May 2026 Servicing Releases: .NET and .NET Framework Security Updates
Overview
In May 2026, Microsoft rolled out its combined servicing updates for both .NET and .NET Framework. These updates, available as of May 12, 2026, address critical security vulnerabilities and deliver important non-security fixes. This article provides a comprehensive breakdown of what's new, the resolved CVEs, and guidance for updating your environments. Whether you're using .NET 10, 9, 8, or .NET Framework 3.5 through 4.8.1, these releases are essential for maintaining a secure and stable platform.
Security Enhancements
Four significant security vulnerabilities have been patched in this update. Two Elevation of Privilege vulnerabilities (CVE-2026-32177 and CVE-2026-35433), one Tampering vulnerability (CVE-2026-32175), and one Denial of Service vulnerability (CVE-2026-42899) are now resolved. Below is a detailed look at each.
CVE-2026-32177: .NET Elevation of Privilege Vulnerability
This flaw affects .NET 10.0, 9.0, 8.0 and multiple .NET Framework versions (3.5, 4.6.2, 4.7, 4.7.2, 4.8, 4.8.1). An attacker could exploit this to gain elevated privileges on affected systems. The update mitigates this by enforcing stricter permission checks. Update immediately to protect against potential privilege escalation.
CVE-2026-35433: .NET Elevation of Privilege Vulnerability
Another Elevation of Privilege vulnerability, but this one impacts only .NET 10.0, 9.0, and 8.0 (not .NET Framework). It shares similar risks and is addressed through enhanced validation logic. Ensure you have the latest runtime or SDK installed.
CVE-2026-32175: .NET Tampering Vulnerability
A Tampering vulnerability that could allow an attacker to modify application data or code. This affects .NET 10.0, 9.0, and 8.0. The fix implements tamper-resistant mechanisms. Source integrity is critical—update to prevent unauthorized changes.
CVE-2026-42899: .NET Denial of Service Vulnerability
A Denial of Service (DoS) vulnerability that could cause applications to crash or become unresponsive. It targets .NET 10.0, 9.0, and 8.0. Patching is straightforward and recommended for all production workloads.
Release Highlights
This month's servicing releases bring the following version numbers:
- .NET 10.0.8 – includes ASP.NET Core 10.0.8, Entity Framework Core 10.0.8, and Runtime 10.0.8.
- .NET 9.0.16 – runtime version 9.0.16.
- .NET 8.0.27 – runtime version 8.0.27.
Each release comes with its own release notes, installers, binaries, container images, Linux packages, and known issues documentation. Refer to the links in the table below for direct access.
Release Resources Table
| Component | .NET 10.0 | .NET 9.0 | .NET 8.0 |
|---|---|---|---|
| Release Notes | 10.0.8 | 9.0.16 | 8.0.27 |
| Installers/Binaries | 10.0.8 | 9.0.16 | 8.0.27 |
| Container Images | images | images | images |
| Linux Packages | 10.0 | 9.0 | 8.0 |
| Known Issues | 10.0 | 9.0 | 8.0 |
.NET Framework May 2026 Updates
In addition to .NET, the .NET Framework received both security and non-security updates this month. These updates cover versions 3.5, 4.6.2, 4.7, 4.7.2, 4.8, and 4.8.1. The fixes address the CVE-2026-32177 vulnerability (Elevation of Privilege) as well as other reliability improvements. For a complete list, browse the official .NET Framework release notes on the Microsoft documentation site.
How to Update
To apply these updates, use your standard update channels:
- Windows Update – for .NET Framework and .NET Desktop Runtime.
- Package Managers – like Winget, NuGet, or Linux package managers for .NET SDKs and runtimes.
- Container Images – pull updated images from Microsoft Artifact Registry.
- Direct Downloads – from the official .NET download page.
After updating, verify your environment version and test critical applications. See the known issues links for any potential regressions.
Conclusion
The May 2026 servicing releases for .NET and .NET Framework provide essential security patches and stability fixes. With four CVEs resolved—including two Elevation of Privilege, one Tampering, and one DoS—it's vital to update as soon as possible. Microsoft encourages all users to apply the latest updates to keep their applications secure and performant. For feedback, visit the Release feedback issue. See you next month with more updates!
Last updated: May 12, 2026
Related Articles
- Canvas Cyberattack Highlights Persistent Cybersecurity Gaps in Education
- 10 Critical Insights Into Linux's Proposed Vulnerability Kill Switch
- 8 Critical Facts About the OceanLotus PyPI Attack and ZiChatBot Malware
- Defending Against Hypersonic Supply Chain Attacks: A Step-by-Step Guide to Stopping Unknown Payloads
- How to Identify and Mitigate CVE-2026-0300: PAN-OS Captive Portal Buffer Overflow Vulnerability
- Understanding the YellowKey and GreenPlasma BitLocker Bypass Vulnerabilities: Q&A
- How Microsoft Shut Down a Malware-Signing Cybercrime Service Exploiting Its Own Platform
- Chaos Cubes Unleashed: Fortnite Chapter 7 Season 2's New XP Goldmine and Lore Key