
Unfixable LOW severity vulnerabilities in mcr.microsoft.com/dotnet/sdk:10.0.202-alpine3.23-amd64 #7153

@Sbhatt2910

Description

Summary

During container vulnerability scanning of our alpine/dotnet/sdk/10 base image (built on mcr.microsoft.com/dotnet/sdk:10.0.202-alpine3.23-amd64), the following LOW severity vulnerabilities were detected. These exist in the upstream MCR image itself and cannot be remediated via Dockerfile changes.

Affected Image

mcr.microsoft.com/dotnet/sdk:10.0.202-alpine3.23-amd64

Vulnerabilities

| Vulnerability ID | Severity | Package | Installed Version | Fixed Version |
| -- | -- | -- | -- | -- |
| GHSA-g4vj-cjjj-v7hg | LOW | NuGet.Packaging | 7.3.1-rc.18118 | 4.9.7, 5.11.7, 6.8.2, 6.11.2, 6.12.5, 6.14.3, 7.0.3, 7.3.1 |
| GHSA-g4vj-cjjj-v7hg | LOW | NuGet.Protocol | 7.3.1-rc.18118 | 4.9.7, 5.11.7, 6.8.2, 6.11.2, 6.12.5, 6.14.3, 7.0.3, 7.3.1 |
| CVE-2026-26171 | LOW | System.Security.Cryptography.Xml | 10.0.5 | 10.0.6, 9.0.15, 8.0.3 |
| CVE-2026-33116 | LOW | System.Security.Cryptography.Xml | 10.0.5 | 10.0.6, 9.0.15, 8.0.3 |

Note: The scanner reports NuGet.Packaging and NuGet.Protocol multiple times (6 instances each) due to multiple copies of the deps.json found in different SDK paths within the image. They all refer to the same underlying package version 7.3.1-rc.18118.

Root Cause

NuGet (GHSA-g4vj-cjjj-v7hg): The SDK 10.0.202 bundles NuGet 7.3.1-rc.18118 (a release candidate). The fix requires NuGet 7.3.1 stable. This RC version was included in the SDK before the stable NuGet release was available. No Dockerfile workaround exists — it is baked into the SDK binary.

System.Security.Cryptography.Xml (CVE-2026-26171 / CVE-2026-33116): The SDK ships its own copy of System.Security.Cryptography.Xml 10.0.5 as part of its NuGet tooling layer, separate from the ASP.NET runtime. Even though the SDK base image (aspnet:10.0.6) contains the patched runtime, the SDK layer bundles its own older copy. This cannot be patched via apk upgrade.

Impact

  • Build-time only — these vulnerabilities exist in the SDK image used to compile applications, not in the deployed runtime.
  • The deployed runtime image (alpine/dotnet/aspnet/10) is based on mcr.microsoft.com/dotnet/aspnet:10.0.6-alpine3.23-amd64 and is not affected.
  • Severity is LOW for all findings.

Requested Fix

Please release an updated SDK image (10.0.203 or a re-tagged 10.0.202) that ships:

  • NuGet 7.3.1 stable (replacing 7.3.1-rc.18118)
  • System.Security.Cryptography.Xml 10.0.6
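The note above explains why the scanner reports the same package six times (one finding per deps.json copy) and why an RC build counts as below its release. The following added example, not part of this issue or of the dotnet-docker project, collapses such findings to one row per (package, installed version) and applies SemVer 2 pre-release ordering; the deps.json contents and paths are constructed placeholders, and the fixed versions are the ones on the installed branch from the table above.

```python
import json, re
from collections import defaultdict

SEMVER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$")

def semver_key(version):
    """SemVer 2 precedence key: 7.3.1-rc.18118 ranks below the release 7.3.1."""
    m = SEMVER.match(version)
    if not m:
        raise ValueError(f"not a SemVer version: {version}")
    core = tuple(int(x) for x in m.group(1, 2, 3))
    if m.group(4) is None:
        return core + ((1,),)  # a release outranks any pre-release of its core
    # numeric identifiers compare as integers and rank below alphanumeric ones
    ids = tuple((0, int(p)) if p.isdigit() else (1, p) for p in m.group(4).split("."))
    return core + ((0, ids),)

def reaches_fix(installed, fixed):
    return semver_key(installed) >= semver_key(fixed)

def packages_in(deps_json):
    """deps.json 'libraries' keys are 'Name/Version'; map name -> version."""
    pairs = (k.partition("/") for k in json.loads(deps_json).get("libraries", {}))
    return {name: version for name, _, version in pairs}

def collapse(deps_by_path, fixed_by_name):
    """One row per (package, installed version) rather than one per file:
    (name, installed, fixed, reaches_fix, number of deps.json copies)."""
    where = defaultdict(list)
    for path, content in deps_by_path.items():
        for name, ver in packages_in(content).items():
            if name in fixed_by_name:
                where[(name, ver)].append(path)
    return [(n, v, fixed_by_name[n], reaches_fix(v, fixed_by_name[n]), len(p))
            for (n, v), p in sorted(where.items())]

# Constructed deps.json copies under placeholder paths (not real image paths).
SAMPLE = {
    "/placeholder/sdk/toolA/toolA.deps.json": json.dumps({"libraries": {
        "NuGet.Packaging/7.3.1-rc.18118": {"type": "package"},
        "NuGet.Protocol/7.3.1-rc.18118": {"type": "package"}}}),
    "/placeholder/sdk/toolB/toolB.deps.json": json.dumps({"libraries": {
        "NuGet.Packaging/7.3.1-rc.18118": {"type": "package"},
        "System.Security.Cryptography.Xml/10.0.5": {"type": "package"}}}),
    "/placeholder/sdk/toolC/toolC.deps.json": json.dumps({"libraries": {
        "System.Security.Cryptography.Xml/10.0.6": {"type": "package"}}}),
}
# Fixed versions on the installed branch, as listed in the issue's table.
FIXED = {"NuGet.Packaging": "7.3.1", "NuGet.Protocol": "7.3.1",
         "System.Security.Cryptography.Xml": "10.0.6"}
```

Running `collapse(SAMPLE, FIXED)` yields one row per distinct package version with the count of deps.json copies it was seen in, so a rescan after the requested SDK update can be compared on distinct versions rather than raw finding counts.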
