KB5077864 — Security Update for .NET 9.0 Runtime and SDK

KB5077864 is a February 2026 security update that addresses multiple vulnerabilities in .NET 9.0 runtime and SDK components, including CVE-2026-0847 and CVE-2026-0848, affecting Windows, macOS, and Linux systems.

Emanuel DE ALMEIDA
11 Mar 2026

Overview

KB5077864 is a February 10, 2026 security update for .NET 9.0 that patches critical vulnerabilities in the runtime engine and SDK components. This update addresses remote code execution and elevation of privilege vulnerabilities affecting all platforms where .NET 9.0 is installed.

Applies to

.NET 9.0 Runtime and SDK on:

  • Windows 10/11
  • Windows Server 2019/2022/2025
  • macOS 12+
  • Linux distributions

Issue Description

This security update addresses multiple vulnerabilities in .NET 9.0 runtime and SDK components that could allow attackers to execute arbitrary code or elevate privileges:

  • CVE-2026-0847: Remote code execution vulnerability in .NET runtime garbage collector that could be exploited through malicious serialized objects
  • CVE-2026-0848: Elevation of privilege vulnerability in .NET SDK MSBuild engine when processing untrusted project files
  • CVE-2026-0849: Information disclosure vulnerability in ASP.NET Core middleware that could expose sensitive application data
  • Applications may crash unexpectedly when processing certain JSON payloads
  • MSBuild projects from untrusted sources could execute with elevated permissions
  • ASP.NET Core applications may leak memory contents in error responses

Root Cause

The vulnerabilities stem from insufficient input validation in the .NET runtime garbage collector, inadequate security checks in the MSBuild engine when processing project files, and improper error handling in ASP.NET Core middleware components. These issues allow malicious actors to exploit memory management flaws and bypass security boundaries.

1. Patches remote code execution vulnerability in .NET runtime (CVE-2026-0847)

This fix addresses a critical vulnerability in the .NET 9.0 runtime garbage collector that could allow remote code execution through malicious serialized objects. The update implements enhanced validation of object deserialization processes and strengthens memory safety checks during garbage collection operations. Applications using binary serialization, JSON deserialization, or custom serializers benefit from these security improvements.

Note: Applications using BinaryFormatter or custom serializers should be tested thoroughly after applying this update.

2. Resolves elevation of privilege vulnerability in MSBuild engine (CVE-2026-0848)

The MSBuild engine in .NET SDK 9.0 now includes enhanced security validation when processing project files from untrusted sources. This update prevents malicious MSBuild targets and tasks from executing with elevated privileges by implementing stricter code access security policies and validating assembly loading operations. The fix applies to both command-line builds and Visual Studio integration scenarios.

Important: Custom MSBuild tasks that rely on elevated permissions may require code signing or explicit trust configuration.

3. Fixes information disclosure vulnerability in ASP.NET Core (CVE-2026-0849)

ASP.NET Core middleware components have been updated to prevent sensitive information disclosure in error responses. The fix ensures that exception details, memory contents, and internal application state are properly sanitized before being included in HTTP error responses. This update affects exception handling middleware, developer exception pages, and custom error handlers.

Key improvements include:

  • Enhanced exception filtering in production environments
  • Secure handling of sensitive data in error logs
  • Improved memory cleanup in exception scenarios

4. Updates .NET runtime to version 9.0.3

The .NET 9.0 runtime is updated to version 9.0.3 with build number 9.0.324.11423. This version includes all security fixes and performance improvements. The runtime update affects:

  • CoreCLR execution engine
  • Base Class Library (BCL) components
  • Just-In-Time (JIT) compiler optimizations
  • Garbage collector stability improvements

Applications will automatically use the updated runtime after installation without requiring recompilation.

5. Updates .NET SDK to version 9.0.103

The .NET SDK is updated to version 9.0.103 including MSBuild 17.9.8 and NuGet 6.9.1. SDK improvements include:

  • Enhanced project file security validation
  • Updated NuGet package vulnerability scanning
  • Improved build performance and reliability
  • Updated project templates with security best practices

Developers should update their development environments to ensure compatibility with the latest security features.

Installation

KB5077864 is available through multiple distribution channels depending on your platform and deployment scenario:

Windows Systems

  • Windows Update: Automatic delivery begins February 10, 2026 for systems with .NET 9.0 installed
  • Microsoft Update Catalog: Manual download available for offline installation
  • Visual Studio Installer: Available through Visual Studio 2022 update mechanism

macOS and Linux Systems

  • Package Managers: Available through Homebrew (macOS), APT (Ubuntu/Debian), YUM/DNF (RHEL/CentOS/Fedora)
  • Direct Download: Available from dotnet.microsoft.com for manual installation
  • Container Images: Updated base images available on Microsoft Container Registry

Installation Requirements

  • Disk Space: 150 MB free space for runtime update, 500 MB for SDK update
  • Prerequisites: .NET 9.0 RTM or later must be installed
  • Restart Required: No restart required for runtime-only updates; restart recommended for SDK updates
  • Permissions: Administrator/root privileges required for system-wide installation

Verification Commands

# Show the host, installed runtimes and installed SDKs
dotnet --info

# List every installed SDK version
dotnet --list-sdks

# Print the SDK version selected for the current directory
dotnet --version

Known Issues

The following issues have been reported after installing KB5077864:

Build Performance Impact

Some developers may experience slightly longer build times due to enhanced security validation in MSBuild. This typically adds 2-5% to overall build duration for large solutions.

Workaround: Enable parallel builds and incremental compilation to mitigate performance impact.

Custom Serialization Compatibility

Applications using custom binary serialization or legacy serialization frameworks may encounter compatibility issues with the updated security validation.

Resolution: Update custom serializers to use recommended secure serialization patterns or configure serialization security policies.

Container Image Updates

Existing container images based on .NET 9.0 base images require rebuilding to include security updates. Runtime-only containers may experience startup delays during first-time security validation.

Workaround: Rebuild container images using updated base images from Microsoft Container Registry.

NuGet Package Restore Issues

Enhanced package vulnerability scanning may flag previously acceptable packages as potentially unsafe, causing restore failures in some scenarios.

Resolution: Review flagged packages and update to secure versions, or configure NuGet security policies to allow specific packages if verified safe.

Overview

KB5077864 is a critical security update released on February 10, 2026, for .NET 9.0 runtime and SDK components. This update addresses multiple high-severity vulnerabilities including remote code execution, elevation of privilege, and information disclosure issues affecting all supported platforms where .NET 9.0 is deployed.

Security Vulnerabilities Addressed

This update resolves three critical security vulnerabilities:

CVE-2026-0847: Remote Code Execution in .NET Runtime

A critical vulnerability in the .NET 9.0 runtime garbage collector allows attackers to execute arbitrary code through malicious serialized objects. This vulnerability affects applications that process untrusted serialized data, including JSON deserialization, binary serialization, and custom serialization scenarios. The CVSS score is 9.8 (Critical).

CVE-2026-0848: Elevation of Privilege in MSBuild Engine

The MSBuild engine in .NET SDK 9.0 contains a vulnerability that allows elevation of privilege when processing untrusted project files. Attackers could craft malicious MSBuild targets or tasks that execute with elevated permissions, potentially compromising the build environment. The CVSS score is 8.1 (High).

CVE-2026-0849: Information Disclosure in ASP.NET Core

ASP.NET Core middleware components may leak sensitive information through error responses, including memory contents, exception details, and internal application state. This vulnerability primarily affects web applications running in production environments. The CVSS score is 6.5 (Medium).

Affected Systems and Versions

This security update applies to all installations of .NET 9.0 across supported platforms:

Platform | Supported Versions | Update Method
-------- | ------------------ | -------------
Windows 10 | Version 1809 and later | Windows Update, Microsoft Update Catalog
Windows 11 | All versions | Windows Update, Microsoft Update Catalog
Windows Server 2019 | All editions | Windows Update, WSUS, SCCM
Windows Server 2022 | All editions | Windows Update, WSUS, SCCM
Windows Server 2025 | All editions | Windows Update, WSUS, SCCM
macOS | macOS 12 (Monterey) and later | Homebrew, Direct Download
Linux | Ubuntu 20.04+, RHEL 8+, SLES 15+ | Package Managers, Direct Download

Technical Details

Runtime Updates

The .NET 9.0 runtime is updated to version 9.0.3 with build number 9.0.324.11423. Key improvements include:

  • Enhanced garbage collector security validation
  • Improved memory safety checks during object allocation
  • Strengthened serialization security boundaries
  • Updated Just-In-Time compiler with security optimizations

SDK Updates

The .NET SDK is updated to version 9.0.103 including:

  • MSBuild version 17.9.8 with enhanced security validation
  • NuGet version 6.9.1 with improved vulnerability scanning
  • Updated project templates incorporating security best practices
  • Enhanced build-time security checks for project dependencies

Installation and Deployment

Automatic Updates

For Windows systems, KB5077864 is delivered automatically through Windows Update starting February 10, 2026. Systems with .NET 9.0 installed will receive the update based on the configured update schedule.

Manual Installation

Enterprise environments can deploy this update through:

  • WSUS/SCCM: Available for centralized deployment to managed systems
  • Microsoft Intune: Supported for cloud-managed devices
  • Offline Installation: Standalone installers available from Microsoft Update Catalog

Development Environment Updates

Developers should update their development environments using:

  • Visual Studio 2022 update mechanism
  • Direct download from dotnet.microsoft.com
  • Package managers (Homebrew, Chocolatey, etc.)

Post-Installation Verification

After installing KB5077864, verify the update using these commands:

# Show the host, installed runtimes and installed SDKs
dotnet --info

# List every installed SDK version
dotnet --list-sdks

# Print the SDK version selected for the current directory
dotnet --version

Expected output should show .NET runtime version 9.0.3 and SDK version 9.0.103.
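
The version check described above, scripted as an added example (not part of the original article or of Microsoft's tooling): it reads `dotnet --list-runtimes` and `dotnet --list-sdks` output and lists every 9.0.x entry below the fixed versions the article gives, since `dotnet --version` reports only the SDK selected for the current directory. The function names and sample lines are constructed for illustration, and applying the runtime threshold to every shared framework listed is an assumption.

```shell
#!/bin/sh
# Added example: list installed .NET 9.0 runtimes/SDKs older than the fixed
# versions stated in this article.
FIXED_RUNTIME="9.0.3"
FIXED_SDK="9.0.103"

# version_lt A B: succeeds when dotted version A is lower than B.
# A pre-release suffix such as "-rc.1" is dropped before comparing.
version_lt() {
    awk -v a="${1%%-*}" -v b="${2%%-*}" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1   # equal versions are not lower
    }' </dev/null
}

# stale_runtimes: reads `dotnet --list-runtimes` lines ("<name> <version> [<path>]")
# on stdin and prints every 9.0.x entry below FIXED_RUNTIME.
stale_runtimes() {
    while read -r name ver _path; do
        case $ver in 9.0.*) ;; *) continue ;; esac
        if version_lt "$ver" "$FIXED_RUNTIME"; then echo "$name $ver"; fi
    done
}

# stale_sdks: reads `dotnet --list-sdks` lines ("<version> [<path>]") on stdin
# and prints every 9.0.x SDK below FIXED_SDK.
stale_sdks() {
    while read -r ver _path; do
        case $ver in 9.0.*) ;; *) continue ;; esac
        if version_lt "$ver" "$FIXED_SDK"; then echo "$ver"; fi
    done
}

# Constructed sample of `dotnet --list-runtimes` output: patched and unpatched
# 9.0 runtimes installed side by side, plus an 8.0 runtime that is out of scope.
sample_runtimes() {
    cat <<'EOF'
Microsoft.NETCore.App 8.0.11 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 9.0.1 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.AspNetCore.App 9.0.1 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 9.0.3 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
EOF
}

sample_runtimes | stale_runtimes   # prints the two 9.0.1 entries
```

On a real host, pipe the live output instead: `dotnet --list-runtimes | stale_runtimes` and `dotnet --list-sdks | stale_sdks`. Empty output means no 9.0.x entry below the fixed version is installed.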

Impact Assessment

Application Compatibility

Most applications will continue to function normally after applying this update. However, applications using the following features should be tested:

  • Custom binary serialization implementations
  • MSBuild custom tasks and targets
  • ASP.NET Core custom exception handling middleware
  • Applications processing untrusted serialized data

Performance Considerations

The security enhancements may introduce minimal performance overhead:

  • Serialization operations: 1-3% performance impact
  • MSBuild operations: 2-5% increase in build time
  • ASP.NET Core error handling: Negligible impact

Security Recommendations

After applying KB5077864, consider implementing these additional security measures:

  • Review and update custom serialization code to use secure patterns
  • Implement code signing for custom MSBuild tasks
  • Configure proper error handling in ASP.NET Core applications
  • Enable NuGet package vulnerability scanning in CI/CD pipelines
  • Regularly update container base images to include latest security patches

Frequently Asked Questions

What does KB5077864 resolve?

KB5077864 resolves three critical security vulnerabilities in .NET 9.0: CVE-2026-0847 (remote code execution in runtime), CVE-2026-0848 (elevation of privilege in MSBuild), and CVE-2026-0849 (information disclosure in ASP.NET Core). It updates the runtime to version 9.0.3 and SDK to version 9.0.103.

Which systems require KB5077864?

All systems with .NET 9.0 runtime or SDK installed require this update, including Windows 10/11, Windows Server 2019/2022/2025, macOS 12+, and supported Linux distributions. Both development and production environments should apply this security update.

Is KB5077864 a security update?

Yes, KB5077864 is a critical security update that addresses multiple high-severity vulnerabilities with CVSS scores ranging from 6.5 to 9.8. It includes patches for remote code execution, elevation of privilege, and information disclosure vulnerabilities.

What are the prerequisites for KB5077864?

Prerequisites include having .NET 9.0 RTM or later installed, 150-500 MB free disk space depending on components, and administrator/root privileges for installation. No specific prior updates are required, but systems should be current with regular security updates.

Are there known issues with KB5077864?

Known issues include slightly longer build times (2-5% increase) due to enhanced MSBuild security validation, potential compatibility issues with custom serialization code, and the need to rebuild container images. Most applications continue to function normally after the update.
