
Sunday, April 19, 2026

.NET on Linux: Stop Guessing About Security Patches (A Practical Guide)

 


Running .NET 9 on Linux? Unpatched runtimes expose your servers to remote code execution. This guide shows you how to check your systems, apply the fix with a universal bash script, and block attacks with iptables if you cannot reboot today. Includes automation for Ubuntu, Rocky, and SUSE.

Updated: April 2026 – In late April 2026, Oracle released an important update for .NET 9 (SDK 9.0.116 / Runtime 9.0.15). That specific date doesn’t matter. What matters is that any unpatched .NET runtime on Linux is a reliable way to get owned.

This isn't about one CVE. It's about building a repeatable habit. Below you’ll find the exact commands to check your servers, a single script to patch across major distros, and a fallback mitigation if your next maintenance window is two weeks away.


1. How to check if you are vulnerable (right now)

Run these commands directly on your servers. Do not guess.


bash
# Ubuntu / Debian
# Check installed .NET packages
dpkg -l | grep dotnet

# Verify specific runtime version
dotnet --list-runtimes

# If you see Microsoft.NETCore.App 9.0.14 or lower → vulnerable


bash
# Rocky / AlmaLinux / RHEL / Oracle Linux
# List .NET packages
rpm -qa | grep dotnet

# Show detailed version
dnf list installed | grep dotnet

# Vulnerable if runtime < 9.0.15 or SDK < 9.0.116



bash
# SUSE / openSUSE
# Check installed dotnet packages
zypper search --installed-only dotnet

# Verify runtime version (vulnerable if < 9.0.15)
rpm -qi dotnet-runtime-9.0 | grep Version

Quick one-liner for all distros (returns "VULNERABLE" or "OK")

bash
# Takes the lowest installed Microsoft.NETCore.App 9.0.x and compares it as a version number, so 9.0.0-9.0.9 are flagged too and 9.0.16+ still reports OK (a "9.0.1[0-4]" regex gets both cases wrong)
v=$(dotnet --list-runtimes 2>/dev/null | awk '$1=="Microsoft.NETCore.App" && $2 ~ /^9\.0\./{print $2}' | sort -V | head -n1); if [ -z "$v" ]; then echo "No .NET 9 found"; elif [ "$(printf '%s\n' "$v" 9.0.15 | sort -V | head -n1)" = "9.0.15" ]; then echo "OK"; else echo "VULNERABLE"; fi
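The checks above only look at Microsoft.NETCore.App. The script below is an added example (not from the original post) that extends them: it classifies every installed .NET 9 runtime and SDK against the patched versions this guide names (Runtime 9.0.15, SDK 9.0.116), reads the listing from stdin so it can be run over `dotnet --list-runtimes` / `dotnet --list-sdks` output saved from a whole fleet, and compares versions numerically. The constructed sample listings are illustrative, and it assumes Microsoft.AspNetCore.App carries the same patch number as Microsoft.NETCore.App.

```shell
#!/bin/bash
# dotnet9-audit.sh: added example, not from the original post.
# Reports every installed .NET 9 runtime/SDK below the fixed versions named in
# this guide. Listing text is read from stdin, so saved output from other hosts
# works too. Every 9.0.x below the fix is reported, including 9.0.0-9.0.9.
FIXED_RUNTIME="9.0.15"
FIXED_SDK="9.0.116"

# version_lt A B: true when A is strictly older than B (version-aware sort)
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# classify_dotnet9 runtime|sdk <fixed-version>: one verdict line per 9.0.x entry.
# runtime lines look like "Microsoft.NETCore.App 9.0.14 [path]"; sdk lines "9.0.115 [path]".
# Assumption: Microsoft.AspNetCore.App uses the same patch number as Microsoft.NETCore.App.
classify_dotnet9() {
    kind="$1"; fixed="$2"; found=0
    while read -r f1 f2 rest; do
        if [ "$kind" = "runtime" ]; then name="$f1"; ver="$f2"; else name="SDK"; ver="$f1"; fi
        case "$ver" in 9.0.*) ;; *) continue ;; esac   # ignore 8.0.x and other majors
        found=1
        if version_lt "$ver" "$fixed"; then echo "VULNERABLE $name $ver"; else echo "OK $name $ver"; fi
    done
    [ "$found" -eq 1 ] || echo "NONE $kind"
}

# audit_host: run both checks on this machine; exit status 1 if anything is vulnerable
audit_host() {
    out="$(dotnet --list-runtimes 2>/dev/null | classify_dotnet9 runtime "$FIXED_RUNTIME";
           dotnet --list-sdks 2>/dev/null | classify_dotnet9 sdk "$FIXED_SDK")"
    echo "$out"
    ! echo "$out" | grep -q '^VULNERABLE'
}

# Constructed sample listings (not captured from a real host) for offline use
SAMPLE_RUNTIMES='Microsoft.AspNetCore.App 9.0.14 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 8.0.11 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 9.0.14 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 9.0.15 [/usr/share/dotnet/shared/Microsoft.NETCore.App]'
SAMPLE_SDKS='8.0.404 [/usr/share/dotnet/sdk]
9.0.115 [/usr/share/dotnet/sdk]'

if [ "${1:-}" = "--live" ]; then
    audit_host
else
    printf '%s\n' "$SAMPLE_RUNTIMES" | classify_dotnet9 runtime "$FIXED_RUNTIME"
    printf '%s\n' "$SAMPLE_SDKS" | classify_dotnet9 sdk "$FIXED_SDK"
fi
```

Run it with `--live` on a server to audit the real installation; without arguments it prints the verdicts for the constructed samples.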

2. Automation script to apply the fix (bash, distro-agnostic)

Save this as patch-dotnet9.sh. It works on Ubuntu, Rocky, SUSE, and their derivatives.

bash
#!/bin/bash
# patch-dotnet9.sh - Updates .NET 9 to safe version (Runtime 9.0.15 / SDK 9.0.116)
# Run as root or with sudo

set -e

if [ "$(id -u)" -ne 0 ]; then
    echo "This script must run as root (use sudo). Exiting."
    exit 1
fi

echo "Detecting OS..."
if [ -f /etc/os-release ]; then
    . /etc/os-release
    OS=$ID
else
    echo "Cannot detect OS. Exiting."
    exit 1
fi

# Same package names on all three families
PKGS="dotnet-sdk-9.0 dotnet-runtime-9.0 aspnetcore-runtime-9.0"

case "$OS" in
    ubuntu|debian)
        echo "Using apt update..."
        apt-get update
        apt-get install -y $PKGS
        ;;
    rocky|almalinux|rhel|ol)
        echo "Using dnf update..."
        # dnf update only touches packages that are already installed
        dnf update -y $PKGS
        ;;
    sles|opensuse-leap)
        echo "Using zypper update..."
        zypper refresh
        zypper update -y $PKGS
        ;;
    *)
        echo "Unsupported OS: $OS"
        exit 1
        ;;
esac

echo "Verifying update..."
dotnet --list-runtimes
# Fail loudly if a Microsoft.NETCore.App 9.0.x older than 9.0.15 is still installed
LOWEST=$(dotnet --list-runtimes | awk '$1=="Microsoft.NETCore.App" && $2 ~ /^9\.0\./{print $2}' | sort -V | head -n1)
if [ -n "$LOWEST" ] && [ "$(printf '%s\n' "$LOWEST" 9.0.15 | sort -V | head -n1)" != "9.0.15" ]; then
    echo "WARNING: runtime $LOWEST is still installed and below 9.0.15. Check your package repositories."
    exit 1
fi
echo "Patch complete. Restart your .NET services now."

How to use:

bash
chmod +x patch-dotnet9.sh
sudo ./patch-dotnet9.sh

3. Alternative mitigation if you can't update now

You cannot postpone forever. But if you need 7–14 days (change control, customer approval, etc.), use iptables to block external access to your .NET application port except from trusted IPs.

Block all external traffic to port 5000 (default .NET) except your office/cloud proxy

bash
# NOTE: -A appends to the END of the INPUT chain. If an earlier rule already
# ACCEPTs port 5000 from anywhere, that rule matches first and the DROP below
# never fires. Check the order with: iptables -S INPUT

# Allow your office IP (change to your actual IP)
iptables -A INPUT -p tcp -s 203.0.113.55 --dport 5000 -j ACCEPT

# Allow internal Kubernetes/load balancer subnet
iptables -A INPUT -p tcp -s 10.0.0.0/8 --dport 5000 -j ACCEPT

# Drop everything else on port 5000
iptables -A INPUT -p tcp --dport 5000 -j DROP

# Save rules (distro-specific)
# Ubuntu: netfilter-persistent save
# Rocky: service iptables save
# SUSE: iptables-save > /etc/sysconfig/iptables
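Because the DROP rule above is appended, it is worth confirming that nothing earlier in the chain already accepts the port. The script below is an added example (not from the original post): it reads `iptables -S INPUT` output from stdin and reports whether the first rule matching the port for any source is a DROP/REJECT (or the chain policy is DROP). The two chains embedded in it are constructed samples, not captured from a real host.

```shell
#!/bin/bash
# fw-order-check.sh: added example, not from the original post.
# iptables evaluates INPUT top to bottom, so a pre-existing catch-all ACCEPT for
# the app port silently wins over a DROP appended later with -A. Reads
# "iptables -S INPUT" from stdin and reports the effective verdict for the port.

# check_port_order <port>: exit 0 when the port is closed to untrusted sources
check_port_order() {
    awk -v port="$1" '
        $1 == "-P" && $2 == "INPUT" { policy = $3 }
        $1 == "-A" && $2 == "INPUT" {
            dport = ""; src = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "--dport") dport = $(i + 1)
                else if ($i == "-s") src = $(i + 1)
                else if ($i == "-j") target = $(i + 1)
            }
            if (dport != port) next
            if (src != "" && src != "0.0.0.0/0") next   # scoped allow-list entry, fine
            verdict = target; exit                      # first catch-all rule decides
        }
        END {
            if (verdict == "DROP" || verdict == "REJECT") { print "OK: port " port " closed to untrusted sources"; exit 0 }
            if (verdict == "ACCEPT") { print "MISORDERED: catch-all ACCEPT for port " port " precedes the DROP"; exit 1 }
            if (policy == "DROP") { print "OK: no rule matched, chain policy is DROP"; exit 0 }
            print "OPEN: no catch-all DROP for port " port " and policy is " policy; exit 1
        }'
}

# Constructed chains (not from a real host). GOOD_CHAIN is what this guide
# produces on a clean chain; BAD_CHAIN has an older blanket allow rule in front.
GOOD_CHAIN='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 203.0.113.55/32 -p tcp -m tcp --dport 5000 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 5000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5000 -j DROP'
BAD_CHAIN='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 5000 -j ACCEPT
-A INPUT -s 203.0.113.55/32 -p tcp -m tcp --dport 5000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5000 -j DROP'

if [ "${1:-}" = "--live" ]; then
    iptables -S INPUT | check_port_order "${2:-5000}"
else
    printf '%s\n' "$GOOD_CHAIN" | check_port_order 5000
    printf '%s\n' "$BAD_CHAIN" | check_port_order 5000 || true
fi
```

Run it as `./fw-order-check.sh --live 5000` after applying the rules; a MISORDERED result means the blanket rule has to be removed or the DROP inserted ahead of it with -I.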


AppArmor temporary profile (limits what .NET can do if exploited)

bash
# Install apparmor-utils if missing (AppArmor is available on Ubuntu/Debian and SUSE;
# Rocky/RHEL ship SELinux instead, so this step does not apply there)
apt install apparmor-utils -y   # Ubuntu/Debian
# or zypper install apparmor-utils

# Put .NET in complain mode (logs violations but doesn't block).
# aa-complain only switches an EXISTING profile for this binary into complain
# mode; it does not create one, and fails if no profile is found.
aa-complain /usr/share/dotnet/dotnet


Warning: These are stopgaps. They reduce blast radius but do not fix the vulnerability. Schedule the real update.


