Dotnet Runtime - Alpine 3.23 - Zlib Critical Vulnerability - CVE-2026-22184 #7089

@andrewharry

There is a critical vulnerability in the latest versions of dotnet runtime.

Version Tested: mcr.microsoft.com/dotnet/runtime:10.0.5-alpine3.23-amd64

podman run --rm anchore/syft mcr.microsoft.com/dotnet/runtime:10.0.5-alpine3.23-amd64

Package Version Type
zlib 1.3.1-r2 apk

CVE-2026-22184 was fixed with version 1.3.2 which was released last month.

Alpine 3.23 has been patched, but it seems there is an issue with the official Microsoft dotnet images not grabbing the latest? Can we only expect this critical vulnerability to be fixed when Alpine versions?

I have addressed this manually in the Dockerfile:

# https://github.com/dotnet/dotnet-docker/blob/main/README.aspnet.md
ARG RUNTIME_VERSION=10.0.5-alpine3.23-amd64

# set up base image
FROM mcr.microsoft.com/dotnet/aspnet:$RUNTIME_VERSION AS base

# Force update of zlib to mitigate CVE-2026-22184
RUN apk add --no-cache --upgrade zlib
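
A CI gate for the condition reported above, as an added example that is not part of the original issue or of the dotnet-docker project: it reads syft's table output, extracts the zlib apk version and compares it with 1.3.2, the fixed version named in the issue. The function names and the sample scan text are constructed for illustration, and the comparison assumes purely numeric dotted versions.

```shell
#!/bin/sh
# Added example: fail a build when the image SBOM still lists an old zlib.
FIXED_ZLIB="1.3.2"   # fixed upstream version, as stated in the issue

# Constructed sample of the scan table (the zlib row is the one from the issue).
sample_sbom() {
cat <<'EOF'
Package      Version     Type
examplepkg   2.0.0-r1    apk
zlib         1.3.1-r2    apk
EOF
}

# Print the version of apk package $1 from scan table text on stdin.
pkg_version() {
    awk -v pkg="$1" '$1 == pkg && $3 == "apk" { print $2; exit }'
}

# Return 0 if upstream version $1 >= $2. The Alpine "-rN" package
# revision is stripped first, then dotted fields are compared numerically.
version_ge() {
    awk -v a="${1%%-r*}" -v b="${2%%-r*}" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# Exit status: 0 = patched, 1 = older than the fix, 2 = zlib not listed.
check_zlib() {
    found=$(pkg_version zlib)
    if [ -z "$found" ]; then
        echo "zlib: not found in scan output"; return 2
    fi
    if version_ge "$found" "$FIXED_ZLIB"; then
        echo "zlib $found: ok"; return 0
    fi
    echo "zlib $found: older than $FIXED_ZLIB, upgrade zlib in the image"
    return 1
}

# Real use: podman run --rm anchore/syft <image> | check_zlib
sample_sbom | check_zlib || true
```

Running the same check against the image built from the Dockerfile above shows whether the `apk add --no-cache --upgrade zlib` layer actually pulled a patched package.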
