Skip to content

[Feature]: Base image mcr.microsoft.com/azure-powershell:ubuntu-24.04 ships vulnerable .NET runtime (CVE-2026-42899) #29633

Open
Open
[Feature]: Base image mcr.microsoft.com/azure-powershell:ubuntu-24.04 ships vulnerable .NET runtime (CVE-2026-42899)#29633
Labels
Security-Issuecustomer-reportedfeature-requestThis issue requires a new behavior in the product in order be resolved.
@fkucukkaraict

Description

@fkucukkaraict
fkucukkaraict
opened on May 19, 2026

Description of the new feature

Summary

The mcr.microsoft.com/azure-powershell:ubuntu-24.04 base image bundles a .NET runtime version affected by CVE-2026-42899 (CVSS 7.5 HIGH). A new image with .NET ≥ 9.0.16 is needed to remediate the vulnerability.

CVE Details

Field Value
CVE ID CVE-2026-42899
Severity 7.5 HIGH (CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Weakness CWE-835 – Loop with Unreachable Exit Condition (Infinite Loop)
Description ASP.NET Core allows an unauthenticated remote attacker to deny service over a network
Affected versions .NET 9.x < 9.0.16
Fixed in .NET 9.0.16
Microsoft Advisory https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42899

Affected Image

Proposed implementation details (optional)

No response

Metadata

Metadata

Assignees

No one assigned

    Labels

    Security-Issuecustomer-reportedfeature-requestThis issue requires a new behavior in the product in order be resolved.

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions