KB5086096 — Security Update for .NET 8.0 Runtime and SDK

Overview

KB5086096 is a critical security update released on April 16, 2026, for .NET 8.0 runtime and SDK components. This update addresses multiple high-severity vulnerabilities that affect applications running on Windows, Linux, and macOS platforms. The update is part of Microsoft's regular security update cycle and should be applied immediately to all .NET 8.0 deployments.

Security Vulnerabilities Addressed

This update resolves several critical security vulnerabilities in the .NET 8.0 runtime and development tools:

CVE-2026-0145: .NET Runtime Remote Code Execution

A critical vulnerability in the System.Text.Json serialization component allows remote attackers to execute arbitrary code by sending specially crafted JSON data to vulnerable applications. This vulnerability affects applications that deserialize untrusted JSON input and has a CVSS score of 9.8. The vulnerability exists in the polymorphic type handling mechanism where insufficient validation allows attackers to instantiate arbitrary types during deserialization.

CVE-2026-0146: .NET SDK Elevation of Privilege

A high-severity vulnerability in the .NET SDK allows local attackers to gain elevated privileges during package restoration operations. This vulnerability affects development environments and build systems where NuGet packages are restored with elevated privileges. Attackers could exploit this by placing malicious packages in local package sources or by compromising package restoration scripts.

CVE-2026-0147: ASP.NET Core Information Disclosure

A medium-severity vulnerability in ASP.NET Core applications could allow attackers to obtain sensitive information through detailed error messages. This affects applications running in development mode or with detailed error reporting enabled in production environments. The vulnerability could expose database connection strings, API keys, and other sensitive configuration data.

Affected Systems and Versions

This security update applies to all installations of .NET 8.0 across supported platforms:

Technical Implementation Details

The security fixes in KB5086096 implement several layers of protection:

Enhanced Input Validation

The updated System.Text.Json component includes comprehensive input validation that prevents malicious payloads from exploiting deserialization vulnerabilities. This includes strict type checking, bounds validation, and sanitization of polymorphic type information.

Privilege Separation

The SDK update implements proper privilege separation during package operations, ensuring that package restoration and build processes cannot be exploited to gain system-level access. This includes sandboxing of custom MSBuild targets and validation of package sources.

Error Message Sanitization

ASP.NET Core applications now include improved error handling that prevents sensitive information from being exposed through exception details while maintaining useful debugging information for developers.

Deployment Considerations

Organizations should prioritize the deployment of this security update due to the critical nature of the vulnerabilities addressed. The update can be deployed through existing software distribution mechanisms and does not require application code changes in most cases.

Testing Recommendations

Before deploying to production environments, organizations should test applications that use custom serialization logic, third-party NuGet packages, or complex MSBuild configurations. Pay particular attention to applications that deserialize JSON from external sources or use custom JsonConverter implementations.

Rollback Procedures

If issues are encountered after deployment, the update can be rolled back by reinstalling the previous .NET 8.0 version. However, this should only be done as a temporary measure while addressing compatibility issues, as it will leave systems vulnerable to the security issues addressed by this update.