/ubuntu/dotnet8@8.0.124-8.0.24-0ubuntu1~25.10.1?arch=source&distro=questing
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed8.0.124-8.0.24-0ubuntu1~25.10.1
Affected versions
8.*
8.0.115-8.0.15-0ubuntu1
8.0.116-8.0.16-0ubuntu1
8.0.117-8.0.17-0ubuntu1
8.0.118-8.0.18-0ubuntu1
8.0.119-8.0.19-0ubuntu1
8.0.120-8.0.20-0ubuntu1
8.0.121-8.0.21-0ubuntu1~25.10.1
8.0.122-8.0.22-0ubuntu1~25.10.1
8.0.123-8.0.23-0ubuntu1~25.10.1
Ecosystem specific
{
"availability": "No subscription required",
"binaries": [
{
"binary_name": "aspnetcore-runtime-8.0",
"binary_version": "8.0.24-0ubuntu1~25.10.1"
},
{
"binary_name": "aspnetcore-runtime-dbg-8.0",
"binary_version": "8.0.24-0ubuntu1~25.10.1"
},
{
"binary_name": "aspnetcore-targeting-pack-8.0",
"binary_version": "8.0.24-0ubuntu1~25.10.1"
},
{
"binary_name": "dotnet-apphost-pack-8.0",
"binary_version": "8.0.24-0ubuntu1~25.10.1"
},
{
"binary_name": "dotnet-host-8.0",
"binary_version": "8.0.24-0ubuntu1~25.10.1"
},
{
"binary_name": "dotnet-hostfxr-8.0",
"binary_version": "8.0.24-0ubuntu1~25.10.1"
},
{
"binary_name": "dotnet-runtime-8.0",
"binary_version": "8.0.24-0ubuntu1~25.10.1"
},
{
"binary_name": "dotnet-runtime-dbg-8.0",
"binary_version": "8.0.24-0ubuntu1~25.10.1"
},
{
"binary_name": "dotnet-sdk-8.0",
"binary_version": "8.0.124-0ubuntu1~25.10.1"
},
{
"binary_name": "dotnet-sdk-8.0-source-built-artifacts",
"binary_version": "8.0.124-0ubuntu1~25.10.1"
},
{
"binary_name": "dotnet-sdk-dbg-8.0",
"binary_version": "8.0.124-0ubuntu1~25.10.1"
},
{
"binary_name": "dotnet-targeting-pack-8.0",
"binary_version": "8.0.24-0ubuntu1~25.10.1"
},
{
"binary_name": "dotnet-templates-8.0",
"binary_version": "8.0.124-0ubuntu1~25.10.1"
},
{
"binary_name": "dotnet8",
"binary_version": "8.0.124-8.0.24-0ubuntu1~25.10.1"
},
{
"binary_name": "netstandard-targeting-pack-2.1-8.0",
"binary_version": "8.0.124-0ubuntu1~25.10.1"
}
]
}
Database specific
cves_map
{
"cves": [
{
"id": "CVE-2026-21218",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
{
"type": "Ubuntu",
"score": "medium"
}
]
}
],
"ecosystem": "Ubuntu:25.10"
}
source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8025-1.json"
Ubuntu:25.10 / dotnet9
Package
- Name
- dotnet9
- Purl
- pkg:deb/ubuntu/dotnet9@9.0.114-9.0.13-0ubuntu1~25.10.1?arch=source&distro=questing
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed9.0.114-9.0.13-0ubuntu1~25.10.1
Affected versions
9.*
9.0.105-9.0.4-0ubuntu1
9.0.106-9.0.5-0ubuntu1
9.0.107-9.0.6-0ubuntu1
9.0.108-9.0.7-0ubuntu1
9.0.109-9.0.8-0ubuntu1
9.0.110-9.0.9-0ubuntu1
9.0.111-9.0.10-0ubuntu1~25.10.1
9.0.112-9.0.11-0ubuntu1~25.10.1
9.0.113-9.0.12-0ubuntu1~25.10.1
Ecosystem specific
{
"availability": "No subscription required",
"binaries": [
{
"binary_name": "aspnetcore-runtime-9.0",
"binary_version": "9.0.13-0ubuntu1~25.10.1"
},
{
"binary_name": "aspnetcore-runtime-dbg-9.0",
"binary_version": "9.0.13-0ubuntu1~25.10.1"
},
{
"binary_name": "aspnetcore-targeting-pack-9.0",
"binary_version": "9.0.13-0ubuntu1~25.10.1"
},
{
"binary_name": "dotnet-apphost-pack-9.0",
"binary_version": "9.0.13-0ubuntu1~25.10.1"
},
{
"binary_name": "dotnet-host-9.0",
"binary_version": "9.0.13-0ubuntu1~25.10.1"
},
{
"binary_name": "dotnet-hostfxr-9.0",
"binary_version": "9.0.13-0ubuntu1~25.10.1"
},
{
"binary_name": "dotnet-runtime-9.0",
"binary_version": "9.0.13-0ubuntu1~25.10.1"
},
{
"binary_name": "dotnet-runtime-dbg-9.0",
"binary_version": "9.0.13-0ubuntu1~25.10.1"
},
{
"binary_name": "dotnet-sdk-9.0",
"binary_version": "9.0.114-0ubuntu1~25.10.1"
},
{
"binary_name": "dotnet-sdk-9.0-source-built-artifacts",
"binary_version": "9.0.114-0ubuntu1~25.10.1"
},
{
"binary_name": "dotnet-sdk-aot-9.0",
"binary_version": "9.0.114-0ubuntu1~25.10.1"
},
{
"binary_name": "dotnet-sdk-dbg-9.0",
"binary_version": "9.0.114-0ubuntu1~25.10.1"
},
{
"binary_name": "dotnet-targeting-pack-9.0",
"binary_version": "9.0.13-0ubuntu1~25.10.1"
},
{
"binary_name": "dotnet-templates-9.0",
"binary_version": "9.0.114-0ubuntu1~25.10.1"
},
{
"binary_name": "dotnet9",
"binary_version": "9.0.114-9.0.13-0ubuntu1~25.10.1"
},
{
"binary_name": "netstandard-targeting-pack-2.1-9.0",
"binary_version": "9.0.114-0ubuntu1~25.10.1"
}
]
}
Database specific
cves_map
{
"cves": [
{
"id": "CVE-2026-21218",
"severity": [
{
"type": "CVSS_V3",
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
},
{
"type": "Ubuntu",
"score": "medium"
}
]
}
],
"ecosystem": "Ubuntu:25.10"
}
source
"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8025-1.json"