An infinite loop vulnerability (CVE-2026-42899, CVSS 7.5 HIGH) in .NET allows an attacker to cause a denial of service. Affected versions include .NET 8.0.0 through 8.0.26, 9.0.0 through 9.0.15, and 10.0.0 through 10.0.7. The flaw is fixed in versions 8.0.27, 9.0.16, and 10.0.8.
Red Hat Product Errata RHSA-2026:21297 - Security Advisory Issued: 2026-05-27 Updated: 2026-05-27 RHSA-2026:21297 - Security Advisory Overview Updated Packages Synopsis Important: .NET 10.0 security update Type/Severity Security Advisory: Important Red Hat Lightspeed patch analysis Identify and remediate systems affected by this advisory. View affected systems Topic An update for .NET 10.0 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Description .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation. New versions of .NET that address a security vulnerability are now available. The updated versions are .NET SDK 10.0.108 and .NET Runtime 10.0.8.Security Fix(es): dotnet: .NET: infinite loop allows an attacker to cause a denial of service (CVE-2026-42899) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. Solution For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 Affected Products Red Hat Enterprise Linux for x86_64 9 x86_64 Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.8 x86_64 Red Hat Enterprise Linux for IBM z Systems 9 s390x Red Hat Enterprise Linux for IBM z Systems - Extended Update Support 9.8 s390x Red Hat Enterprise Linux for Power, little endian 9 ppc64le Red Hat Enterprise Linux for Power, little endian - Extended Update Support 9.8 ppc64le Red Hat Enterprise Linux for ARM 64 9 aarch64 Red Hat Enterprise Linux for ARM 64 - Extended Update Support 9.8 aarch64 Red Hat Enterprise Linux Server for Power LE - Update Services for SAP Solutions 9.8 ppc64le Red Hat Enterprise Linux for x86_64 - Update Services for SAP Solutions 9.8 x86_64 Red Hat CodeReady Linux Builder for x86_64 9 x86_64 Red Hat CodeReady Linux Builder for Power, little endian 9 ppc64le Red Hat CodeReady Linux Builder for ARM 64 9 aarch64 Red Hat CodeReady Linux Builder for IBM z Systems 9 s390x Red Hat CodeReady Linux Builder for x86_64 - Extended Update Support 9.8 x86_64 Red Hat CodeReady Linux Builder for Power, little endian - Extended Update Support 9.8 ppc64le Red Hat CodeReady Linux Builder for IBM z Systems - Extended Update Support 9.8 s390x Red Hat CodeReady Linux Builder for ARM 64 - Extended Update Support 9.8 aarch64 Red Hat Enterprise Linux for ARM 64 - 4 years of updates 9.8 aarch64 Red Hat Enterprise Linux for IBM z Systems - 4 years of updates 9.8 s390x Red Hat Enterprise Linux for x86_64 - Extended Life Cycle 9.8 x86_64 Red Hat Enterprise Linux for ARM 64 - Extended Life Cycle 9.8 aarch64 Red Hat Enterprise Linux for Power, little endian - Extended Life Cycle 9.8 ppc64le Red Hat Enterprise Linux for IBM z Systems - Extended Life Cycle 9.8 s390x Fixes BZ - 2476605 - CVE-2026-42899 dotnet: .NET: infinite loop allows an attacker to cause a denial of service CVEs CVE-2026-42899 References https://access.redhat.com/security/updates/classification/#important Note: More recent versions of these packages may be available. Click a package name for more details. Red Hat Enterprise Linux for x86_64 9 SRPM dotnet10.0-10.0.108-1.el9_8.src.rpm SHA-256: 966ed2a5ca9e35209314dc5dc479c42cebb8a01639e299d12da1507acec4a4aa x86_64 aspnetcore-runtime-10.0-10.0.8-1.el9_8.x86_64.rpm SHA-256: 99a2a801f00a54cbe9df7536d2cd1044e1bb3ec870f53e81e981f80938dc9fe5 aspnetcore-runtime-dbg-10.0-10.0.8-1.el9_8.x86_64.rpm SHA-256: 7eee3e652d417b5486b71fefe06cfde8d59151c5bde48545dc162ae6f195879e aspnetcore-targeting-pack-10.0-10.0.8-1.el9_8.x86_64.rpm SHA-256: 0db4d29a495f28fbb6f0a0a3f856748cf5de55068c7f458612d2e15d62dde5a7 dotnet-apphost-pack-10.0-10.0.8-1.el9_8.x86_64.rpm SHA-256: f3399c5149583161950b4e3b8c87359f62a7346891d3e2ace386c175ed5ccbea dotnet-apphost-pack-10.0-debuginfo-10.0.8-1.el9_8.x86_64.rpm SHA-256: b5ff634547f4905e946f400c1cab9eca14d8a86360fab7775e909b7feaac656e dotnet-host-10.0.8-1.el9_8.x86_64.rpm SHA-256: 41526d5c64e5561bcae847b942bc274a05baed0559443784e8cd163f2b0b3406 dotnet-host-debuginfo-10.0.8-1.el9_8.x86_64.rpm SHA-256: 734345a42aa0dd491ab300bbd89a8c3256d67cf9d25577fb919726b9598af3e0 dotnet-hostfxr-10.0-10.0.8-1.el9_8.x86_64.rpm SHA-256: 5611069354005cf2bff3b226165c5a4a45004a650ac3bf43b70ca01e7c22aafa dotnet-hostfxr-10.0-debuginfo-10.0.8-1.el9_8.x86_64.rpm SHA-256: 834a17936c9b0079c9ae8d6308c262fdeef1b9ad36a95c6359ee9592cb3148bd dotnet-runtime-10.0-10.0.8-1.el9_8.x86_64.rpm SHA-256: 48c758f6a72230239339604262c487ce469b80e81822f69944653bacabf5d495 dotnet-runtime-10.0-debuginfo-10.0.8-1.el9_8.x86_64.rpm SHA-256: f5ef74a5d90a0469eca5fa8ec7e8d98147eac5d6066cb3ce14384f7c6e71759f dotnet-runtime-dbg-10.0-10.0.8-1.el9_8.x86_64.rpm SHA-256: 70c8ec270657296e0451fe9fe6c98a264bd7d1c0c14151773419dc9dd872fcff dotnet-sdk-10.0-10.0.108-1.el9_8.x86_64.rpm SHA-256: 0db5b413b7322cebef53b6d1617e143d709cb5c6a46c1722f9e98c55e0f8a187 dotnet-sdk-10.0-debuginfo-10.0.108-1.el9_8.x86_64.rpm SHA-256: 20cc2ab8ef69151e99afec0239c3b27c995bd612e51e4ea807d33b4ef24d4b15 dotnet-sdk-aot-10.0-10.0.108-1.el9_8.x86_64.rpm SHA-256: c4c6e244cc85d0d9049af1d925a166139a1c482a328ec540299987757011bddb dotnet-sdk-aot-10.0-debuginfo-10.0.108-1.el9_8.x86_64.rpm SHA-256: caa9fe7e61f0cfd308aecc6f6e7e0df72e875952b7a210c673d8ddf20ad3a9f3 dotnet-sdk-dbg-10.0-10.0.108-1.el9_8.x86_64.rpm SHA-256: b99d45398d6dfd1616006706739d6a66bb3ceb32fb10aaa620e33b2c765c9807 dotnet-targeting-pack-10.0-10.0.8-1.el9_8.x86_64.rpm SHA-256: 6270fd161605c4525a79d1b8550eaa00ace532b11971f45d0e28573fd6617e20 dotnet-templates-10.0-10.0.108-1.el9_8.x86_64.rpm SHA-256: 6779f79e7f3dfb2f0ddcfb3427e19ad2790f4c12e39e206e0a42533eabe399d7 dotnet10.0-debuginfo-10.0.108-1.el9_8.x86_64.rpm SHA-256: ca22578ec0ee25b2a7c79a26b5ba4bcbc46136ff62d6bc7bdcba8a77e64bdf2e dotnet10.0-debugsource-10.0.108-1.el9_8.x86_64.rpm SHA-256: ab16ef3f24298b0e4786049b35c96d8d4e5b00ab82dd67e9f3824fde6e9e7c43 Red Hat Enterprise Linux for x86_64 - Extended Update Support 9.8 SRPM dotnet10.0-10.0.108-1.el9_8.src.rpm SHA-256: 966ed2a5ca9e35209314dc5dc479c42cebb8a01639e299d12da1507acec4a4aa x86_64 aspnetcore-runtime-10.0-10.0.8-1.el9_8.x86_64.rpm SHA-256: 99a2a801f00a54cbe9df7536d2cd1044e1bb3ec870f53e81e981f80938dc9fe5 aspnetcore-runtime-dbg-10.0-10.0.8-1.el9_8.x86_64.rpm SHA-256: 7eee3e652d417b5486b71fefe06cfde8d59151c5bde48545dc162ae6f195879e aspnetcore-targeting-pack-10.0-10.0.8-1.el9_8.x86_64.rpm SHA-256: 0db4d29a495f28fbb6f0a0a3f856748cf5de55068c7f458612d2e15d62dde5a7 dotnet-apphost-pack-10.0-10.0.8-1.el9_8.x86_64.rpm SHA-256: f3399c5149583161950b4e3b8c87359f62a7346891d3e2ace386c175ed5ccbea dotnet-apphost-pack-10.0-debuginfo-10.0.8-1.el9_8.x86_64.rpm SHA-256: b5ff634547f4905e946f400c1cab9eca14d8a86360fab7775e909b7feaac656e dotnet-host-10.0.8-1.el9_8.x86_64.rpm SHA-256: 41526d5c64e5561bcae847b942bc274a05baed0559443784e8cd163f2b0b3406 dotnet-host-debuginfo-10.0.8-1.el9_8.x86_64.rpm SHA-256: 734345a42aa0dd491ab300bbd89a8c3256d67cf9d25577fb919726b9598af3e0 dotnet-hostfxr-10.0-10.0.8-1.el9_8.x86_64.rpm SHA-256: 5611069354005cf2bff3b226165c5a4a45004a650ac3bf43b70ca01e7c22aafa dotnet-hostfxr-10.0-debuginfo-10.0.8-1.el9_8.x86_64.rpm SHA-256: 834a17936c9b0079c9ae8d6308c262fdeef1b9ad36a95c6359ee9592cb3148bd dotnet-runtime-10.0-10.0.8-1.el9_8.x86_64.rpm SHA-256: 48c758f6a72230239339604262c487ce469b80e81822f69944653bacabf5d495 dotnet-runtime-10.0-debuginfo-10.0.8-1.el9_8.x86_64.rpm SHA-256: f5ef74a5d90a0469eca5fa8ec7e8d98147eac5d6066cb3ce14384f7c6e71759f dotnet-runtime-dbg-10.0-10.0.8-1.el9_8.x86_64.rpm SHA-256: 70c8ec270657296e0451fe9fe6c98a264bd7d1c0c14151773419dc9dd872fcff dotnet-sdk-10.0-10.0.108-1.el9_8.x86_64.rpm SHA-256: 0db5b413b7322cebef53b6d1617e143d709cb5c6a46c1722f9e98c55e0f8a187 dotnet-sdk-10.0-debuginfo-10.0.108-1.el9_8.x86_64.rpm SHA-256: 20cc2ab8ef69151e99afec0239c3b27c995bd612e51e4ea807d33b4ef24d4b15 dotnet-sdk-aot-10.0-10.0.108-1.el9_8.x86_64.rpm SHA-256: c4c6e244cc85d0d9049af1d925a166139a1c482a328ec540299987757011bddb dotnet-sdk-aot-10.0-debuginfo-10.0.108-1.el9_8.x86_64.rpm SHA-256: caa9fe7e61f0cfd308aecc6f6e7e0df72e875952b7a210c673d8ddf20ad3a9f3 dotnet-sdk-dbg-10.0-10.0.108-1.el9_8.x86_64.rpm SHA-256: b99d45398d6dfd1616006706739d6a66bb3ceb32fb10aaa620e33b2c765c9807 dotnet-targeting-pack-10.0-10.0.8-1.el9_8.x86_64.rpm SHA-256: 6270fd161605c4525a79d1b8550eaa00ace532b11971f45d0e28573fd6617e20 dotnet-templates-10.0-10.0.108-1.el9_8.x86_64.rpm SHA-256: 6779f79e7f3dfb2f0ddcfb3427e19ad2790f4c12e39e206e0a42533eabe399d7 dotnet10.0-debuginfo-10.0.108-1.el9_8.x86_64.rpm SHA-256: ca22578ec0ee25b2a7c79a26b5ba4bcbc46136ff62d6bc7bdcba8a77e64bdf2e dotnet10.0-debugsource-10.0.108-1.el9_8.x86_64.rpm SHA-256: ab16ef3f24298b0e4786049b35c96d8d4e5b00ab82dd67e9f3824fde6e9e7c43 Red Hat Enterprise Linux for IBM z Systems 9 SRPM dotnet10.0-10.0.108-1.el9_8.src.rpm SHA-256: 966ed2a5ca9e35209314dc5dc479c42cebb8a01639e299d12da1507acec4a4aa s390x aspnetcore-runtime-10.0-10.0.8-1.el9_8.s390x.rpm SHA-256: 2c48bfb4fa6be81da1fcba8500679c1728114d2d10401a66973d37bce12ec426 aspnetcore-runtime-dbg-10.0-10.0.8-1.el9_8.s390x.rpm SHA-256: 8287dfbe50447e29e9e8eb0a868b9b3d856cd94c8811ffad5323932763cd0544 aspnetcore-targeting-pack-10.0-10.0.8-1.el9_8.s390x.rpm SHA-256: dd0c671d53062a63a5161258dd6417c40e278364244665e7be5f52dc1e4fc62f dotnet-apphost-pack-10.0-10.0.8-1.el9_8.s390x.rpm SHA-256: 67ed45473194dd92de53ecde849248a805f5df52fd871e836aea6a5ccfd86792 dotnet-apphost-pack-10.0-debuginfo-10.0.8-1.el9_8.s390x.rpm SHA-256: 7607fffaa06d3cce5781fe4b25f82306483ea79aa16c39c3ea7edb8104e530e8 dotnet-host-10.0.8-1.el9_8.s390x.rpm SHA-256: 44b227f974b2a59e2ef50d62e5019f466263f476213c9b3e