Red Hat Product Errata RHSA-2026:13280 - Security Advisory Issued: 2026-05-04 Updated: 2026-05-04 RHSA-2026:13280 - Security Advisory Overview Updated Packages Synopsis Important: .NET 9.0 security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for .NET 9.0 is now available for Red Hat Enterprise Linux 10.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 9.0.116 and .NET Runtime 9.0.15.Security Fix(es): dotnet: .NET: Security Bypass and Denial of Service Vulnerability (CVE-2026-26171) dotnet: .NET: Denial of Service via stack overflow (CVE-2026-32203) dotnet: .NET: Denial of Service via Infinite Recursion in XmlDecryptionTransform (CVE-2026-33116) dotnet: Dotnet: SMTP Command Injection and Header Injection via MailAddress parsing flaw (CVE-2026-32178) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0 x86_64 Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0 s390x Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0 ppc64le Red Hat Enterprise Linux for ARM 64 - Extended Update Support 10.0 aarch64 Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 10.0 x86_64 Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 10.0 ppc64le Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 10.0 s390x Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 10.0 aarch64 Red Hat Enterprise Linux for ARM 64 - 4 years of updates 10.0 aarch64 Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 10.0 s390x Red Hat Enterprise Linux for Power, little endian - 4 years of support 10.0 ppc64le Red Hat Enterprise Linux for x86_64 - 4 years of updates 10.0 x86_64 Fixes BZ - 2457739 - CVE-2026-26171 dotnet: .NET: Security Bypass and Denial of Service Vulnerability BZ - 2457740 - CVE-2026-32203 dotnet: .NET: Denial of Service via stack overflow BZ - 2457741 - CVE-2026-33116 dotnet: .NET: Denial of Service via Infinite Recursion in XmlDecryptionTransform BZ - 2457781 - CVE-2026-32178 dotnet: Dotnet: SMTP Command Injection and Header Injection via MailAddress parsing flaw CVEs CVE-2026-26171 CVE-2026-32178 CVE-2026-32203 CVE-2026-33116 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 - Extended Update Support 10.0 SRPM dotnet9.0-9.0.116-1.el10_0.src.rpm SHA-256: 2e7ef7926d23584d070437b9ff583d944067d3f31f0ca6bafa9e6abcfc327c87 x86_64 aspnetcore-runtime-9.0-9.0.15-1.el10_0.x86_64.rpm SHA-256: f0744dc3d73001379702805d6d1b1882c5cf0ac732e73d832cba9dfce388928c aspnetcore-runtime-dbg-9.0-9.0.15-1.el10_0.x86_64.rpm SHA-256: 4016fb3a0ae9c057a23ea534dacf762093268482699e155a6483f122ac931590 aspnetcore-targeting-pack-9.0-9.0.15-1.el10_0.x86_64.rpm SHA-256: b89f0628d99b86c4fdb91d6e3d30354c6344c673abb28db574ab2f4b3fcf3450 dotnet-apphost-pack-9.0-9.0.15-1.el10_0.x86_64.rpm SHA-256: 05ed8d9e5cda0070b864b8ccd1ff4b25097fb5c267076e1c26fd3a389ed8c5dd dotnet-apphost-pack-9.0-debuginfo-9.0.15-1.el10_0.x86_64.rpm SHA-256: 6a146a1a3190cc35e705b6f3d50e9a7d747c25cda3b2c09ae2782991d9c43a72 dotnet-host-9.0.15-1.el10_0.x86_64.rpm SHA-256: 57371fbe86f0a7e2897dcf46ead5b05f93591b91c173ed23efa1a22bab490b69 dotnet-host-debuginfo-9.0.15-1.el10_0.x86_64.rpm SHA-256: 2d88d8d04a4770f30f9fb4c671a6a937bf32606e0ba02253f18171541a302014 dotnet-hostfxr-9.0-9.0.15-1.el10_0.x86_64.rpm SHA-256: f0572c1380ec1eb50000fed6e8e4336f99a8b3bf077462fc9aac27f56af4027d dotnet-hostfxr-9.0-debuginfo-9.0.15-1.el10_0.x86_64.rpm SHA-256: 36598b5fdad5ad3d2b310c280072cc109ddb92aa495fa7fe5f60ab939517e1c4 dotnet-runtime-9.0-9.0.15-1.el10_0.x86_64.rpm SHA-256: 7e64009a4c368c7c787911995d60c9992c8cc5d8b3b961a72d92f44fd942c208 dotnet-runtime-9.0-debuginfo-9.0.15-1.el10_0.x86_64.rpm SHA-256: 694c6e643cde0fac1e836fd9c29577dcdb34973b162332adf364051d4a821221 dotnet-runtime-dbg-9.0-9.0.15-1.el10_0.x86_64.rpm SHA-256: 95ac997f4b4d6a1ef076c6ba04ff1ad6c8e614e74592d23a2ad8a1e922c5134e dotnet-sdk-9.0-9.0.116-1.el10_0.x86_64.rpm SHA-256: 554aabf237025e4895c79ce255afad950ca3e1bce7cd0252266ffffe61e0bbeb dotnet-sdk-9.0-debuginfo-9.0.116-1.el10_0.x86_64.rpm SHA-256: b2963f5dde4f45fe991694f2e8d7aabbd40f36de6eec235575ed4d4012696cc4 dotnet-sdk-aot-9.0-9.0.116-1.el10_0.x86_64.rpm SHA-256: 50985656a42224bc246dfc9e6eec16b978da2cd58537f1eccceaadd6a46e101a dotnet-sdk-aot-9.0-debuginfo-9.0.116-1.el10_0.x86_64.rpm SHA-256: 4a9d565be76d6b5d58615c79e42962b8b30d175e3eae906d7d595f2d415a6ce0 dotnet-sdk-dbg-9.0-9.0.116-1.el10_0.x86_64.rpm SHA-256: 8d78de764c817539834ddc9a6a509a3555099794599f6aab71dd637f91b56150 dotnet-targeting-pack-9.0-9.0.15-1.el10_0.x86_64.rpm SHA-256: 67b644feaca09debb0a8ffe86347515c01b3314b4e758b3f5568a9fab70e7967 dotnet-templates-9.0-9.0.116-1.el10_0.x86_64.rpm SHA-256: 1e62ae6299781c6050ee5a7861095200a0e0cde455db43fe1372cd295fd9603c dotnet9.0-debugsource-9.0.116-1.el10_0.x86_64.rpm SHA-256: 8c992b54dfb56bdcdeae7cbe0aef853f92630bb072aaa229346428e5b3b37cab netstandard-targeting-pack-2.1-9.0.116-1.el10_0.x86_64.rpm SHA-256: d0e9104d0e55c5411b14202bdf3ca1fada03cf74e0b91311d7779fcd1856b97e Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 10.0 SRPM dotnet9.0-9.0.116-1.el10_0.src.rpm SHA-256: 2e7ef7926d23584d070437b9ff583d944067d3f31f0ca6bafa9e6abcfc327c87 s390x aspnetcore-runtime-9.0-9.0.15-1.el10_0.s390x.rpm SHA-256: 3e0d914f4ff1a7df7491d35b6412c338a29f98adfe0a18ef87fd3c816b464118 aspnetcore-runtime-dbg-9.0-9.0.15-1.el10_0.s390x.rpm SHA-256: 26578459e08bf82ce4664042f8b472bbe4305abc5ac1d8d881abbbc830582ee2 aspnetcore-targeting-pack-9.0-9.0.15-1.el10_0.s390x.rpm SHA-256: ec10e088cb392457b425cdcd800bb45d5a00d2fba33cd06e091729f06f1ed771 dotnet-apphost-pack-9.0-9.0.15-1.el10_0.s390x.rpm SHA-256: c74cd688edfd1faabe8357d990f71fb0e9d9d9faaad597c746b873b59789bcd0 dotnet-apphost-pack-9.0-debuginfo-9.0.15-1.el10_0.s390x.rpm SHA-256: 60ab7a17bf81616eb793697297d98a8bba20a3354fdc446a8cdef7757dd761cd dotnet-host-9.0.15-1.el10_0.s390x.rpm SHA-256: 19949ce3f55c41278eea08a4a1e417ce45b46f656f52c9f9d3d18e893aa28a2e dotnet-host-debuginfo-9.0.15-1.el10_0.s390x.rpm SHA-256: 3e58ec4c4fb5c2fac5ed25cdbf261f9b2b4bef259181d9f2de0d434225a16a68 dotnet-hostfxr-9.0-9.0.15-1.el10_0.s390x.rpm SHA-256: 1b251253f931d48b44aa48e156c0d3afe7fdee5d4713082c01201851c07a6a58 dotnet-hostfxr-9.0-debuginfo-9.0.15-1.el10_0.s390x.rpm SHA-256: 322312348b088b5779e671fe3287221d9e639eff38182bd50bee248eeccabbec dotnet-runtime-9.0-9.0.15-1.el10_0.s390x.rpm SHA-256: 9fdddfc31c9642e366ed1e55a2632499d086cf079e2788046c6dbe7b42b98c94 dotnet-runtime-9.0-debuginfo-9.0.15-1.el10_0.s390x.rpm SHA-256: 29d09b27738f31c7adcdfa3c8b58b0be3548730fe641cd72c5cf8277f84dd6c5 dotnet-runtime-dbg-9.0-9.0.15-1.el10_0.s390x.rpm SHA-256: bc90e2e3e3ad67324be22ada71e6eaea962caf70c10539f287d6c830a0b5b2dd dotnet-sdk-9.0-9.0.116-1.el10_0.s390x.rpm SHA-256: a6f31e774e936d41f635b4c7068eb3fa67d08bde021aa6fa60c4e260d87a3d91 dotnet-sdk-9.0-debuginfo-9.0.116-1.el10_0.s390x.rpm SHA-256: 0dd335b8bbb64962ff6e24d6a3ea48ad565b46675d8fbbdb924dbcfb3e873b7c dotnet-sdk-dbg-9.0-9.0.116-1.el10_0.s390x.rpm SHA-256: c86e284e008770acd28919eb9709f98876249421a61ffbcea2a3095b29148c73 dotnet-targeting-pack-9.0-9.0.15-1.el10_0.s390x.rpm SHA-256: a529ced4dfc7896b88156b9ca3c1def5aab695655030622e88eff39ac35d2aff dotnet-templates-9.0-9.0.116-1.el10_0.s390x.rpm SHA-256: 2adea6e7d6b3e58cd9a4026a5f2fb2357d920b1cee1d884a46e94d85a81aef3e dotnet9.0-debugsource-9.0.116-1.el10_0.s390x.rpm SHA-256: de24c1c4aa95b2801a32e7a80f9196be6725050eb9a0537841f537f217860862 netstandard-targeting-pack-2.1-9.0.116-1.el10_0.s390x.rpm SHA-256: 0707e5c8148f25aa883304eb761ac9bee69c64acaa4735ea4d84612a343e9403 Red Hat Enterprise Linux for Power, little endian - Extended Update Support 10.0 SRPM dotnet9.0-9.0.116-1.el10_0.src.rpm SHA-256: 2e7ef7926d23584d070437b9ff583d944067d3f31f0ca6bafa9e6abcfc327c87 ppc64le aspnetcore-runtime-9.0-9.0.15-1.el10_0.ppc64le.rpm SHA-256: d08e9ca04c4c49454314e8024a9f79139f0afabc0aa6df83b34bbb27cb9ee2b4 aspnetcore-runtime-dbg-9.0-9.0.15-1.el10_0.ppc64le.rpm SHA-256: f190d49486b8bb058835f0ce91060b8e337ab0cfc2aa86a12e70e6cd6b4824d9 aspnetcore-targeting-pack-9.0-9.0.15-1.el10_0.ppc64le.rpm SHA-256: ac094b0090e302282f6e8a3ae4960b38ad241c6e590a3716253553cdae982cfb dotnet-apphost-pack-9.0-9.0.15-1.el10_0.ppc64le.rpm SHA-256: bc20fb63c4c89e72ed39686d7eafcbe8f46b01b9394a60911c0066f79d6f1455 dotnet-apphost-pack-9.0-debuginfo-9.0.15-1.el10_0.ppc64le.rpm SHA-256: 82338fdf716ad8ca36cb68eea93f2d040bd7fe370294e13576e89810557e356c dotnet-host-9.0.15-1.el10_0.ppc64le.rpm SHA-256: 731a46e485b4046f7060d1b7f373a84d5d4562f659c0f9246c7b292cdffb2158 dotnet-host-debuginfo-9.0.15-1.el10_0.ppc64le.rpm SHA-256: c64098b10930e558eeb4c8ef3dad403e6d54d6674944092cbb9201d97911794e dotnet-hostfxr-9.0-9.0.15-1.el10_0.ppc64le.rpm SHA-256: 004182fe81b07f27df8b6e4a710fd2d14976cb435778cc96c7ca6fe2a42ee3bf dotnet-hostfxr-9.0-debugin