Patch Releases: Addressing CVE-2026-26127 in Microsoft.BCL.Memory #507
maartenba announced in Announcements
Microsoft recently disclosed CVE-2026-26127, a high-severity DoS vulnerability in Microsoft.BCL.Memory that may surface in .NET projects as NuGet vulnerability warnings.
Because several Duende libraries depend on that package transitively, we’ve published patch releases across our library stack to pull in the fixed dependency. These are dependency-only updates with no API or behavioral changes.
To be clear: the vulnerability is in the upstream Microsoft dependency, not in Duende code. However, we believe the right thing to do is ship patches that pull in the fix so you don't have to manage the transitive dependency yourself.
If you’re using Duende.IdentityServer, BFF, IdentityModel, OidcClient, AccessTokenManagement, or related packages, we recommend updating to the latest patched versions.
Read the full post for affected packages, patched versions, and more:
https://duendesoftware.com/blog/20260313-patch-releases-addressing-cve-2026-26127-in-microsoft-bcl-memory