Update .NET SDK to 10.0.103 (CVE-2026-21218) #19

@techjoec

Summary

.NET SDK 10.0.103 was released February 10, 2026 with a security fix. The project currently runs on 10.0.101 (latest in Ubuntu 24.04 noble-updates).

Security Fix

CVE-2026-21218 (CVSS 7.5 HIGH): Security feature bypass in System.Security.Cryptography.Cose. An attacker can craft a malicious payload that bypasses COSE signature verification. Classified as CWE-166 (improper handling of missing special element). No known exploitation.

Affects .NET 8.0 (<8.0.24), 9.0 (<9.0.13), and 10.0 (<10.0.3).

Current State

  • global.json: pins 10.0.101 with rollForward: latestPatch
  • Installed SDK: 10.0.101 (latest available in Ubuntu noble-updates)
  • The latestPatch policy will auto-use 10.0.103 once installed — no code change needed

Action Required

Once Canonical publishes 10.0.103 to the Ubuntu feed:

sudo apt-get update && sudo apt-get install -y dotnet-sdk-10.0
dotnet --list-sdks  # verify 10.0.103

Optionally bump global.json pin to 10.0.103 afterward to document the minimum.
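
A check for the roll-forward behaviour described above, added here as an example and not part of the original issue. `resolve_pin` is a hypothetical helper that reads `dotnet --list-sdks` output and prints the SDK a `latestPatch` pin would select (same major.minor and feature band, patch at or above the pin); the sample listings are constructed.

```shell
#!/bin/sh
# Added example. On a real host: dotnet --list-sdks | resolve_pin 10.0.103

# Print the SDK that rollForward=latestPatch would pick for pin $1, given
# `dotnet --list-sdks` output on stdin. Exit status 1 means no installed SDK
# satisfies the pin, which is the case where dotnet itself refuses to run.
resolve_pin() {
  awk -v pin="$1" '
    BEGIN { split(pin, w, "."); top = -1 }
    $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+$/ {       # stable versions only; previews skipped
      split($1, g, ".")
      if (g[1] + 0 != w[1] + 0 || g[2] + 0 != w[2] + 0) next   # other major.minor
      if (int(g[3] / 100) != int(w[3] / 100)) next             # other feature band
      if (g[3] + 0 >= w[3] + 0 && g[3] + 0 > top) { top = g[3] + 0; ver = $1 }
    }
    END { if (top < 0) exit 1; print ver }
  '
}

# Constructed `dotnet --list-sdks` listings (not captured from a real host).
BEFORE='10.0.101 [/usr/lib/dotnet/sdk]'
AFTER='8.0.124 [/usr/lib/dotnet/sdk]
10.0.101 [/usr/lib/dotnet/sdk]
10.0.103 [/usr/lib/dotnet/sdk]
10.0.200-preview.1 [/usr/lib/dotnet/sdk]'

# Show what each pin resolves to before and after the package update.
for pin in 10.0.101 10.0.103; do
  for state in BEFORE AFTER; do
    eval "listing=\$$state"
    picked=$(printf '%s\n' "$listing" | resolve_pin "$pin") || picked='none (build fails)'
    printf 'pin %s, %s update: %s\n' "$pin" "$state" "$picked"
  done
done
```

With the pin left at 10.0.101 the unpatched SDK still resolves until the package is updated, while a pin of 10.0.103 fails outright on a host that only has 10.0.101, so bumping the pin enforces the minimum as well as documenting it.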
