Describe the issue
The current Linux/amd64 image for mcr.microsoft.com/dotnet/aspnet:10.0 / mcr.microsoft.com/dotnet/aspnet:10.0.8-noble still contains Ubuntu Noble packages that are being reported by AWS Inspector/ECR vulnerability scanning as Critical/High GnuTLS findings.
I understand from the .NET Docker vulnerability workflow that distro package findings are usually handled by the base distro/image update process. I am filing this because the Ubuntu security notice appears to have fixed versions available for at least the GnuTLS issues, while the current published aspnet:10.0 Noble image still contains the previous package version.
Affected image
- Image: mcr.microsoft.com/dotnet/aspnet:10.0.8-noble
- Same Linux/amd64 manifest as mcr.microsoft.com/dotnet/aspnet:10.0 at the time I checked
- Linux/amd64 manifest digest: sha256:a7f704b4b87284c80df9b90ab0e06810a241785204dc191ec05f2b26b5847623
- OS inside image: Ubuntu 24.04.4 LTS (Noble Numbat)
Package versions observed in the image
Extracted from /var/lib/dpkg/status in the published image layers:
libgnutls30t64 3.8.3-1.1ubuntu3.5
libgcrypt20 1.10.3-2build1
liblzma5 5.6.1+really5.4.5-1ubuntu0.2
libicu74 74.2-1ubuntu3.1
tzdata 2026a-0ubuntu0.24.04.1
Example findings reported against libgnutls30t64:3.8.3-1.1ubuntu3.5 / source package gnutls28:3.8.3-1.1ubuntu3.5 include:
CVE-2026-42010 (Critical)
CVE-2026-33845 (Critical)
CVE-2026-5260 (High)
CVE-2026-33846 (High)
CVE-2026-42013 (High)
CVE-2026-42009 (High)
CVE-2026-42012 (High)
CVE-2026-3833 (High)
CVE-2026-42011 (High)
CVE-2026-42015 (Medium)
CVE-2026-3832 (Low)
CVE-2026-5419 (Low)
Ubuntu notice/reference:
USN-8284-1 lists gnutls28 fixed in Ubuntu 24.04 LTS (Noble) as 3.8.3-1.1ubuntu3.6, but the current aspnet:10.0.8-noble image still has 3.8.3-1.1ubuntu3.5.
Chiseled image comparison
I also checked mcr.microsoft.com/dotnet/aspnet:10.0.8-noble-chiseled-extra on Linux/amd64:
- Manifest digest: sha256:d3552fc1bd9b5195f6a397a547975fa1dbfb21870b4710f929eaa9adc5ceee42
- OS: Ubuntu 24.04.4 LTS
- It contains tzdata and libicu74, but I did not find libgnutls30t64, gnutls28, libgcrypt20, xz-utils, or liblzma5 in /var/lib/dpkg/status.
That image is a workable mitigation for apps that can use chiseled images, but some users may still expect the non-chiseled Noble image to receive the Ubuntu security update.
Expected behavior
A refreshed mcr.microsoft.com/dotnet/aspnet:10.0 / 10.0.8-noble image should include the Noble security update for GnuTLS, or the docs/vulnerability workflow should clarify whether users should switch to 10.0-noble-chiseled-extra or a custom ContainerBaseImage until the base image refresh happens.
Repro / verification
I verified without Docker daemon by pulling the Linux/amd64 manifest and extracting the published image layers from MCR, then reading /var/lib/dpkg/status.
Equivalent check once pulled locally:
docker run --rm mcr.microsoft.com/dotnet/aspnet:10.0.8-noble \
dpkg-query -W libgnutls30t64 libgcrypt20 liblzma5 tzdata
Configuration
- Architecture checked: linux/amd64
- Image family: ASP.NET Core runtime image
- Tags checked: 10.0, 10.0.8-noble, 10.0.8-noble-chiseled-extra