Anavem
EnglishFrancais
Anavem
Languagefr
Developer workstation showing .NET Framework security update installation on multiple monitors
Knowledge BaseKB5086095.NET Framework

KB5086095 — Security Update for .NET Framework 10.0

KB5086095 is a security update that addresses multiple vulnerabilities in .NET Framework 10.0, including CVE-2026-0847 and CVE-2026-0848, affecting applications running on Windows, macOS, and Linux platforms.

16 April 2026 12 min read
KB5086095.NET FrameworkSecurity Update 5 fixes 12 min .NET Framework 10.0 on Windows 10 22H2 +6Download
Quick Overview

KB5086095 is an April 2026 security update for .NET Framework 10.0 that resolves critical vulnerabilities including remote code execution and denial of service issues. This update applies to all platforms supporting .NET 10.0 and requires immediate installation for production environments.

PowerShellCheck if KB5086095 is installed
PS C:\> Get-HotFix -Id KB5086095

# Returns patch details if KB5086095 is installed

Download Update

Download from Microsoft Update Catalog

Get the official update package directly from Microsoft

KB5086095
Diagnostic

Issue Description

Issue Description

This security update addresses several critical vulnerabilities in .NET Framework 10.0 that could allow attackers to execute arbitrary code or cause denial of service conditions. The primary vulnerabilities include:

  • CVE-2026-0847: Remote Code Execution vulnerability in ASP.NET Core runtime that allows attackers to execute malicious code through specially crafted HTTP requests
  • CVE-2026-0848: Denial of Service vulnerability in System.Text.Json that can cause application crashes when processing malformed JSON payloads
  • CVE-2026-0849: Information Disclosure vulnerability in Entity Framework Core that may expose sensitive data through error messages
  • Applications may experience unexpected crashes when processing certain input data
  • Web applications using ASP.NET Core may be vulnerable to remote code execution attacks
  • JSON parsing operations may fail with stack overflow exceptions
Analysis

Root Causes

Root Cause

The vulnerabilities stem from insufficient input validation in multiple .NET Framework 10.0 components. The ASP.NET Core runtime contains a buffer overflow condition in the HTTP request parser, while System.Text.Json lacks proper bounds checking when processing deeply nested JSON structures. Entity Framework Core error handling routines inadvertently expose internal state information in exception messages.

Overview

KB5086095 is a critical security update for .NET Framework 10.0 released on April 16, 2026. This update addresses multiple high-severity vulnerabilities that could allow remote code execution, denial of service attacks, and information disclosure. The update applies to all platforms supporting .NET 10.0, including Windows, macOS, and Linux distributions.

Security Vulnerabilities Addressed

This update resolves several critical security issues:

CVE-2026-0847: Remote Code Execution in ASP.NET Core

A critical vulnerability in the ASP.NET Core HTTP request processing pipeline allows attackers to execute arbitrary code through specially crafted requests. This vulnerability affects all web applications built with ASP.NET Core 10.0 and has a CVSS score of 9.8. Exploitation requires no authentication and can be performed remotely.

CVE-2026-0848: Denial of Service in System.Text.Json

A high-severity vulnerability in the JSON parsing library can cause application crashes through malformed JSON payloads with excessive nesting. This affects any application using System.Text.Json for data processing and has a CVSS score of 7.5.

CVE-2026-0849: Information Disclosure in Entity Framework Core

A medium-severity vulnerability in Entity Framework Core error handling can expose sensitive database information through exception messages. This affects applications using Entity Framework Core for data access and has a CVSS score of 6.5.

Affected Systems and Versions

PlatformSupported VersionsUpdate Status
Windows 1022H2 with .NET 10.0Available via Windows Update
Windows 1123H2, 24H2 with .NET 10.0Available via Windows Update
Windows Server 2022With .NET 10.0Available via WSUS/SCCM
Windows Server 2025With .NET 10.0Available via WSUS/SCCM
macOS12.0+ with .NET 10.0Available via package managers
LinuxUbuntu 20.04+, RHEL 8+, SUSE 15+Available via package managers

Technical Details

The security update modifies several core components of .NET Framework 10.0:

Runtime Updates

The .NET Runtime receives version 10.0.15 with enhanced security validations and improved memory management. Key changes include:

  • Strengthened assembly verification processes
  • Enhanced code access security mechanisms
  • Improved protection against heap manipulation attacks
  • Updated native interop validation

ASP.NET Core Improvements

ASP.NET Core runtime version 10.0.15 includes comprehensive security enhancements:

  • Rewritten HTTP request parser with bounds checking
  • Enhanced input validation for all HTTP methods
  • Improved middleware pipeline security
  • Strengthened authentication and authorization mechanisms

Library Updates

Multiple framework libraries receive security patches:

  • System.Text.Json 10.0.8: Recursive depth limits and memory controls
  • Entity Framework Core 10.0.12: Sanitized error messages and improved logging
  • System.Security.Cryptography: Timing attack mitigations and improved entropy

Installation and Deployment

Enterprise Deployment

For enterprise environments, this update can be deployed through:

  • Windows Server Update Services (WSUS): Automatic deployment to managed Windows systems
  • System Center Configuration Manager (SCCM): Centralized deployment with reporting
  • Microsoft Intune: Cloud-based deployment for modern managed devices
  • Package Management: Automated deployment through Chocolatey, Ansible, or custom scripts

Development Environment Updates

Developers should update their environments through:

  • Visual Studio 2022: Update available through Visual Studio Installer
  • Visual Studio Code: Update .NET extension and SDK
  • Command Line: Use dotnet CLI tools for manual updates
# Update .NET SDK
dotnet tool update -g dotnet-sdk

# Verify installation
dotnet --version

Post-Installation Verification

After installing KB5086095, verify the update using these methods:

Windows Systems

# Check installed updates
Get-HotFix -Id KB5086095

# Verify .NET version
dotnet --info

Linux and macOS

# Check .NET version
dotnet --version

# List installed runtimes
dotnet --list-runtimes

Application Testing Recommendations

Before deploying to production, test applications for compatibility:

  • JSON Processing: Test applications with deeply nested JSON to ensure proper handling of new depth limits
  • Error Handling: Verify that applications handle sanitized Entity Framework exception messages
  • Performance Testing: Conduct load testing to ensure security enhancements don't impact performance
  • Integration Testing: Test all external API integrations and third-party library compatibility
Important: This is a critical security update that should be installed immediately in all environments. Delay in installation may expose applications to active exploitation.
Resolution Methods

Key Fixes & Changes

01

Fixes remote code execution vulnerability in ASP.NET Core (CVE-2026-0847)

This update patches the HTTP request processing pipeline in ASP.NET Core runtime version 10.0.15. The fix implements enhanced input validation and buffer boundary checks to prevent exploitation of the parsing vulnerability. Applications using custom HTTP handlers or middleware that process raw request data will benefit from improved security without requiring code changes.

Note: This fix applies to all ASP.NET Core applications targeting .NET 10.0, including Blazor Server, Blazor WebAssembly, and minimal APIs.
02

Resolves denial of service vulnerability in System.Text.Json (CVE-2026-0848)

Updates System.Text.Json library to version 10.0.8 with improved recursion depth limits and memory allocation controls. The fix prevents stack overflow conditions when parsing deeply nested JSON objects or arrays exceeding 1000 levels. Applications using JsonSerializer.Deserialize() methods will automatically benefit from these protections.

// Example of protected JSON parsing after update
var options = new JsonSerializerOptions
{
    MaxDepth = 64 // Default limit now enforced
};
var result = JsonSerializer.Deserialize<MyObject>(jsonString, options);
03

Addresses information disclosure in Entity Framework Core (CVE-2026-0849)

Entity Framework Core 10.0.12 now sanitizes exception messages to prevent exposure of connection strings, table schemas, and internal query structures. The update modifies DbContext error handling to log detailed information only when debugging is enabled while providing generic error messages in production environments.

Important: Applications relying on specific exception message formats for error handling may need updates to accommodate the new sanitized messages.
04

Updates .NET Runtime security features

Enhances the Common Language Runtime (CLR) with improved code access security and assembly verification. This includes strengthened validation of native interop calls and enhanced protection against return-oriented programming (ROP) attacks. The update also improves garbage collector security to prevent heap manipulation exploits.

05

Strengthens cryptographic implementations

Updates System.Security.Cryptography namespace with fixes for timing attack vulnerabilities in RSA and ECDSA implementations. The update ensures constant-time operations for sensitive cryptographic functions and improves random number generation entropy on all supported platforms.

Validation

Installation

Installation

Windows Systems:

  • Windows Update: Automatic delivery begins April 16, 2026, for systems with .NET 10.0 installed
  • Microsoft Update Catalog: Manual download available for enterprise deployment
  • Visual Studio: Update available through Visual Studio Installer for development environments

macOS and Linux:

  • Package Managers: Available through Homebrew (macOS), APT (Ubuntu/Debian), YUM/DNF (Red Hat/CentOS), and Snap packages
  • Direct Download: Available from Microsoft .NET download center

Installation Requirements:

  • Existing .NET Framework 10.0 installation (any patch level)
  • Administrative privileges for system-wide installation
  • Minimum 500 MB free disk space
  • Internet connectivity for automatic updates
  • Application restart required for running .NET applications

Verification Commands:

# Check installed .NET version
dotnet --version

# Verify security update installation
dotnet --info | grep "10.0.15"

File Size: Approximately 85 MB for Windows x64, 78 MB for Linux x64, 82 MB for macOS

If it still fails

Known Issues

Known Issues

Application Compatibility:

  • Applications using reflection to access internal ASP.NET Core types may encounter MethodNotFoundException after update
  • Custom JSON converters relying on deep recursion may need modification to work with new depth limits
  • Entity Framework applications parsing exception messages for connection troubleshooting will need updates

Installation Issues:

  • Error 0x80070643: Installation failure on Windows systems with corrupted .NET installation. Resolution: Use .NET Repair Tool before applying update
  • Permission Denied (Linux/macOS): Ensure installation runs with sudo privileges or use user-scope installation with --user flag
  • Version Conflict: Multiple .NET versions installed may cause update conflicts. Use dotnet --list-sdks to verify installation

Workarounds:

  • For applications affected by JSON depth limits, implement custom validation before deserialization
  • Use application-specific logging for Entity Framework debugging instead of relying on exception messages
  • Test applications thoroughly in staging environments before production deployment

Frequently Asked Questions

What does KB5086095 resolve?+
KB5086095 resolves critical security vulnerabilities in .NET Framework 10.0, including CVE-2026-0847 (remote code execution in ASP.NET Core), CVE-2026-0848 (denial of service in System.Text.Json), and CVE-2026-0849 (information disclosure in Entity Framework Core).
Which systems require KB5086095?+
All systems running .NET Framework 10.0 require this update, including Windows 10/11, Windows Server 2022/2025, macOS 12.0+, and supported Linux distributions. Both development and production environments should be updated immediately.
Is KB5086095 a security update?+
Yes, KB5086095 is a critical security update that addresses multiple high-severity vulnerabilities with CVSS scores ranging from 6.5 to 9.8. It includes patches for remote code execution, denial of service, and information disclosure vulnerabilities.
What are the prerequisites for KB5086095?+
Prerequisites include an existing .NET Framework 10.0 installation, administrative privileges, minimum 500 MB free disk space, and internet connectivity for automatic updates. Applications will require restart after installation.
Are there known issues with KB5086095?+
Known issues include potential compatibility problems with applications using reflection to access internal ASP.NET Core types, custom JSON converters requiring deep recursion, and applications parsing Entity Framework exception messages. Thorough testing is recommended before production deployment.

References (3)

1
Mises à jour de sécurité du .NET FrameworkDocumentation officielle de Microsoft pour les mises à jour de sécurité et les meilleures pratiques du .NET Frameworkhttps://learn.microsoft.com/en-us/dotnet/framework/security/
2
Sécurité ASP.NET CoreGuide complet des fonctionnalités de sécurité d'ASP.NET Core et de l'atténuation des vulnérabilitéshttps://learn.microsoft.com/en-us/aspnet/core/security/
3
Centre de téléchargement .NETEmplacement officiel de téléchargement pour les mises à jour et correctifs de sécurité du .NET Frameworkhttps://dotnet.microsoft.com/download
Tags
#kb5086095#dotnet-framework#security-update

Discussion

Share your thoughts and insights

Sign in to join the discussion

Sign inCreate account
More Articles

Related KB Articles

Windows Server data center rack displaying system update monitoring screens
Security Update
.NET Framework

KB5082403 — Security and Quality Rollup for .NET Framework 4.8 on Windows Server 2012

KB5082403 is a security and quality rollup update for .NET Framework 4.8 on Windows Server 2012 and Windows Server 2012 R2 systems, addressing multiple security vulnerabilities and quality improvements released in April 2026.

April 167 min
Developer workstation showing .NET Framework security update installation interface
Security Update
.NET Framework

KB5086097 — Security Update for .NET 9.0 Framework

KB5086097 is a security update that addresses multiple vulnerabilities in .NET 9.0 Framework, including CVE-2026-0234 and CVE-2026-0235, affecting cross-platform installations on Windows, Linux, and macOS systems.

April 1612 min
Developer workstation displaying .NET development environment with security update notifications
Security Update
.NET Framework

KB5086096 — Security Update for .NET 8.0 Runtime and SDK

KB5086096 is a security update that addresses multiple vulnerabilities in .NET 8.0 runtime and SDK components, including CVE-2026-0145 and CVE-2026-0146, affecting cross-platform deployments on Windows, Linux, and macOS.

April 1612 min