Bug 2365317 (CVE-2025-26646)

Summary: CVE-2025-26646 dotnet: .NET and Visual Studio Spoofing Vulnerability
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: security-response-team
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in .NET and Visual Studio. This vulnerability allows an attacker to use specially crafted input to spoof trusted content or identities, potentially misleading users or systems. This issue requires user interaction and limited privileges but can lead to unauthorized actions or escalation due to incorrect identity or content validation handling.

Description OSIDB Bzimport 2025-05-09 12:03:16 UTC
This vulnerability allows an authenticated attacker with limited privileges to spoof or impersonate content or identities within affected .NET and Visual Studio applications, potentially leading to privilege escalation or misinformation.

Affected versions:
.NET 8.0
.NET 9.0

Comment 1 Sandipan Roy 2025-05-14 03:06:02 UTC
CVE is now Public via https://github.com/dotnet/announcements/issues/356

Comment 2 errata-xmlrpc 2025-05-14 09:12:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:7571 https://access.redhat.com/errata/RHSA-2025:7571

Comment 3 errata-xmlrpc 2025-05-14 11:40:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:7589 https://access.redhat.com/errata/RHSA-2025:7589

Comment 4 errata-xmlrpc 2025-05-14 13:59:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:7599 https://access.redhat.com/errata/RHSA-2025:7599

Comment 5 errata-xmlrpc 2025-05-14 14:02:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:7601 https://access.redhat.com/errata/RHSA-2025:7601

Comment 6 errata-xmlrpc 2025-05-14 14:17:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:7598 https://access.redhat.com/errata/RHSA-2025:7598

Comment 7 errata-xmlrpc 2025-05-14 14:39:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:7603 https://access.redhat.com/errata/RHSA-2025:7603

Comment 8 errata-xmlrpc 2025-05-14 14:45:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:7600 https://access.redhat.com/errata/RHSA-2025:7600