dotnet · Microsoft.AspNetCore.App.Runtime.linux-x64 · Critical
Microsoft.AspNetCore.App.Runtime.linux-x64 Denial of Service via MessagePack Hub Protocol
A denial of service vulnerability in the MessagePack hub protocol used by SignalR and Blazor Server.
What changed
Deeply nested MessagePack arrays can cause a stack overflow, leading to denial of service.
Who it affects
Applications using Microsoft.AspNetCore.App.Runtime.linux-x64 versions 10.0.0 through 10.0.8, 9.0.0 through 9.0.16, or 8.0.0 through 8.0.27 (all inclusive), and Microsoft.AspNetCore.SignalR.Protocols.MessagePack packages in those ranges.
What to do today
Update Microsoft.AspNetCore.App.Runtime.linux-x64 to version 10.0.9, 9.0.17, or 8.0.28, and update Microsoft.AspNetCore.SignalR.Protocols.MessagePack to the corresponding patched version.
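To check a host against the ranges above, the following added example (not part of the advisory or of Microsoft's tooling) parses `dotnet --list-runtimes` output and classifies each Microsoft.AspNetCore.App entry. It assumes the installed shared framework version matches the runtime pack version named in the advisory; `audit_runtimes` is a hypothetical helper name and the sample listing is constructed.

```python
import re

# Affected ranges and fixed versions exactly as stated in the advisory above.
AFFECTED = {
    10: ((10, 0, 0), (10, 0, 8), "10.0.9"),
    9: ((9, 0, 0), (9, 0, 16), "9.0.17"),
    8: ((8, 0, 0), (8, 0, 27), "8.0.28"),
}

# One line of `dotnet --list-runtimes`: "<framework> <version> [<path>]"
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\.(\d+)\.(\d+)(-\S+)?\s+\[(.+)\]$")


def audit_runtimes(listing, framework="Microsoft.AspNetCore.App"):
    """Return (version, status, fixed_version) for each matching runtime line."""
    results = []
    for raw in listing.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group(1) != framework:
            continue  # other frameworks and malformed lines are out of scope
        version = tuple(int(m.group(i)) for i in (2, 3, 4))
        text = ".".join(map(str, version)) + (m.group(5) or "")
        entry = AFFECTED.get(version[0])
        if entry is None:
            results.append((text, "not-listed", None))
        elif m.group(5):
            # Pre-release builds sort below the release, so the advisory's
            # ranges do not state their status; flag them for manual review.
            results.append((text, "review", entry[2]))
        elif entry[0] <= version <= entry[1]:
            results.append((text, "affected", entry[2]))
        else:
            results.append((text, "patched", entry[2]))
    return results


# Constructed sample output, not captured from a real host.
SAMPLE = """\
Microsoft.AspNetCore.App 8.0.27 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 9.0.17 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 10.0.0-rc.1.25451.107 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 8.0.27 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""

if __name__ == "__main__":
    for version, status, fixed in audit_runtimes(SAMPLE):
        print(f"{version:<28} {status:<10} fixed in {fixed}")
```

This check covers only the shared framework; references to the Microsoft.AspNetCore.SignalR.Protocols.MessagePack package need to be reviewed separately in the project files.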