The Null Identity: Spoofing .NET COSE Signatures via CBOR Indefinite Lengths
Vulnerability ID: CVE-2026-21218
CVSS Score: 7.5
Published: 2026-02-10
A critical logic error in the Microsoft .NET 'System.Security.Cryptography.Cose' library allows attackers to bypass signature verification. By utilizing CBOR indefinite-length encoding, an attacker can trick the parser into skipping the Protected Header bucket entirely. This results in the acceptance of spoofed messages because critical security parameters—like the signature algorithm—are never validated.
TL;DR
The .NET COSE parser fails to handle CBOR 'indefinite-length' maps correctly. The map length comes back as null for an indefinite-length map, and a loop condition comparing an integer counter to that null length evaluates to false, so the loop body never runs and the parser skips validating the message headers. This allows attackers to forge signatures and spoof identities.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-166
- Attack Vector: Network
- CVSS Score: 7.5 (High)
- Impact: Integrity Loss (Spoofing)
- Root Cause: Logic error in indefinite-length CBOR parsing
- Exploit Status: Plausible / Trivial Logic
Affected Systems
- Microsoft .NET 8.0: < 8.0.24 (Fixed in: 8.0.24)
- Microsoft .NET 9.0: < 9.0.13 (Fixed in: 9.0.13)
- Microsoft .NET 10.0: < 10.0.3 (Fixed in: 10.0.3)
- System.Security.Cryptography.Cose Library
Code Analysis
Commit: 6abb139
Fix CoseMessage to correctly handle indefinite-length maps by switching to state-based parsing.
- for (int i = 0; i < length; i++)
+ while (true) { CborReaderState state = reader.PeekState(); if (state == CborReaderState.EndMap) ... }
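Review bot: the only exit visible in the new `while (true)` loop is the `state == CborReaderState.EndMap` branch; for a truncated indefinite-length map (0xBF with no closing 0xFF) the loop must also terminate, so the elided body should be shown handling end-of-data, either by letting `PeekState()` throw or by an explicit check, rather than relying on the reader's behaviour implicitly. The fix should also carry a regression test that feeds a protected-header map encoded as `0xBF ... 0xFF` and asserts that the header entries are actually read, since that is the exact input the old `for (int i = 0; i < length; i++)` loop skipped. Finally, the replacement loop is squeezed onto one line; formatting it as a normal block would make the new control flow reviewable.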
Exploit Details
- Research Analysis: Constructing a COSE message with CBOR indefinite-length protected headers (0xBF ... 0xFF) triggers the logic bypass.
Mitigation Strategies
- Update .NET Runtime to the latest patch level.
- Update System.Security.Cryptography.Cose NuGet package.
- Implement ingress filtering to reject Indefinite-Length CBOR (0xBF/0x9F) if strictly Canonical CBOR is expected.
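As an added example, not code from the library or from the advisory's PoC, the C# program below shows the bug class behind the TL;DR and implements the ingress filter from the last bullet. It assumes only the System.Formats.Cbor package; the `CoseHeaderParsingDemo` class, its method names and the constructed header map `{1: -7}` (label 1 = alg, -7 = ES256) are illustrative, and the `int? length` local is an assumption modelled on `CborReader.ReadStartMap()`, which returns null for an indefinite-length map. The length-counted loop processes zero entries for the `0xBF` encoding, the state-based loop processes one, and the walker rejects any indefinite-length construct, going beyond the bullet by also catching nested indefinite byte and text strings (`0x5F`/`0x7F`), not just maps and arrays.

```csharp
using System;
using System.Formats.Cbor;

// Added example (hypothetical names): models the length-counted loop, the state-based loop,
// and an ingress filter that rejects indefinite-length CBOR before COSE decoding.
public static class CoseHeaderParsingDemo
{
    // Constructed sample: protected-header map {1: -7}, definite (A1 01 26) or indefinite (BF 01 26 FF).
    public static byte[] EncodeAlgHeader(bool indefiniteLength)
    {
        var writer = new CborWriter(CborConformanceMode.Lax);
        writer.WriteStartMap(indefiniteLength ? null : (int?)1);
        writer.WriteInt32(1);   // header label 1 = "alg"
        writer.WriteInt32(-7);  // COSE algorithm ES256
        writer.WriteEndMap();
        return writer.Encode();
    }

    // Length-counted loop: ReadStartMap() returns null for an indefinite-length map and the
    // lifted comparison `i < null` is false, so the loop body never executes.
    public static int CountEntriesLengthLoop(byte[] encodedMap)
    {
        var reader = new CborReader(encodedMap, CborConformanceMode.Lax);
        int? length = reader.ReadStartMap();
        int entries = 0;
        for (int i = 0; i < length; i++)
        {
            reader.SkipValue(); // key
            reader.SkipValue(); // value
            entries++;
        }
        return entries; // stays at zero for an indefinite-length map: the header is silently skipped
    }

    // State-based loop, the shape of the fix: stop on EndMap regardless of the length encoding.
    public static int CountEntriesStateLoop(byte[] encodedMap)
    {
        var reader = new CborReader(encodedMap, CborConformanceMode.Lax);
        reader.ReadStartMap();
        int entries = 0;
        while (reader.PeekState() != CborReaderState.EndMap)
        {
            reader.SkipValue(); // key
            reader.SkipValue(); // value
            entries++;
        }
        reader.ReadEndMap();
        return entries;
    }

    // Ingress filter: true if any item, at any nesting depth, uses indefinite-length encoding.
    public static bool ContainsIndefiniteLength(byte[] encoded)
    {
        var reader = new CborReader(encoded, CborConformanceMode.Lax);
        return Walk(reader);
    }

    private static bool Walk(CborReader reader)
    {
        switch (reader.PeekState())
        {
            case CborReaderState.StartIndefiniteLengthByteString:  // 0x5F
            case CborReaderState.StartIndefiniteLengthTextString:  // 0x7F
                return true;
            case CborReaderState.StartMap:                         // 0xBF when length is null
                if (reader.ReadStartMap() is null) return true;
                while (reader.PeekState() != CborReaderState.EndMap)
                {
                    if (Walk(reader) || Walk(reader)) return true; // key, then value
                }
                reader.ReadEndMap();
                return false;
            case CborReaderState.StartArray:                       // 0x9F when length is null
                if (reader.ReadStartArray() is null) return true;
                while (reader.PeekState() != CborReaderState.EndArray)
                {
                    if (Walk(reader)) return true;
                }
                reader.ReadEndArray();
                return false;
            case CborReaderState.Tag:
                reader.ReadTag();
                return Walk(reader);                               // inspect the tagged item
            default:
                reader.SkipValue();                                // scalar or definite string
                return false;
        }
    }

    public static void Main()
    {
        foreach (bool indefinite in new[] { false, true })
        {
            byte[] header = EncodeAlgHeader(indefinite);
            Console.WriteLine($"{Convert.ToHexString(header),-10} " +
                              $"lengthLoop={CountEntriesLengthLoop(header)} " +
                              $"stateLoop={CountEntriesStateLoop(header)} " +
                              $"reject={ContainsIndefiniteLength(header)}");
        }
    }
}
```

Run the filter on the raw COSE bytes before handing them to the COSE decoder; a message that fails `ContainsIndefiniteLength` is dropped without ever reaching signature verification. The walker deliberately uses Lax conformance so that it reads the same input a permissive decoder would, and its decision rests on `ReadStartMap()`/`ReadStartArray()` returning null and on the indefinite-length string states, which is the same signal the vulnerable loop mishandled.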
Remediation Steps:
- Identify all servers and containers running .NET 8, 9, or 10.
- Check the version of System.Security.Cryptography.Cose in your dependency tree.
- Apply the official Microsoft patch or redeploy with the updated runtime images.
- Restart affected services.
References
Read the full report for CVE-2026-21218 on our website for more details including interactive diagrams and full exploit analysis.