May 2026 Servicing Releases: .NET and .NET Framework Security Updates

Overview of the May 2026 Servicing Releases

The combined servicing updates for .NET and .NET Framework for May 2026 have arrived, bringing critical security enhancements and reliability improvements. Released on May 12, 2026, these updates address multiple vulnerabilities across a broad range of product versions, from .NET 8.0 to .NET 10.0, as well as .NET Framework 3.5 through 4.8.1. This article provides a comprehensive look at the fixes, updated versions, and how to get the latest bits.

Security Improvements and Fixed Vulnerabilities

Four Common Vulnerabilities and Exposures (CVEs) have been resolved in this servicing wave. The fixes target elevation of privilege, tampering, and denial of service scenarios that could affect applications built on affected frameworks. Below is a detailed breakdown of each CVE and the impacted platforms.

CVE-2026-32177: .NET Elevation of Privilege Vulnerability

This vulnerability affects .NET 10.0, .NET 9.0, .NET 8.0, and multiple .NET Framework versions (3.5, 4.6.2, 4.7, 4.7.2, 4.8, 4.8.1). An attacker could potentially exploit this flaw to gain elevated privileges in a .NET environment. The update neutralizes the attack vector by hardening internal privilege checks.

CVE-2026-35433: .NET Elevation of Privilege Vulnerability

Similar in nature to CVE-2026-32177, this elevation of privilege issue is specific to .NET 10.0, 9.0, and 8.0. It does not impact .NET Framework. The fix ensures that untrusted code cannot leverage certain framework capabilities to escalate its access level.

CVE-2026-32175: .NET Tampering Vulnerability

A tampering vulnerability has been addressed in .NET 10.0, 9.0, and 8.0. This flaw could allow an adversary to modify input data or configuration in a way that alters the behavior of a .NET application. The servicing release tightens validation routines to prevent such tampering.

CVE-2026-42899: .NET Denial of Service Vulnerability

Affecting the same three .NET versions (10.0, 9.0, 8.0), this denial of service vulnerability could enable a remote attacker to crash a .NET application by sending specially crafted requests. The update introduces improved resource limits and request handling to mitigate the risk.

Updated Versions and Release Details

Each major .NET line has received a new patch version. The table below summarizes the release numbers, along with links to official download pages and container images.

• .NET 10.0 → version 10.0.8
• .NET 9.0 → version 9.0.16
• .NET 8.0 → version 8.0.27

For each of these releases, the following resources are available:

• Installers and binaries for .NET 10.0.8
• Installers and binaries for .NET 9.0.16
• Installers and binaries for .NET 8.0.27
• Container images are tagged with the respective versions on Microsoft Container Registry.
• Linux packages are published to package repositories (e.g., dotnet-sdk-10.0, dotnet-sdk-9.0, dotnet-sdk-8.0).

Known issues for each release are documented in the release notes:

• .NET 10.0 known issues
• .NET 9.0 known issues
• .NET 8.0 known issues

Release Changelogs

In addition to the CVEs, these updates include numerous non-security fixes. The key component changelogs are:

• ASP.NET Core 10.0.8
• Entity Framework Core 10.0.8
• .NET Runtime 10.0.8, 9.0.16, and 8.0.27

For a complete list of changes, refer to the official release notes for each version. Feedback on this release can be shared via the .NET core repository.

.NET Framework May 2026 Updates

Alongside the .NET Core updates, the .NET Framework also received servicing releases this month. Both security and non-security fixes are included for supported versions (3.5, 4.6.2, 4.7, 4.7.2, 4.8, and 4.8.1). The .NET Framework updates primarily address CVE-2026-32177, which affects all listed Framework versions. To see the full list of changes, browse the .NET Framework release notes.

Stay Up to Date

As with any servicing release, it is strongly recommended to apply these updates as soon as possible to protect your applications and infrastructure. The May 2026 servicing wave resolves multiple security weaknesses that could otherwise lead to privilege escalation, data tampering, or service disruption. Install the latest bits from the official download pages or update your container images using the new tags. We'll be back next month with another round of updates.