USN-8025-2

Kevin Jones discovered that the System.Security.Cryptography.Cose component in .NET did not properly handle certain missing special elements in input data. An attacker could possibly use this issue to bypass security checks and gain unauthorized access or perform data manipulation.

References

Affected packages

Ubuntu:24.04:LTS / dotnet10

Package

Name: dotnet10
Purl: pkg:deb/ubuntu/dotnet10@10.0.103-10.0.3-0ubuntu1~24.04.1?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

10.0.103-10.0.3-0ubuntu1~24.04.1

Affected versions

10.*

10.0.100-10.0.0-0ubuntu1~24.04.1

10.0.101-10.0.1-0ubuntu1~24.04.2

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_version": "10.0.3-0ubuntu1~24.04.1",
            "binary_name": "aspnetcore-runtime-10.0"
        },
        {
            "binary_version": "10.0.3-0ubuntu1~24.04.1",
            "binary_name": "aspnetcore-runtime-dbg-10.0"
        },
        {
            "binary_version": "10.0.3-0ubuntu1~24.04.1",
            "binary_name": "aspnetcore-targeting-pack-10.0"
        },
        {
            "binary_version": "10.0.3-0ubuntu1~24.04.1",
            "binary_name": "dotnet-apphost-pack-10.0"
        },
        {
            "binary_version": "10.0.3-0ubuntu1~24.04.1",
            "binary_name": "dotnet-host-10.0"
        },
        {
            "binary_version": "10.0.3-0ubuntu1~24.04.1",
            "binary_name": "dotnet-hostfxr-10.0"
        },
        {
            "binary_version": "10.0.3-0ubuntu1~24.04.1",
            "binary_name": "dotnet-runtime-10.0"
        },
        {
            "binary_version": "10.0.3-0ubuntu1~24.04.1",
            "binary_name": "dotnet-runtime-dbg-10.0"
        },
        {
            "binary_version": "10.0.103-0ubuntu1~24.04.1",
            "binary_name": "dotnet-sdk-10.0"
        },
        {
            "binary_version": "10.0.103-0ubuntu1~24.04.1",
            "binary_name": "dotnet-sdk-10.0-source-built-artifacts"
        },
        {
            "binary_version": "10.0.103-0ubuntu1~24.04.1",
            "binary_name": "dotnet-sdk-aot-10.0"
        },
        {
            "binary_version": "10.0.103-0ubuntu1~24.04.1",
            "binary_name": "dotnet-sdk-dbg-10.0"
        },
        {
            "binary_version": "10.0.3-0ubuntu1~24.04.1",
            "binary_name": "dotnet-targeting-pack-10.0"
        },
        {
            "binary_version": "10.0.103-0ubuntu1~24.04.1",
            "binary_name": "dotnet-templates-10.0"
        },
        {
            "binary_version": "10.0.103-10.0.3-0ubuntu1~24.04.1",
            "binary_name": "dotnet10"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8025-2.json"

cves_map

{
    "ecosystem": "Ubuntu:24.04:LTS",
    "cves": [
        {
            "id": "CVE-2026-21218",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "medium"
                }
            ]
        }
    ]
}

Ubuntu:24.04:LTS / dotnet8

Package

Name: dotnet8
Purl: pkg:deb/ubuntu/dotnet8@8.0.124-8.0.24-0ubuntu1~24.04.1?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

8.0.124-8.0.24-0ubuntu1~24.04.1

Affected versions

8.*

8.0.100-8.0.0~rc1-0ubuntu1

8.0.100-8.0.0~rc2-0ubuntu1

8.0.100-8.0.0~rc2-0ubuntu2

8.0.100-8.0.0-0ubuntu1

8.0.100-8.0.0-0ubuntu2

8.0.101-8.0.1-0ubuntu1

8.0.101-8.0.1-0ubuntu2

8.0.102-8.0.2-0ubuntu1

8.0.103-8.0.3-0ubuntu2

8.0.103-8.0.3-0ubuntu3

8.0.104-8.0.4-0ubuntu1

8.0.105-8.0.5-0ubuntu1~24.04.1

8.0.107-8.0.7-0ubuntu1~24.04.1

8.0.108-8.0.8-0ubuntu1~24.04.1

8.0.108-8.0.8-0ubuntu1~24.04.2

8.0.110-8.0.10-0ubuntu1~24.04.1

8.0.111-8.0.11-0ubuntu1~24.04.1

8.0.112-8.0.12-0ubuntu1~24.04.1

8.0.114-8.0.14-0ubuntu1~24.04.1

8.0.115-8.0.15-0ubuntu1~24.04.1

8.0.116-8.0.16-0ubuntu1~24.04.1

8.0.117-8.0.17-0ubuntu1~24.04.1

8.0.118-8.0.18-0ubuntu1~24.04.1

8.0.119-8.0.19-0ubuntu1~24.04.1

8.0.120-8.0.20-0ubuntu1~24.04.1

8.0.121-8.0.21-0ubuntu1~24.04.1

8.0.122-8.0.22-0ubuntu1~24.04.1

8.0.123-8.0.23-0ubuntu1~24.04.1

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_version": "8.0.24-0ubuntu1~24.04.1",
            "binary_name": "aspnetcore-runtime-8.0"
        },
        {
            "binary_version": "8.0.24-0ubuntu1~24.04.1",
            "binary_name": "aspnetcore-runtime-dbg-8.0"
        },
        {
            "binary_version": "8.0.24-0ubuntu1~24.04.1",
            "binary_name": "aspnetcore-targeting-pack-8.0"
        },
        {
            "binary_version": "8.0.24-0ubuntu1~24.04.1",
            "binary_name": "dotnet-apphost-pack-8.0"
        },
        {
            "binary_version": "8.0.24-0ubuntu1~24.04.1",
            "binary_name": "dotnet-host-8.0"
        },
        {
            "binary_version": "8.0.24-0ubuntu1~24.04.1",
            "binary_name": "dotnet-hostfxr-8.0"
        },
        {
            "binary_version": "8.0.24-0ubuntu1~24.04.1",
            "binary_name": "dotnet-runtime-8.0"
        },
        {
            "binary_version": "8.0.24-0ubuntu1~24.04.1",
            "binary_name": "dotnet-runtime-dbg-8.0"
        },
        {
            "binary_version": "8.0.124-0ubuntu1~24.04.1",
            "binary_name": "dotnet-sdk-8.0"
        },
        {
            "binary_version": "8.0.124-0ubuntu1~24.04.1",
            "binary_name": "dotnet-sdk-8.0-source-built-artifacts"
        },
        {
            "binary_version": "8.0.124-0ubuntu1~24.04.1",
            "binary_name": "dotnet-sdk-dbg-8.0"
        },
        {
            "binary_version": "8.0.24-0ubuntu1~24.04.1",
            "binary_name": "dotnet-targeting-pack-8.0"
        },
        {
            "binary_version": "8.0.124-0ubuntu1~24.04.1",
            "binary_name": "dotnet-templates-8.0"
        },
        {
            "binary_version": "8.0.124-8.0.24-0ubuntu1~24.04.1",
            "binary_name": "dotnet8"
        },
        {
            "binary_version": "8.0.124-0ubuntu1~24.04.1",
            "binary_name": "netstandard-targeting-pack-2.1-8.0"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-8025-2.json"

cves_map

{
    "ecosystem": "Ubuntu:24.04:LTS",
    "cves": [
        {
            "id": "CVE-2026-21218",
            "severity": [
                {
                    "type": "CVSS_V3",
                    "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
                },
                {
                    "type": "Ubuntu",
                    "score": "medium"
                }
            ]
        }
    ]
}