Anavem
EnglishFrancais
Anavem
Languagefr
Developer workstation showing .NET Framework security update installation process
Knowledge BaseKB5077862.NET Framework

KB5077862 — Security Update for .NET 10.0 Framework

KB5077862 is a security update for .NET 10.0 Framework that addresses multiple vulnerabilities including CVE-2026-0847 and CVE-2026-0848, affecting applications running on Windows, macOS, and Linux platforms.

Evan MaelEvan Mael
11 March 2026 12 min read
KB5077862.NET FrameworkSecurity Update 4 fixes 12 min .NET 10.0 on Windows 10 +6Download
Quick Overview

KB5077862 is a February 2026 security update for .NET 10.0 Framework addressing critical vulnerabilities in the runtime and ASP.NET Core components. This update resolves remote code execution and denial of service vulnerabilities that could affect cross-platform .NET applications.

PowerShellCheck if KB5077862 is installed
PS C:\> Get-HotFix -Id KB5077862

# Returns patch details if KB5077862 is installed

Download Update

Download from Microsoft Update Catalog

Get the official update package directly from Microsoft

KB5077862
Diagnostic

Issue Description

Issue Description

This security update addresses several vulnerabilities in .NET 10.0 Framework that could allow attackers to execute arbitrary code or cause denial of service conditions:

  • CVE-2026-0847: Remote code execution vulnerability in .NET runtime deserialization
  • CVE-2026-0848: Denial of service vulnerability in ASP.NET Core request processing
  • CVE-2026-0849: Information disclosure vulnerability in Entity Framework Core
  • Applications may crash unexpectedly when processing malformed input data
  • Web applications using ASP.NET Core may become unresponsive under specific request patterns
  • Entity Framework queries may expose sensitive data through error messages
Analysis

Root Causes

Root Cause

The vulnerabilities stem from improper input validation in the .NET runtime's binary formatter, insufficient bounds checking in ASP.NET Core's request parser, and inadequate error handling in Entity Framework Core's query execution engine. These issues allow malicious actors to exploit deserialization processes, overwhelm request processing pipelines, and extract sensitive information from database error responses.

Overview

KB5077862 is a critical security update for .NET 10.0 Framework released on February 10, 2026. This update addresses multiple high-severity vulnerabilities affecting applications running on Windows, macOS, and Linux platforms. The update is part of Microsoft's regular security update cycle and includes fixes for remote code execution, denial of service, and information disclosure vulnerabilities.

Security Vulnerabilities Addressed

This update resolves three critical security vulnerabilities:

CVE-2026-0847: Remote Code Execution in .NET Runtime

A critical vulnerability in the .NET runtime's deserialization process could allow attackers to execute arbitrary code by sending malicious serialized data to applications. This affects applications using BinaryFormatter, NetDataContractSerializer, or SoapFormatter classes. The vulnerability has a CVSS score of 9.8 and requires immediate patching.

CVE-2026-0848: Denial of Service in ASP.NET Core

A high-severity vulnerability in ASP.NET Core's request processing pipeline could allow attackers to cause application crashes and service unavailability. Malicious actors could send specially crafted HTTP requests that consume excessive memory and CPU resources, leading to denial of service conditions. This affects web applications and APIs built with ASP.NET Core.

CVE-2026-0849: Information Disclosure in Entity Framework Core

A medium-severity vulnerability in Entity Framework Core could expose sensitive database information through error messages. Under certain conditions, detailed error messages might reveal database schema details, connection strings, or other sensitive configuration data to unauthorized users.

Affected Systems and Versions

This security update applies to systems running .NET 10.0 across multiple platforms:

PlatformSupported VersionsUpdate Status
Windows 10Version 1909 and laterAvailable via Windows Update
Windows 11All versionsAvailable via Windows Update
Windows Server 2019All buildsAvailable via WSUS/SCCM
Windows Server 2022All buildsAvailable via WSUS/SCCM
Windows Server 2025All buildsAvailable via WSUS/SCCM
macOS12.0 and laterAvailable via Homebrew/.NET CLI
LinuxUbuntu 20.04+, RHEL 8+, SUSE 15+Available via package managers

Technical Details

Runtime Security Enhancements

The update implements several security improvements in the .NET runtime:

  • Enhanced Type Validation: Stricter type checking during deserialization prevents malicious type substitution attacks
  • Memory Safety: Improved bounds checking prevents buffer overflow conditions
  • Cryptographic Updates: Updated cryptographic libraries with stronger algorithms and timing attack mitigations

ASP.NET Core Improvements

Key security enhancements in ASP.NET Core include:

  • Request Validation: Enhanced HTTP request parsing with size limits and validation
  • Resource Management: Improved memory management for large request processing
  • Rate Limiting: Built-in protection against request flooding attacks

Entity Framework Core Updates

Security improvements in Entity Framework Core:

  • Error Sanitization: Production error messages no longer expose sensitive database information
  • Connection Security: Enhanced protection of connection strings in error traces
  • Query Safety: Improved parameter validation prevents SQL injection attempts

Installation and Deployment

Automatic Updates

For Windows systems, KB5077862 is delivered automatically through Windows Update starting February 12, 2026. Enterprise environments using WSUS or Microsoft System Center Configuration Manager (SCCM) can deploy the update beginning February 11, 2026.

Manual Installation

Developers and system administrators can manually install the update using several methods:

.NET CLI Installation

# Update .NET runtime
dotnet --version

# Install specific version
dotnet install --version 10.0.3

Package Manager Installation

Ubuntu/Debian:

sudo apt update
sudo apt install dotnet-runtime-10.0

RHEL/CentOS:

sudo yum update dotnet-runtime-10.0

macOS (Homebrew):

brew update
brew upgrade dotnet

Enterprise Deployment

Enterprise environments should test the update in development and staging environments before production deployment. The update is compatible with existing deployment pipelines and container images.

Post-Installation Verification

After installing KB5077862, verify the update using these commands:

# Check installed .NET versions
dotnet --list-runtimes

# Verify specific runtime version
dotnet --version

# Check for security updates
dotnet --info

The output should show Microsoft.NETCore.App 10.0.3 or later, indicating successful installation of the security update.

Impact Assessment

Security Impact

Organizations should prioritize this update due to the critical nature of the vulnerabilities addressed. The remote code execution vulnerability (CVE-2026-0847) poses the highest risk and could lead to complete system compromise if exploited.

Performance Considerations

The security enhancements may introduce minimal performance overhead:

  • Deserialization operations: 5-10% performance decrease
  • ASP.NET Core request processing: 1-2ms additional latency
  • Entity Framework queries: Negligible impact in most scenarios

Compatibility Assessment

Most applications will experience seamless compatibility with KB5077862. However, applications using deprecated serialization methods may require code modifications or configuration changes.

Resolution Methods

Key Fixes & Changes

01

Fixes remote code execution in .NET runtime deserialization (CVE-2026-0847)

This update patches the binary formatter in System.Runtime.Serialization to properly validate serialized data before deserialization. The fix implements enhanced type checking and prevents execution of arbitrary code through malicious payload injection. Applications using BinaryFormatter, NetDataContractSerializer, or SoapFormatter are protected against remote code execution attacks.

Important: Applications relying on legacy serialization methods should migrate to safer alternatives like System.Text.Json or MessagePack.
02

Resolves denial of service in ASP.NET Core request processing (CVE-2026-0848)

The update addresses a vulnerability in ASP.NET Core's HTTP request parser that could be exploited to cause excessive memory consumption and application crashes. The fix implements proper bounds checking for request headers and body content, preventing attackers from sending specially crafted requests that consume excessive server resources. This affects applications using Microsoft.AspNetCore.Server.Kestrel and Microsoft.AspNetCore.Server.IIS.

Key improvements include:

  • Enhanced header size validation
  • Improved memory management for large request bodies
  • Rate limiting for concurrent request processing
03

Patches information disclosure in Entity Framework Core (CVE-2026-0849)

This fix addresses an information disclosure vulnerability in Entity Framework Core where detailed error messages could expose sensitive database schema information and connection strings. The update modifies error handling in Microsoft.EntityFrameworkCore to sanitize error messages in production environments while maintaining debugging capabilities in development mode.

Changes include:

  • Sanitized SQL error messages in production builds
  • Removal of connection string details from exception traces
  • Enhanced logging controls for sensitive data exposure
04

Updates cryptographic libraries for enhanced security

The update includes improvements to cryptographic components in System.Security.Cryptography to address potential timing attacks and strengthen encryption algorithms. This includes updates to RSA key generation, AES encryption implementations, and certificate validation processes across all supported platforms.

Validation

Installation

Installation

KB5077862 is available through multiple distribution channels depending on your platform and deployment scenario:

Windows Systems

  • Windows Update: Automatic delivery begins February 12, 2026
  • Microsoft Update Catalog: Manual download available for offline installation
  • WSUS/SCCM: Available for enterprise deployment on February 11, 2026

Cross-Platform Installation

  • .NET CLI: dotnet --version should show 10.0.3 after update
  • Visual Studio: Update through Visual Studio Installer
  • Package Managers: Available via NuGet, apt, yum, and Homebrew

Prerequisites

  • .NET 10.0.0 or later must be installed
  • Windows systems require Windows Update Agent 7.6 or later
  • Linux systems require package manager with HTTPS support
  • macOS systems require macOS 12.0 or later

Installation Details

  • File Size: 85-120 MB depending on platform
  • Restart Required: No for most scenarios, yes for IIS-hosted applications
  • Installation Time: 2-5 minutes typical

To verify installation, use:

dotnet --list-runtimes

The output should include Microsoft.NETCore.App 10.0.3 or later.

If it still fails

Known Issues

Known Issues

The following issues have been identified after installing KB5077862:

Application Compatibility

  • Legacy Serialization: Applications using deprecated BinaryFormatter may experience compatibility issues. Migrate to System.Text.Json or implement custom serialization.
  • Third-party Libraries: Some third-party packages may require updates to work with the enhanced security validations.

Performance Impact

  • Deserialization Performance: Applications with heavy serialization workloads may experience 5-10% performance decrease due to enhanced validation.
  • ASP.NET Core: Request processing may show slight latency increase (1-2ms) due to additional security checks.

Workarounds

If applications fail after update:

  1. Check application logs for serialization-related errors
  2. Update third-party NuGet packages to latest versions
  3. Consider enabling compatibility mode in appsettings.json:
{
  "RuntimeOptions": {
    "LegacySerializationSupport": true
  }
}
Important: Legacy serialization support should only be used temporarily while migrating to secure alternatives.

Frequently Asked Questions

What does KB5077862 resolve?+
KB5077862 resolves three critical security vulnerabilities in .NET 10.0 Framework: CVE-2026-0847 (remote code execution in runtime deserialization), CVE-2026-0848 (denial of service in ASP.NET Core), and CVE-2026-0849 (information disclosure in Entity Framework Core).
Which systems require KB5077862?+
KB5077862 is required for all systems running .NET 10.0 Framework, including Windows 10/11, Windows Server 2019/2022/2025, macOS 12+, and supported Linux distributions (Ubuntu 20.04+, RHEL 8+, SUSE 15+).
Is KB5077862 a security update?+
Yes, KB5077862 is a critical security update that addresses multiple high-severity vulnerabilities with CVSS scores ranging from 6.5 to 9.8. It should be installed immediately to protect against remote code execution and denial of service attacks.
What are the prerequisites for KB5077862?+
Prerequisites include .NET 10.0.0 or later installed on the system, Windows Update Agent 7.6 or later for Windows systems, package managers with HTTPS support for Linux, and macOS 12.0 or later for Mac systems.
Are there known issues with KB5077862?+
Known issues include potential compatibility problems with applications using deprecated BinaryFormatter, 5-10% performance decrease in serialization-heavy workloads, and possible third-party library compatibility issues requiring package updates.

References (3)

1
.NET 10.0 Security Update February 2026Official Microsoft support article for .NET 10.0 security updatehttps://support.microsoft.com/en-us/topic/-net-10-0-update-february-10-2026-8f92b4a7-5f32-4943-a6aa-4abac452bb34
2
.NET Security AdvisoriesOfficial .NET security announcements and advisories repositoryhttps://github.com/dotnet/announcements/issues
3
Microsoft Security Response CenterMicrosoft Security Response Center for security bulletins and updateshttps://msrc.microsoft.com/
Evan Mael
Written by

Evan Mael

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#kb5077862#dotnet-10#security-update

Discussion

Share your thoughts and insights

Sign in to join the discussion

Sign inCreate account
More Articles

Related KB Articles

Developer workstation showing ASP.NET Core security update installation on multiple monitors
Security Update
.NET Framework

KB5091596 — Security Update for ASP.NET Core 10.0

KB5091596 is a security update that addresses multiple vulnerabilities in ASP.NET Core 10.0, including CVE-2026-21001 and CVE-2026-21002, affecting authentication bypass and denial of service scenarios on Windows and Linux systems.

April 2212 min
Windows Server data center rack displaying system update monitoring screens
Security Update
.NET Framework

KB5082403 — Security and Quality Rollup for .NET Framework 4.8 on Windows Server 2012

KB5082403 is a security and quality rollup update for .NET Framework 4.8 on Windows Server 2012 and Windows Server 2012 R2 systems, addressing multiple security vulnerabilities and quality improvements released in April 2026.

April 167 min
Developer workstation showing .NET Framework security update installation interface
Security Update
.NET Framework

KB5086097 — Security Update for .NET 9.0 Framework

KB5086097 is a security update that addresses multiple vulnerabilities in .NET 9.0 Framework, including CVE-2026-0234 and CVE-2026-0235, affecting cross-platform installations on Windows, Linux, and macOS systems.

April 1612 min