-
Title
.NET Runtime 8.0.18 affected by CVE-2026-26171, CVE-2026-32203, and CVE-2026-33116 -
Description
Microsoft has published three security advisories (CVE-2026-26171, CVE-2026-32203, and CVE-2026-33116) affecting the .NET 8.0 runtime up to and including version 8.0.18. All three are rated as Denial of Service vulnerabilities in the .NET runtime, and Microsoft's recommendation is to upgrade to a patched .NET 8.0.x release as soon as possible.
Password Manager relies on the .NET 8.0 runtime, and installations currently running .NET 8.0.18 (or earlier) are exposed to these vulnerabilities.
-
Resolution
To remediate these CVEs, upgrade the .NET 8.0 runtime to any 8.0.x release newer than 8.0.18 that contains the official Microsoft fixes (the patches for these specific CVEs were shipped in the April 2026 .NET 8.0 servicing update and later).
After installing the newer runtime, uninstall the affected .NET 8.0.18 runtime from the host so that the vulnerable binaries are no longer present on the system. Because .NET 8.0.x updates are minor servicing releases, upgrading within the 8.0.x branch is binary-compatible and is fully supported with Password Manager.
NOTE: Do not upgrade the .NET runtime to the 9.0.x branch. The Password Manager product team has not validated the product against .NET 9.0, and running Password Manager on .NET 9.0.x is not a supported configuration.
Customers who upgrade to 9.0.x to address these CVEs may encounter unsupported behavior and will be asked to roll back to a supported 8.0.x release before any support case can proceed.