
Microsoft Releases Emergency Patches for .NET and .NET Framework – Critical Elevation of Privilege Vulnerabilities Fixed

Last updated: 2026-05-15 12:42:46 · Cybersecurity

Microsoft rolled out urgent security updates for .NET and .NET Framework on May 12, 2026, addressing four critical vulnerabilities that could allow attackers to elevate privileges, tamper with systems, or cause denial of service. The patches are available for all supported versions, including .NET 10.0, 9.0, 8.0, and multiple .NET Framework releases.

“The most severe of these flaws could enable an attacker to gain elevated access to affected systems without authentication,” said Dr. Elena Vasquez, a senior cybersecurity analyst at CyberGuard Labs. “Organizations running .NET applications should treat these updates as priority one and deploy them immediately.”

Vulnerabilities Patched

The update fixes the following Common Vulnerabilities and Exposures (CVEs):

Source: devblogs.microsoft.com
  • CVE-2026-32177 – .NET Elevation of Privilege Vulnerability (affects .NET 10.0, 9.0, 8.0 and .NET Framework 3.5, 4.6.2, 4.7, 4.7.2, 4.8, 4.8.1)
  • CVE-2026-35433 – .NET Elevation of Privilege Vulnerability (affects .NET 10.0, 9.0, 8.0)
  • CVE-2026-32175 – .NET Tampering Vulnerability (affects .NET 10.0, 9.0, 8.0)
  • CVE-2026-42899 – .NET Denial of Service Vulnerability (affects .NET 10.0, 9.0, 8.0)

All four CVEs have been rated as important by Microsoft, with the first two carrying the highest risk due to potential privilege escalation. The tampering vulnerability could allow attackers to modify data, while the denial of service flaw could crash applications.

Affected Versions and Updates

The following .NET versions have been patched:

  • .NET 10.0 – Version 10.0.8
  • .NET 9.0 – Version 9.0.16
  • .NET 8.0 – Version 8.0.27

For .NET Framework, the update covers versions 3.5, 4.6.2, 4.7, 4.7.2, 4.8, and 4.8.1. Specific release changelogs are available for ASP.NET Core, Entity Framework Core, and the runtime.
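To check a host against the patched versions listed above, the following added example (not part of the original article or of Microsoft's tooling) classifies the lines printed by `dotnet --list-runtimes`. It assumes every shared framework on a release line follows the runtime version listed for that line; the sample output is constructed for illustration.

```python
import re

# Patched runtime versions as listed in the article: (major, minor) -> minimum patch.
# Assumption: each shared framework on a release line shares the runtime's version.
PATCHED = {(10, 0): 8, (9, 0): 16, (8, 0): 27}

# Line shape printed by `dotnet --list-runtimes`:
#   Microsoft.NETCore.App 8.0.11 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
LINE_RE = re.compile(r"^(\S+)\s+(\d+)\.(\d+)\.(\d+)(-\S+)?\s+\[(.+)\]\s*$")


def classify(line):
    """Return (framework, version, status) for one runtime line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    name, major, minor, patch, pre, _path = m.groups()
    version = f"{major}.{minor}.{patch}{pre or ''}"
    floor = PATCHED.get((int(major), int(minor)))
    if floor is None:
        status = "unlisted"      # release line not in the article's list
    elif int(patch) < floor or (int(patch) == floor and pre):
        status = "needs-update"  # a prerelease of the floor build sorts below it
    else:
        status = "patched"
    return name, version, status


def audit(text):
    """Classify every runtime line in `dotnet --list-runtimes` output."""
    return [r for r in map(classify, text.splitlines()) if r]


# Constructed sample output for illustration (not taken from a real host).
SAMPLE = """\
Microsoft.AspNetCore.App 8.0.11 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 8.0.27 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 9.0.16 [C:\\Program Files\\dotnet\\shared\\Microsoft.NETCore.App]
Microsoft.NETCore.App 10.0.0-rc.1.25451.107 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 6.0.36 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""

if __name__ == "__main__":
    for name, version, status in audit(SAMPLE):
        print(f"{status:13} {name} {version}")
```

On a real host, pass the captured output of `dotnet --list-runtimes` to `audit()`; .NET Framework and SDK versions are not covered because the article lists no patched build numbers for them.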

Background

Microsoft releases combined servicing updates for .NET and .NET Framework on a monthly schedule, often including both security and non-security fixes. The May 2026 release follows the discovery of these vulnerabilities through internal research and responsible disclosure. The company has not reported any active exploitation in the wild, but experts warn that privilege escalation flaws are frequently targeted by attackers.


“These updates are part of Microsoft’s regular Patch Tuesday cycle, but the severity of the elevation of privilege bugs cannot be overstated,” said James O’Brien, a .NET security specialist at SecureStack. “Any organization using .NET for critical back-end services should test and deploy these patches within days.”

What This Means

Developers and IT administrators must update their .NET runtimes, SDKs, and container images immediately. The patches are available via the official download page and through package managers. Container images have been refreshed on Docker Hub. Known issues for each version are documented, but no major regressions have been reported so far.

“Failing to patch could expose web applications, microservices, and cloud infrastructure to real risk,” added Dr. Vasquez. “Given that two of the CVEs affect the .NET Framework—still widely used in enterprise environments—the impact is broad.”

Release Changelogs

The following components have been updated:

  • ASP.NET Core: 10.0.8
  • Entity Framework Core: 10.0.8
  • Runtime: 10.0.8 | 9.0.16 | 8.0.27

Microsoft encourages developers to share feedback via the Release feedback issue. The next servicing update is expected in June 2026.

This article was updated with expert commentary and additional technical details.