.NET: Update system package dependencies for CVE-2026-26127 by rogerbarreto · Pull Request #13656 · microsoft/semantic-kernel

rogerbarreto · 2026-03-13T11:51:23Z

Summary

Update NuGet package dependencies to address CVE-2026-26127, a high severity denial of service vulnerability caused by an out of bounds read during malformed Base64Url decoding.

This mirrors the fix applied in Agent Framework PR #4647.

Package Updates (Directory.Packages.props)

Package	Old Version	New Version
Microsoft.Bcl.Memory	10.0.2	10.0.4
Microsoft.Bcl.AsyncInterfaces	10.0.3	10.0.4
System.Linq.AsyncEnumerable	10.0.2	10.0.4

Transitive Vulnerability Fix

Added direct PackageReference to Microsoft.Bcl.Memory in 3 projects that transitively pulled in the vulnerable 9.0.4 version via Microsoft.ML.Tokenizers.Data.Cl100kBase. The direct reference forces NuGet to resolve the centrally managed 10.0.4 version instead.

Affected projects:

SemanticKernel.UnitTests
IntegrationTests
Concepts (sample)

Validation

dotnet restore completes with zero vulnerability warnings
dotnet build succeeds with zero errors

Update NuGet package dependencies to address CVE-2026-26127 (DoS via out of bounds read in Base64Url decoding). Package updates in Directory.Packages.props: - Microsoft.Bcl.Memory: 10.0.2 -> 10.0.4 - Microsoft.Bcl.AsyncInterfaces: 10.0.3 -> 10.0.4 - System.Linq.AsyncEnumerable: 10.0.2 -> 10.0.4 Add direct PackageReference to Microsoft.Bcl.Memory in projects that transitively pulled in the vulnerable 9.0.4 version via Microsoft.ML.Tokenizers.Data.Cl100kBase: - SemanticKernel.UnitTests - IntegrationTests - Concepts (sample)

rogerbarreto · 2026-03-18T17:40:24Z

Integration Tests failing are unrelated to the PR changes.

xUnit.net 00:07:08.73]     SemanticKernel.IntegrationTests.Connectors.AzureOpenAI.AzureOpenAITextToImageTests.GetImageContentsCanReturnImageUrlAsync [FAIL]
[xUnit.net 00:07:08.73]       System.NullReferenceException : Object reference not set to an instance of an object.
[xUnit.net 00:07:08.73]       Stack Trace:
[xUnit.net 00:07:08.74]         /home/runner/work/semantic-kernel/semantic-kernel/dotnet/src/IntegrationTests/Connectors/AzureOpenAI/AzureOpenAITextToImageTests.cs(73,0): at SemanticKernel.IntegrationTests.Connectors.AzureOpenAI.AzureOpenAITextToImageTests.GetImageContentsCanReturnImageUrlAsync()
[xUnit.net 00:07:08.74]         --- End of stack trace from previous location ---
  Failed SemanticKernel.IntegrationTests.Connectors.AzureOpenAI.AzureOpenAITextToImageTests.GetImageContentsCanReturnImageUrlAsync [31 s]
  Error Message:
   System.NullReferenceException : Object reference not set to an instance of an object.
  Stack Trace:
     at SemanticKernel.IntegrationTests.Connectors.AzureOpenAI.AzureOpenAITextToImageTests.GetImageContentsCanReturnImageUrlAsync() in /home/runner/work/semantic-kernel/semantic-kernel/dotnet/src/IntegrationTests/Connectors/AzureOpenAI/AzureOpenAITextToImageTests.cs:line 73
--- End of stack trace from previous location ---
[xUnit.net 00:07:08.74]     SemanticKernel.IntegrationTests.Connectors.AzureOpenAI.AzureOpenAITextToImageTests.ItCanReturnImageUrlAsync [SKIP]
[xUnit.net 00:07:08.74]       This test is for manual verification.
  Skipped SemanticKernel.IntegrationTests.Connectors.AzureOpenAI.AzureOpenAITextToImageTests.ItCanReturnImageUrlAsync [1 ms]
[xUnit.net 00:07:49.69]     SemanticKernel.IntegrationTests.Connectors.AzureOpenAI.AzureOpenAITextToImageTests.SemanticKernelVersionHeaderIsSentAsync [FAIL]
[xUnit.net 00:07:49.69]       System.NullReferenceException : Object reference not set to an instance of an object.
[xUnit.net 00:07:49.69]       Stack Trace:
[xUnit.net 00:07:49.69]         /home/runner/work/semantic-kernel/semantic-kernel/dotnet/src/IntegrationTests/Connectors/AzureOpenAI/AzureOpenAITextToImageTests.cs(103,0): at SemanticKernel.IntegrationTests.Connectors.AzureOpenAI.AzureOpenAITextToImageTests.SemanticKernelVersionHeaderIsSentAsync()
[xUnit.net 00:07:49.69]         --- End of stack trace from previous location ---
  Failed SemanticKernel.IntegrationTests.Connectors.AzureOpenAI.AzureOpenAITextToImageTests.SemanticKernelVersionHeaderIsSentAsync [40 s]
  Error Message:
   System.NullReferenceException : Object reference not set to an instance of an object.
  Stack Trace:

rogerbarreto requested a review from a team as a code owner March 13, 2026 11:51

rogerbarreto temporarily deployed to integration March 13, 2026 11:51 — with GitHub Actions Inactive

SergeyMenshykh approved these changes Mar 13, 2026

View reviewed changes

westey-m approved these changes Mar 13, 2026

View reviewed changes

rogerbarreto added this pull request to the merge queue Mar 13, 2026

github-merge-queue bot removed this pull request from the merge queue due to failed status checks Mar 13, 2026

peibekwe approved these changes Mar 13, 2026

View reviewed changes

rogerbarreto added this pull request to the merge queue Mar 18, 2026

github-merge-queue bot removed this pull request from the merge queue due to failed status checks Mar 18, 2026

rogerbarreto merged commit c294584 into microsoft:main Mar 18, 2026
18 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

.NET: Update system package dependencies for CVE-2026-26127#13656

.NET: Update system package dependencies for CVE-2026-26127#13656
rogerbarreto merged 1 commit intomicrosoft:mainfrom
rogerbarreto:issues/vulnerable-sk-packages

rogerbarreto commented Mar 13, 2026

Uh oh!

Uh oh!

Uh oh!

rogerbarreto commented Mar 18, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

rogerbarreto commented Mar 13, 2026

Summary

Package Updates (Directory.Packages.props)

Transitive Vulnerability Fix

Validation

Uh oh!

Uh oh!

Uh oh!

rogerbarreto commented Mar 18, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants