CVE-2025-26682

Publication date 8 April 2025

Last updated 9 April 2025

Ubuntu priority

Cvss 3 Severity Score

Allocation of resources without limits or throttling in ASP.NET Core allows an unauthorized attacker to deny service over a network.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
dotnet6	24.10 oracular	Not in release
	24.04 LTS noble	Not in release
	22.04 LTS jammy	Vulnerable, fix deferred
	20.04 LTS focal	Not in release
	18.04 LTS bionic	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release
dotnet7	24.10 oracular	Not in release
	24.04 LTS noble	Not in release
	22.04 LTS jammy	Ignored see notes
	20.04 LTS focal	Not in release
	18.04 LTS bionic	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release
dotnet8	24.10 oracular	Fixed 8.0.115-8.0.15-0ubuntu1~24.10.1
	24.04 LTS noble	Fixed 8.0.115-8.0.15-0ubuntu1~24.04.1
	22.04 LTS jammy	Fixed 8.0.115-8.0.15-0ubuntu1~22.04.1
	20.04 LTS focal	Not in release
	18.04 LTS bionic	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release
dotnet9	24.10 oracular	Fixed 9.0.105-9.0.4-0ubuntu1~24.10.1
	24.04 LTS noble	Not in release
	22.04 LTS jammy	Not in release
	20.04 LTS focal	Not in release
	18.04 LTS bionic	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release

Notes

iconstantin

.NET 7 was an interim release and is end of life upstream, it will not be receiving security updates. Marking .NET 6 as deferred until information is available to determine if it is impacted.

Severity score breakdown

Parameter	Value
Base score	7.5 · High
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	None
Integrity impact	None
Availability impact	High
Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H