CVE-2026-21218: Microsoft Security Advisory CVE-2026-21218 | .NET Security Feature Bypass Vulnerability

February 10, 2026

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0, .NET 9.0, and .NET 10.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

An attacker could exploit this vulnerability by crafting a malicious payload that bypasses the security checks in the affected System.Security.Cryptography.Cose versions, potentially leading to unauthorized access or data manipulation.

References

github.com/advisories/GHSA-qvhc-9v3j-5rfw
github.com/dotnet/runtime
github.com/dotnet/runtime/security/advisories/GHSA-qvhc-9v3j-5rfw
msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21218
nvd.nist.gov/vuln/detail/CVE-2026-21218

Code Behaviors & Features

Detect and mitigate CVE-2026-21218 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →