.NET Spoofing Vulnerability
Description
Improper handling of missing special element in .NET allows an unauthorized attacker to perform spoofing over a network.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Improper handling of missing special element in .NET's System.Security.Cryptography.Cose allows spoofing over network; patch available.
Vulnerability
CVE-2026-21218 is a security feature bypass vulnerability in .NET's System.Security.Cryptography.Cose library, caused by improper handling of missing special elements. This allows an attacker to craft a malicious payload that bypasses security checks, potentially leading to spoofing over a network [1].
Exploitation
An unauthorized attacker can exploit this vulnerability over a network without authentication by sending a specially crafted payload to an application that uses the affected Cose package. The vulnerability is present in .NET 8.0, 9.0, and 10.0 when the System.Security.Cryptography.Cose library is referenced [1].
Impact
Successful exploitation enables an attacker to perform spoofing attacks, potentially leading to unauthorized access or data manipulation. The attacker can impersonate legitimate entities or tamper with cryptographic messages [1].
Mitigation
Microsoft has released patched versions of the affected packages: System.Security.Cryptography.Cose 8.0.2, 9.0.13, and 10.0.3. Developers should update their NuGet packages to the latest patched versions. Applications that do not use System.Security.Cryptography.Cose are not affected [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| System.Security.Cryptography.Cose (NuGet) | >= 8.0.0, < 8.0.2 | 8.0.2 |
| System.Security.Cryptography.Cose (NuGet) | >= 9.0.0, < 9.0.13 | 9.0.13 |
| System.Security.Cryptography.Cose (NuGet) | >= 10.0.0, < 10.0.3 | 10.0.3 |
Affected products
- Microsoft/.NET 10.0 (v5 range: 10.0.0)
- Microsoft/.NET 8.0 (v5 range: 8.0.0)
- Microsoft/.NET 9.0 (v5 range: 9.0.0)
References
- github.com/advisories/GHSA-qvhc-9v3j-5rfw (ghsa, ADVISORY)
- msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21218 (ghsa, vendor-advisory, patch, WEB)
- nvd.nist.gov/vuln/detail/CVE-2026-21218 (ghsa, ADVISORY)
- github.com/dotnet/runtime/security/advisories/GHSA-qvhc-9v3j-5rfw (ghsa, WEB)