.NET, Visual Studio, and Build Tools for Visual Studio Spoofing Vulnerability
Description
External control of file name or path in .NET, Visual Studio, and Build Tools for Visual Studio allows an authorized attacker to perform spoofing over a network.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2025-26646 is a spoofing vulnerability in .NET, Visual Studio, and Build Tools where external control of file names or paths via the DownloadFile build task allows an authorized attacker to perform network-based spoofing.
Vulnerability Overview
CVE-2025-26646 is a spoofing vulnerability in .NET SDK, Visual Studio, and Build Tools for Visual Studio, stemming from external control of file names or paths. The vulnerability resides in the Microsoft.Build.Tasks.Core package, specifically in the DownloadFile build task. An attacker who can influence the file name or path used by a build process can cause the system to operate on an unintended file, leading to spoofing attacks over a network [2][3].
Exploitation Conditions
An attacker must be an authorized user or have the ability to influence a build process that uses the DownloadFile task. Projects that do not use this task are not susceptible [2][4]. The vulnerability is triggered when an attacker can control the destination file path for a download, allowing them to redirect the output to a location that may be misinterpreted by the system or user, thereby spoofing legitimate content or behavior.
Impact
Successful exploitation enables an authorized attacker to perform spoofing, which could lead to a variety of attacks including credential theft, malicious file execution, or supply-chain compromise. NVD has not yet provided CVSS 4.0 metrics for the vulnerability, but the advisory highlights the serious nature of spoofing in development and build environments [1][2].
Mitigation and Patching
Microsoft has released patches for the affected software. Developers are advised to update to the latest .NET SDK versions (9.0.105+, 8.0.115+, etc.) and update the Microsoft.Build.Tasks.Core package to the patched versions listed in the advisory [2][3][4]. Visual Studio will prompt users to update to the patched SDKs. There is no workaround other than not using the vulnerable DownloadFile task.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| Microsoft.Build.Tasks.Core (NuGet) | >= 15.8.166, < 15.9.30 | 15.9.30 |
| Microsoft.Build.Tasks.Core (NuGet) | >= 16.0.461, < 16.11.6 | 16.11.6 |
| Microsoft.Build.Tasks.Core (NuGet) | >= 17.0.0, < 17.8.29 | 17.8.29 |
| Microsoft.Build.Tasks.Core (NuGet) | >= 17.9.5, < 17.10.29 | 17.10.29 |
| Microsoft.Build.Tasks.Core (NuGet) | >= 17.11.4, < 17.12.36 | 17.12.36 |
| Microsoft.Build.Tasks.Core (NuGet) | >= 17.12.6, < 17.13.26 | 17.13.26 |
| Microsoft.Build.Tasks.Core (NuGet) | >= 17.13.9, < 17.14.8 | 17.14.8 |
Affected products
osv-coords (75 versions)

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/aspnet-8-runtime | < 0 |
| pkg:apk/chainguard/aspnet-8-runtime-default | < 0 |
| pkg:apk/chainguard/aspnet-8-targeting-pack | < 0 |
| pkg:apk/chainguard/aspnet-9-runtime | < 0 |
| pkg:apk/chainguard/aspnet-9-runtime-default | < 0 |
| pkg:apk/chainguard/aspnet-9-targeting-pack | < 0 |
| pkg:apk/chainguard/dotnet-8 | < 0 |
| pkg:apk/chainguard/dotnet-8-runtime | < 0 |
| pkg:apk/chainguard/dotnet-8-runtime-default | < 0 |
| pkg:apk/chainguard/dotnet-8-sdk | < 0 |
| pkg:apk/chainguard/dotnet-8-sdk-default | < 0 |
| pkg:apk/chainguard/dotnet-8-targeting-pack | < 0 |
| pkg:apk/chainguard/dotnet-9 | < 0 |
| pkg:apk/chainguard/dotnet-9-aot | < 0 |
| pkg:apk/chainguard/dotnet-9-runtime | < 0 |
| pkg:apk/chainguard/dotnet-9-runtime-default | < 0 |
| pkg:apk/chainguard/dotnet-9-sdk | < 0 |
| pkg:apk/chainguard/dotnet-9-sdk-default | < 0 |
| pkg:apk/chainguard/dotnet-9-targeting-pack | < 0 |
| pkg:apk/chainguard/dotnet-bootstrap-8 | < 8.0.122-r0 |
| pkg:apk/chainguard/netstandard-8-targeting-pack | < 0 |
| pkg:apk/chainguard/netstandard-9-targeting-pack | < 0 |
| pkg:apk/wolfi/aspnet-8-runtime | < 0 |
| pkg:apk/wolfi/aspnet-8-runtime-default | < 0 |
| pkg:apk/wolfi/aspnet-8-targeting-pack | < 0 |
| pkg:apk/wolfi/aspnet-9-runtime | < 0 |
| pkg:apk/wolfi/aspnet-9-runtime-default | < 0 |
| pkg:apk/wolfi/aspnet-9-targeting-pack | < 0 |
| pkg:apk/wolfi/dotnet-8 | < 0 |
| pkg:apk/wolfi/dotnet-8-runtime | < 0 |
| pkg:apk/wolfi/dotnet-8-runtime-default | < 0 |
| pkg:apk/wolfi/dotnet-8-sdk | < 0 |
| pkg:apk/wolfi/dotnet-8-sdk-default | < 0 |
| pkg:apk/wolfi/dotnet-8-targeting-pack | < 0 |
| pkg:apk/wolfi/dotnet-9 | < 0 |
| pkg:apk/wolfi/dotnet-9-aot | < 0 |
| pkg:apk/wolfi/dotnet-9-runtime | < 0 |
| pkg:apk/wolfi/dotnet-9-runtime-default | < 0 |
| pkg:apk/wolfi/dotnet-9-sdk | < 0 |
| pkg:apk/wolfi/dotnet-9-sdk-default | < 0 |
| pkg:apk/wolfi/dotnet-9-targeting-pack | < 0 |
| pkg:apk/wolfi/dotnet-bootstrap-8 | < 8.0.122-r0 |
| pkg:apk/wolfi/netstandard-8-targeting-pack | < 0 |
| pkg:apk/wolfi/netstandard-9-targeting-pack | < 0 |
| pkg:bitnami/dotnet | >= 8.0.0, < 8.0.16 |
| pkg:bitnami/dotnet-sdk | >= 8.0.0, < 8.0.101 |
| pkg:nuget/microsoft.build.tasks.core | >= 15.8.166, < 15.9.30 |
| pkg:rpm/almalinux/aspnetcore-runtime-8.0 | < 8.0.16-1.el8_10 |
| pkg:rpm/almalinux/aspnetcore-runtime-9.0 | < 9.0.5-1.el8_10 |
| pkg:rpm/almalinux/aspnetcore-runtime-dbg-8.0 | < 8.0.16-1.el8_10 |
| pkg:rpm/almalinux/aspnetcore-runtime-dbg-9.0 | < 9.0.5-1.el8_10 |
| pkg:rpm/almalinux/aspnetcore-targeting-pack-8.0 | < 8.0.16-1.el8_10 |
| pkg:rpm/almalinux/aspnetcore-targeting-pack-9.0 | < 9.0.5-1.el8_10 |
| pkg:rpm/almalinux/dotnet | < 9.0.106-1.el8_10 |
| pkg:rpm/almalinux/dotnet-apphost-pack-8.0 | < 8.0.16-1.el8_10 |
| pkg:rpm/almalinux/dotnet-apphost-pack-9.0 | < 9.0.5-1.el8_10 |
| pkg:rpm/almalinux/dotnet-host | < 9.0.5-1.el8_10 |
| pkg:rpm/almalinux/dotnet-hostfxr-8.0 | < 8.0.16-1.el8_10 |
| pkg:rpm/almalinux/dotnet-hostfxr-9.0 | < 9.0.5-1.el8_10 |
| pkg:rpm/almalinux/dotnet-runtime-8.0 | < 8.0.16-1.el8_10 |
| pkg:rpm/almalinux/dotnet-runtime-9.0 | < 9.0.5-1.el8_10 |
| pkg:rpm/almalinux/dotnet-runtime-dbg-8.0 | < 8.0.16-1.el8_10 |
| pkg:rpm/almalinux/dotnet-runtime-dbg-9.0 | < 9.0.5-1.el8_10 |
| pkg:rpm/almalinux/dotnet-sdk-8.0 | < 8.0.116-1.el8_10 |
| pkg:rpm/almalinux/dotnet-sdk-8.0-source-built-artifacts | < 8.0.116-1.el8_10 |
| pkg:rpm/almalinux/dotnet-sdk-9.0 | < 9.0.106-1.el8_10 |
| pkg:rpm/almalinux/dotnet-sdk-9.0-source-built-artifacts | < 9.0.106-1.el8_10 |
| pkg:rpm/almalinux/dotnet-sdk-aot-9.0 | < 9.0.106-1.el8_10 |
| pkg:rpm/almalinux/dotnet-sdk-dbg-8.0 | < 8.0.116-1.el8_10 |
| pkg:rpm/almalinux/dotnet-sdk-dbg-9.0 | < 9.0.106-1.el8_10 |
| pkg:rpm/almalinux/dotnet-targeting-pack-8.0 | < 8.0.16-1.el8_10 |
| pkg:rpm/almalinux/dotnet-targeting-pack-9.0 | < 9.0.5-1.el8_10 |
| pkg:rpm/almalinux/dotnet-templates-8.0 | < 8.0.116-1.el8_10 |
| pkg:rpm/almalinux/dotnet-templates-9.0 | < 9.0.106-1.el8_10 |
| pkg:rpm/almalinux/netstandard-targeting-pack-2.1 | < 9.0.106-1.el8_10 |
- Microsoft/Build Tools for Visual Studio 2022 (v5), range: 17.0
- Microsoft/Microsoft Visual Studio 2022 version 17.10 (v5), range: 17.10.0
- Microsoft/Microsoft Visual Studio 2022 version 17.12 (v5), range: 17.12.0
- Microsoft/Microsoft Visual Studio 2022 version 17.13 (v5), range: 17.13.0
- Microsoft/Microsoft Visual Studio 2022 version 17.8 (v5), range: 17.8.0
- Microsoft/.NET 8.0 (v5), range: 8.0.0
- Microsoft/.NET 9.0 (v5), range: 9.0.0
References
- github.com/advisories/GHSA-h4j7-5rxr-p4wc (ghsa, ADVISORY)
- msrc.microsoft.com/update-guide/vulnerability/CVE-2025-26646 (ghsa, vendor-advisory, patch, WEB)
- nvd.nist.gov/vuln/detail/CVE-2025-26646 (ghsa, ADVISORY)
- github.com/dotnet/announcements/issues/356 (ghsa, WEB)
- github.com/dotnet/msbuild/issues/11846 (ghsa, WEB)
- github.com/dotnet/msbuild/security/advisories/GHSA-h4j7-5rxr-p4wc (ghsa, WEB)