CVE-2025-26646
Publication date 13 May 2025
Last updated 26 August 2025
Ubuntu priority
Description
External control of file name or path in .NET, Visual Studio, and Build Tools for Visual Studio allows an authorized attacker to perform spoofing over a network.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| dotnet6 | 25.10 questing | Not in release |
| 25.04 plucky | Not in release | |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy |
Vulnerable, fix deferred
|
|
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| dotnet7 | 25.10 questing | Not in release |
| 25.04 plucky | Not in release | |
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Ignored see notes | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| dotnet8 | 25.10 questing |
Fixed 8.0.116-8.0.16-0ubuntu1
|
| 25.04 plucky |
Fixed 8.0.116-8.0.16-0ubuntu1~25.04.1
|
|
| 24.04 LTS noble |
Fixed 8.0.116-8.0.16-0ubuntu1~24.04.1
|
|
| 22.04 LTS jammy |
Fixed 8.0.116-8.0.16-0ubuntu1~22.04.1
|
|
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release | |
| dotnet9 | 25.10 questing |
Fixed 9.0.106-9.0.5-0ubuntu1
|
| 25.04 plucky |
Fixed 9.0.106-9.0.5-0ubuntu1~25.04.1
|
|
| 24.04 LTS noble | Not in release | |
| 22.04 LTS jammy | Not in release | |
| 20.04 LTS focal | Not in release | |
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release |
Notes
iconstantin
.NET 7 is end of life upstream.
mdeslaur
Marking .NET 6 as deferred until information is available to determine if it is impacted.
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
8.0 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-7509-1
- .NET vulnerability
- 16 May 2025