RHSA-2026:21296 - Security Advisory
Issued: 2026-05-27
Updated: 2026-05-27

Synopsis
Important: .NET 9.0 security update

Type/Severity
Security Advisory: Important

Topic
An update for .NET 9.0 is now available for Red Hat Enterprise Linux 9.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description
.NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation.

New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 9.0.117 and .NET Runtime 9.0.16.

Security Fix(es):
dotnet: .NET: infinite loop allows an attacker to cause a denial of service (CVE-2026-42899)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution
For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

Affected Products
Red Hat Enterprise Linux for x86_64 9 x86_64
Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.8 x86_64
Red Hat Enterprise Linux for IBM z Systems 9 s390x
Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.8 s390x
Red Hat Enterprise Linux for Power, little endian 9 ppc64le
Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.8 ppc64le
Red Hat Enterprise Linux for ARM 64 9 aarch64
Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.8 aarch64
Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.8 ppc64le
Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.8 x86_64
Red Hat CodeReady Linux Builder for x86_64 9 x86_64
Red Hat CodeReady Linux Builder for Power, little endian 9 ppc64le
Red Hat CodeReady Linux Builder for ARM 64 9 aarch64
Red Hat CodeReady Linux Builder for IBM z Systems 9 s390x
Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 9.8 x86_64
Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 9.8 ppc64le
Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 9.8 s390x
Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 9.8 aarch64
Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.8 aarch64
Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.8 s390x
Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 9.8 x86_64
Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 9.8 aarch64
Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 9.8 ppc64le
Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 9.8 s390x

Fixes
BZ - 2476605 - CVE-2026-42899 dotnet: .NET: infinite loop allows an attacker to cause a denial of service

CVEs
CVE-2026-42899

References
https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available.

A vulnerability (CVE-2026-42899) in .NET allows an attacker to cause a denial of service via an infinite loop. The CVSS 3.1 base score is 7.5 (High). Affected versions include .NET 9.0.0 through 9.0.15, and the fix requires upgrading to .NET Runtime 9.0.16 and .NET SDK 9.0.117.