Bump Microsoft.Bcl.Memory to 10.0.5 to fix CVE-2026-26127 (#15410)

mitchdenny · Mitch Denny · Copilot · web-flow · commit 28cfffedec2b · 2026-03-20T10:36:02.000+11:00
* Bump Microsoft.Bcl.Memory to 10.0.5 to fix CVE-2026-26127 Microsoft.Bcl.Memory 10.0.0 has a known high severity vulnerability (GHSA-73j8-2gch-69rq) - a denial of service via out-of-bounds read when decoding malformed Base64Url input. Update to 10.0.5 which includes the fix. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> * PR feedback --------- Co-authored-by: Mitch Denny <mitch@mitchdeny.com> Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com> Co-authored-by: Eric Erhardt <eric.erhardt@microsoft.com>
diff --git a/Directory.Packages.props b/Directory.Packages.props
@@ -198,6 +198,7 @@
     <PackageVersion Include="Microsoft.Extensions.ServiceDiscovery.Yarp" Version="$(MicrosoftExtensionsServiceDiscoveryYarpVersion)" />
     <PackageVersion Include="Microsoft.Extensions.TimeProvider.Testing" Version="$(MicrosoftExtensionsTimeProviderTestingVersion)" />
     <!-- Runtime dependencies ** Common between all TFMs because other dependencies (like Azure.Core) are lifting to the latest versions, so we need to as well ** -->
+    <PackageVersion Include="Microsoft.Bcl.Memory" Version="$(MicrosoftBclMemoryPreviewVersion)" />
     <PackageVersion Include="Microsoft.Extensions.Hosting.Abstractions" Version="$(MicrosoftExtensionsHostingAbstractionsPreviewVersion)" />
     <PackageVersion Include="Microsoft.Extensions.Hosting" Version="$(MicrosoftExtensionsHostingPreviewVersion)" />
     <PackageVersion Include="Microsoft.Extensions.Configuration.Abstractions" Version="$(MicrosoftExtensionsConfigurationAbstractionsPreviewVersion)" />
diff --git a/eng/Versions.props b/eng/Versions.props
@@ -81,6 +81,7 @@
     <MicrosoftExtensionsFeaturesPreviewVersion>10.0.5</MicrosoftExtensionsFeaturesPreviewVersion>
     <MicrosoftAspNetCoreSignalRClientPreviewVersion>10.0.5</MicrosoftAspNetCoreSignalRClientPreviewVersion>
     <!-- Runtime -->
+    <MicrosoftBclMemoryPreviewVersion>10.0.5</MicrosoftBclMemoryPreviewVersion>
     <MicrosoftExtensionsHostingAbstractionsPreviewVersion>10.0.5</MicrosoftExtensionsHostingAbstractionsPreviewVersion>
     <MicrosoftExtensionsHostingPreviewVersion>10.0.5</MicrosoftExtensionsHostingPreviewVersion>
     <MicrosoftExtensionsCachingMemoryPreviewVersion>10.0.5</MicrosoftExtensionsCachingMemoryPreviewVersion>
diff --git a/src/Aspire.Hosting.Foundry/Aspire.Hosting.Foundry.csproj b/src/Aspire.Hosting.Foundry/Aspire.Hosting.Foundry.csproj
@@ -1,4 +1,4 @@
-<Project Sdk="Microsoft.NET.Sdk">
+﻿<Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
     <TargetFramework>$(DefaultTargetFramework)</TargetFramework>
@@ -35,7 +35,7 @@
     <PackageReference Include="Azure.Provisioning.CognitiveServices" />
     <PackageReference Include="Azure.Provisioning.ContainerRegistry" />
     <PackageReference Include="Microsoft.AI.Foundry.Local" />
-    <PackageReference Include="Microsoft.Bcl.Memory" VersionOverride="10.0.0" />
+    <PackageReference Include="Microsoft.Bcl.Memory" />
   </ItemGroup>
 
 </Project>
