10 Critical Updates in the May 2026 .NET and .NET Framework Servicing Release

Welcome to our deep dive into the May 2026 servicing updates for .NET and .NET Framework. This month’s release packs several security patches, new version numbers, and essential fixes that every developer should be aware of. Whether you're running .NET 10.0, 9.0, 8.0, or a .NET Framework version, this listicle breaks down the ten most important things you need to know. Let’s jump in.

1. Four Critical CVEs Addressed This Month

May 2026 brings fixes for four distinct Common Vulnerabilities and Exposures (CVEs) that affect various versions of .NET and .NET Framework. These range from elevation of privilege to tampering and denial of service. The affected products include .NET 10.0, 9.0, 8.0, and multiple .NET Framework versions (3.5, 4.6.2, 4.7, 4.7.2, 4.8, 4.8.1). None of these vulnerabilities were publicly disclosed prior to this release, so updating promptly is highly recommended. You can review the full list of CVEs in item 2.

2. CVE-2026-32177 – Elevation of Privilege Vulnerability

The first CVE, CVE-2026-32177, is an elevation of privilege vulnerability that affects all supported .NET and .NET Framework versions. This means an attacker could potentially gain higher-level access to system resources. The fix is included in the May 12, 2026 update. If you're running .NET 10.0, 9.0, 8.0, or any .NET Framework version from 3.5 onward, your application needs this patch. For more details on which version you should upgrade to, skip to item 6.

3. CVE-2026-35433 – Another Elevation of Privilege Issue

The second CVE, CVE-2026-35433, also targets elevation of privilege but only applies to .NET 10.0, 9.0, and 8.0. It does not affect .NET Framework. This vulnerability could allow an authenticated attacker to escalate their privileges within your application. The update eliminates the exploit vector. As always, we recommend updating all affected runtimes and SDKs. Check the release notes in item 9 for the exact version numbers.

4. CVE-2026-32175 – Tampering Vulnerability

CVE-2026-32175 is a tampering vulnerability that affects .NET 10.0, 9.0, and 8.0 only. This means an attacker could modify the behavior of your application by tampering with internal data. The fix prevents such manipulation. Although .NET Framework is not impacted, all modern .NET users should prioritize this update. Make sure to also review the known issues before deploying in production.

5. CVE-2026-42899 – Denial of Service Vulnerability

Rounding out the security fixes is CVE-2026-42899, a denial of service (DoS) vulnerability that affects .NET 10.0, 9.0, and 8.0. An unauthenticated attacker could send specially crafted input to crash your service. Installing the May 2026 update mitigates this risk. DoS attacks can be particularly damaging for web-facing applications, so this patch should be applied as soon as possible.

6. New Version Numbers for .NET 10.0, 9.0, and 8.0

The updated versions are:

• .NET 10.0 → 10.0.8
• .NET 9.0 → 9.0.16
• .NET 8.0 → 8.0.27

Each includes the four security fixes and additional non-security improvements. You can download the installers and binaries directly from the official .NET website. For containerized environments, see item 7 for image details.

7. Installers, Binaries, and Container Images Available

Alongside the updated runtimes, Microsoft has released new installers and binaries for all three versions. For container deployments, updated Docker images are now available on Microsoft Artifact Registry. Linux packages are also refreshed for each supported distribution. If you’re using package managers like apt or yum, point to the May 2026 feeds. Detailed links can be found on the .NET release notes page.

8. Known Issues for Each Version

Every major release includes a list of known issues. For this servicing update, the known issues documents for .NET 10.0, 9.0, and 8.0 have been updated. Some issues may affect specific scenarios like Azure Functions or Entity Framework. We strongly recommend reviewing these before upgrading production systems. The known issues pages are linked from the release notes (item 9).

9. Release Changelogs and Links

The full changelogs for this month are:

• ASP.NET Core: 10.0.8
• Entity Framework Core: 10.0.8
• Runtime: 10.0.8 | 9.0.16 | 8.0.27

You can browse the .NET Framework release notes separately. All details are available on the .NET Blog. Feel free to share feedback in the Release feedback issue.

10. .NET Framework May 2026 Updates

This month also brings new security and non-security updates for .NET Framework (3.5, 4.6.2, 4.7, 4.7.2, 4.8, 4.8.1). While many CVEs overlap with .NET, .NET Framework has its own patch set. Be sure to visit the .NET Framework release notes for detailed information. Updating both .NET and .NET Framework ensures comprehensive protection across your entire stack.

Final thoughts: The May 2026 servicing releases are crucial for maintaining a secure and stable .NET environment. Make updating your priority today. Happy coding!