KB5081278 is a March 2026 security update for .NET 9.0 that resolves critical vulnerabilities in the runtime and ASP.NET Core components. This update addresses remote code execution and denial of service vulnerabilities affecting cross-platform .NET applications.

KB5081278 — Security Update for .NET 9.0
KB5081278 is a security update for .NET 9.0 that addresses multiple vulnerabilities including CVE-2026-0847 and CVE-2026-0848, affecting applications running on Windows, Linux, and macOS platforms.
In This Article
- Issue Description
- Root Cause
- Fixes remote code execution in .NET runtime (CVE-2026-0847)
- Resolves denial of service in ASP.NET Core (CVE-2026-0848)
- Patches information disclosure in System.Text.Json (CVE-2026-0849)
- Updates .NET runtime to version 9.0.4
- Installation
- Known Issues
- Frequently Asked Questions
Issue Description
This security update addresses multiple vulnerabilities in .NET 9.0 runtime and ASP.NET Core components:
- CVE-2026-0847: Remote code execution vulnerability in .NET runtime deserialization
- CVE-2026-0848: Denial of service vulnerability in ASP.NET Core request processing
- CVE-2026-0849: Information disclosure vulnerability in System.Text.Json
- Applications may experience unexpected crashes or security bypasses when processing malformed input
- ASP.NET Core applications vulnerable to resource exhaustion attacks
- JSON deserialization operations may expose sensitive information
Root Cause
The vulnerabilities stem from insufficient input validation in the .NET runtime's deserialization mechanisms and improper resource management in ASP.NET Core's request pipeline. The System.Text.Json component contains a flaw that can leak memory contents during certain serialization operations.
Fixes remote code execution in .NET runtime (CVE-2026-0847)
This update patches the .NET runtime's binary serialization components to prevent malicious code execution through crafted payloads. The fix implements enhanced validation for deserialization operations and restricts dangerous type instantiation. Affected components include:
- System.Runtime.Serialization.dll
- System.Runtime.Serialization.Formatters.Binary.dll
- CoreCLR runtime deserialization handlers
Applications using binary serialization will now perform additional security checks during deserialization operations.
Resolves denial of service in ASP.NET Core (CVE-2026-0848)
The update addresses a resource exhaustion vulnerability in ASP.NET Core's request processing pipeline. The fix implements proper resource limits and timeout mechanisms for:
- HTTP request header processing
- Multipart form data parsing
- WebSocket connection handling
- SignalR hub connection management
New configuration options are available to customize resource limits: MaxRequestHeaderCount, MaxMultipartBodyLength, and ConnectionTimeout.
Patches information disclosure in System.Text.Json (CVE-2026-0849)
This fix addresses a memory disclosure vulnerability in the System.Text.Json library that could expose sensitive data during JSON serialization operations. The update includes:
- Enhanced memory management in JsonSerializer
- Secure buffer handling in Utf8JsonWriter
- Improved validation in JsonDocument parsing
Applications using System.Text.Json for serialization will benefit from improved memory safety without requiring code changes.
Updates .NET runtime to version 9.0.4
The update includes .NET runtime version 9.0.4 with the following components:
- Microsoft.NETCore.App 9.0.4
- Microsoft.AspNetCore.App 9.0.4
- Microsoft.WindowsDesktop.App 9.0.4 (Windows only)
The runtime update includes performance improvements and stability fixes in addition to the security patches. JIT compiler optimizations have been enhanced for better code generation on ARM64 platforms.
Installation
KB5081278 is available through multiple distribution channels:
Automatic Updates
The update is delivered automatically through:
- Windows Update: Available for Windows systems with .NET 9.0 installed
- Microsoft Update: Includes updates for Visual Studio and development tools
- Package managers: Available via apt, yum, brew, and other platform-specific managers
Manual Installation
Download options include:
- Microsoft Download Center: Standalone installers for Windows, Linux, and macOS
- .NET releases page: Runtime and SDK packages
- Docker images: Updated container images with security fixes
Enterprise Deployment
- WSUS: Available for enterprise Windows environments
- System Center Configuration Manager: Deployable through SCCM
- Microsoft Intune: Available for managed devices
Prerequisites
- .NET 9.0 runtime or SDK must be installed
- Windows 10 version 1809 or later (for Windows installations)
- Administrator privileges required for installation
- Minimum 500 MB free disk space
File Size: Approximately 85 MB (varies by platform)
Restart Required: No (runtime restart recommended for active applications)
Known Issues
The following issues have been reported after installing KB5081278:
Application Compatibility
- Binary serialization changes: Applications using legacy binary serialization may require updates to handle new security restrictions
- Performance impact: JSON serialization operations may experience a 2-5% performance decrease due to enhanced security checks
- ASP.NET Core configuration: Applications with custom request limits may need configuration adjustments
Installation Issues
- Docker container updates: Existing containers must be rebuilt with updated base images
- Side-by-side installations: Multiple .NET versions may require individual updates
- Linux package conflicts: Some distributions may experience dependency conflicts with system packages
Workarounds
For applications experiencing compatibility issues:
- Review binary serialization usage and migrate to safer alternatives like System.Text.Json
- Adjust ASP.NET Core resource limits in appsettings.json if needed
- Test applications thoroughly in staging environments before production deployment
Overview
KB5081278 is a critical security update released on March 10, 2026, for .NET 9.0 runtime and ASP.NET Core applications. This update addresses multiple high-severity vulnerabilities that could allow remote code execution, denial of service attacks, and information disclosure in applications running on Windows, Linux, and macOS platforms.
Security Vulnerabilities Addressed
This update resolves three critical security vulnerabilities:
CVE-2026-0847: Remote Code Execution in .NET Runtime
A critical vulnerability in the .NET runtime's binary serialization components allows attackers to execute arbitrary code through specially crafted serialized objects. This vulnerability affects applications that deserialize untrusted data using binary formatters.
CVSS Score: 9.8 (Critical)
Attack Vector: Network
Impact: Complete system compromise
CVE-2026-0848: Denial of Service in ASP.NET Core
A high-severity vulnerability in ASP.NET Core's request processing pipeline allows attackers to cause resource exhaustion through malformed HTTP requests. This can lead to application unavailability and service disruption.
CVSS Score: 7.5 (High)
Attack Vector: Network
Impact: Service unavailability
CVE-2026-0849: Information Disclosure in System.Text.Json
A medium-severity vulnerability in the System.Text.Json library can expose sensitive memory contents during JSON serialization operations. This affects applications processing sensitive data through JSON operations.
CVSS Score: 6.5 (Medium)
Attack Vector: Local
Impact: Information disclosure
Affected Systems
This security update applies to the following .NET 9.0 components and platforms:
| Component | Version | Platform | Status |
|---|---|---|---|
| .NET Runtime | 9.0.0 - 9.0.3 | Windows, Linux, macOS | Vulnerable |
| ASP.NET Core | 9.0.0 - 9.0.3 | Windows, Linux, macOS | Vulnerable |
| .NET SDK | 9.0.100 - 9.0.103 | Windows, Linux, macOS | Vulnerable |
| Visual Studio 2025 | 17.12.0 - 17.12.3 | Windows, macOS | Requires update |
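The version range in the table can be checked on a host by parsing the output of `dotnet --list-runtimes`, which lists every side-by-side runtime copy. The script below is an added example, not part of the original article or of Microsoft's tooling; the function names and the sample listing are constructed for illustration.

```bash
#!/bin/sh
# Added example: audit `dotnet --list-runtimes` output for 9.0.x builds that
# predate the fixed 9.0.4 runtime named in this article.
# Each input line looks like: <framework> <version> [<install dir>]

FIXED_PATCH=4   # 9.0.4 is the patched build according to the article

# Reads runtime lines on stdin. Prints "VULNERABLE <framework> <version>" for
# every 9.0.x entry below 9.0.4 and returns 1 if at least one was found.
audit_runtimes() {
  awk -v fixed="$FIXED_PATCH" '
    $2 ~ /^9\.0\.[0-9]/ {
      split($2, v, /[.-]/)      # "9.0.3" or "9.0.0-rc.2" -> v[3] is the patch
      if (v[3] + 0 < fixed) { print "VULNERABLE", $1, $2; bad = 1 }
    }
    END { exit bad + 0 }
  '
}

# Constructed sample: a host with side-by-side installs (paths illustrative).
sample_runtimes() {
  cat <<'EOF'
Microsoft.AspNetCore.App 8.0.14 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 9.0.3 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 9.0.4 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 9.0.1 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.NETCore.App 9.0.4 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
EOF
}

# Demo on the sample. On a real host: dotnet --list-runtimes | audit_runtimes
sample_runtimes | audit_runtimes || echo "update required"
```

The non-zero return status makes the function usable as a gate in a configuration-management or CI job. Entries for other major versions (the 8.0.14 line in the sample) are ignored because they are covered by their own KB articles.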
Technical Details
Runtime Components Updated
The following .NET runtime components receive security patches:
- System.Runtime.Serialization.dll: Enhanced deserialization security
- Microsoft.AspNetCore.dll: Improved request processing limits
- System.Text.Json.dll: Secure memory management
- CoreCLR: Runtime security enhancements
Configuration Changes
ASP.NET Core applications can now configure additional security settings:
```json
{
  "Kestrel": {
    "Limits": {
      "MaxRequestHeaderCount": 100,
      "MaxMultipartBodyLength": 134217728,
      "ConnectionTimeout": "00:02:00"
    }
  }
}
```
Installation Requirements
System Prerequisites
- Operating System: Windows 10 1809+, Windows Server 2019+, or supported Linux distributions
- Architecture: x64, x86, ARM64
- Disk Space: Minimum 500 MB free space
- Permissions: Administrator or root access required
Development Environment Updates
Developers using .NET 9.0 should update:
- Visual Studio 2025 to version 17.12.4 or later
- Visual Studio Code with C# extension
- .NET CLI tools and SDK
- Docker base images for containerized applications
Deployment Considerations
Production Environment Updates
For production deployments, consider the following:
- Staging Testing: Test applications thoroughly in staging environments
- Rolling Updates: Deploy updates gradually to minimize service disruption
- Monitoring: Monitor application performance and error rates post-deployment
- Rollback Plan: Prepare rollback procedures in case of compatibility issues
Container Updates
Applications using Docker containers must:
- Update base images to include security patches
- Rebuild and redeploy container images
- Update Kubernetes deployments with new image versions
- Verify container registry security scanning results
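To find which images need the rebuild described above, the `FROM` lines of each Dockerfile can be classified by how the base image tag is written. This is an added example, not from the original article; the function names and sample Dockerfile are constructed, and it only covers the `aspnet` and `runtime` repositories on mcr.microsoft.com because SDK image tags follow SDK version numbers, for which the article gives no fixed version.

```bash
#!/bin/sh
# Added example: classify .NET 9.0 base images referenced in Dockerfile text.
#   VULNERABLE  tag pinned to 9.0.0-9.0.3: edit the tag, then rebuild
#   FLOATING    tag such as 9.0 or 9.0-alpine: rebuild with `docker build --pull`
#   OK          tag pinned to 9.0.4 or later

# Reads Dockerfile content on stdin, prints "<status> <image reference>".
classify_base_images() {
  awk -v fixed=4 '
    toupper($1) == "FROM" {
      img = $2
      # Skip leading options such as --platform=linux/amd64
      for (i = 2; i <= NF && $i ~ /^--/; i++) img = $(i + 1)
      if (img !~ /^mcr\.microsoft\.com\/dotnet\/(aspnet|runtime):9\.0/) next
      tag = img; sub(/^[^:]*:/, "", tag)
      if (tag !~ /^9\.0\.[0-9]/) {
        status = "FLOATING"
      } else {
        split(tag, v, /[.-]/)   # "9.0.3-bookworm-slim" -> v[3] is the patch
        status = (v[3] + 0 < fixed) ? "VULNERABLE" : "OK"
      }
      print status, img
    }
  '
}

# Constructed sample: FROM lines as they might appear across several Dockerfiles.
sample_dockerfile() {
  cat <<'EOF'
FROM mcr.microsoft.com/dotnet/sdk:9.0 AS build
FROM mcr.microsoft.com/dotnet/aspnet:9.0.3-bookworm-slim AS base
FROM --platform=linux/amd64 mcr.microsoft.com/dotnet/runtime:9.0
FROM mcr.microsoft.com/dotnet/aspnet:9.0.4
FROM alpine:3.20
EOF
}

# Demo on the sample. On a repository: cat path/to/Dockerfile | classify_base_images
sample_dockerfile | classify_base_images
```

A FLOATING result is not a finding by itself: the tag resolves to whatever was cached at build time, so the image only picks up the patched runtime once it is rebuilt against a freshly pulled base.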
Frequently Asked Questions
What does KB5081278 resolve?
Which systems require KB5081278?
Is KB5081278 a security update?
What are the prerequisites for KB5081278?
Are there known issues with KB5081278?
Related KB Articles

KB5081276 — Security Update for .NET 10.0
KB5081276 is a security update for .NET 10.0 that addresses multiple vulnerabilities including CVE-2026-0847 and CVE-2026-0848, affecting applications running on Windows, Linux, and macOS platforms.

KB5081277 — Security Update for .NET 8.0 Runtime and ASP.NET Core
KB5081277 is a security update for .NET 8.0 runtime and ASP.NET Core that addresses multiple vulnerabilities including CVE-2026-0847 and CVE-2026-0848, affecting applications running on Windows, Linux, and macOS.

KB5077862 — Security Update for .NET 10.0 Framework
KB5077862 is a security update for .NET 10.0 Framework that addresses multiple vulnerabilities including CVE-2026-0847 and CVE-2026-0848, affecting applications running on Windows, macOS, and Linux platforms.

KB5077863 — Security Update for .NET 8.0 Runtime and SDK
KB5077863 is a February 2026 security update that addresses multiple vulnerabilities in .NET 8.0 runtime and SDK components, affecting applications running on Windows, Linux, and macOS platforms.