KB5091596 — Security Update for ASP.NET Core 10.0

KB5091596 is a security update that addresses multiple vulnerabilities in ASP.NET Core 10.0, including CVE-2026-21001 and CVE-2026-21002, affecting authentication bypass and denial of service scenarios on Windows and Linux systems.

22 April 2026
Quick Overview

KB5091596 is an April 2026 security update for ASP.NET Core 10.0 that patches critical vulnerabilities including authentication bypass and denial of service issues. This update applies to all platforms supporting ASP.NET Core 10.0 and requires immediate deployment for production environments.

Check if KB5091596 is installed (PowerShell):
PS C:\> Get-HotFix -Id KB5091596

# Returns patch details if KB5091596 is installed

Issue Description

This security update addresses several critical vulnerabilities in ASP.NET Core 10.0 that could allow attackers to compromise application security:

  • CVE-2026-21001: Authentication bypass vulnerability in ASP.NET Core Identity allowing unauthorized access to protected resources
  • CVE-2026-21002: Denial of service vulnerability in Kestrel web server causing application crashes under specific request patterns
  • CVE-2026-21003: Information disclosure vulnerability in ASP.NET Core middleware exposing sensitive configuration data
  • Applications may experience unexpected authentication failures or crashes when processing malformed requests
  • Potential exposure of sensitive application data through error responses

Root Cause

The vulnerabilities stem from improper input validation in ASP.NET Core Identity authentication middleware and insufficient bounds checking in the Kestrel HTTP server. The authentication bypass occurs due to inadequate token validation logic, while the denial of service vulnerability results from unhandled exceptions when processing specially crafted HTTP headers.

Overview

KB5091596 is a critical security update released on April 21, 2026, for ASP.NET Core 10.0. This update addresses multiple high-severity vulnerabilities that could allow attackers to bypass authentication mechanisms, cause denial of service conditions, or access sensitive application information. The update is essential for all environments running ASP.NET Core 10.0 applications and should be deployed immediately to production systems.

Security Vulnerabilities Addressed

This update resolves three critical security vulnerabilities identified in ASP.NET Core 10.0:

CVE-2026-21001: Authentication Bypass Vulnerability

A critical vulnerability in ASP.NET Core Identity allows attackers to bypass authentication mechanisms by exploiting weaknesses in JWT token validation. This vulnerability affects applications using ASP.NET Core Identity for user authentication and could allow unauthorized access to protected resources. The CVSS score for this vulnerability is 8.1 (High).

CVE-2026-21002: Denial of Service in Kestrel

The Kestrel web server contains a vulnerability that allows attackers to cause application crashes through specially crafted HTTP requests. This denial of service vulnerability can be exploited remotely without authentication and has a CVSS score of 7.5 (High).

CVE-2026-21003: Information Disclosure

ASP.NET Core middleware components may inadvertently expose sensitive configuration information through error responses. This information disclosure vulnerability has a CVSS score of 5.3 (Medium) but could provide attackers with valuable information for further attacks.

Affected Systems and Versions

KB5091596 applies to the following systems and configurations:

Platform                       Version                         Status
Windows 10                     All versions with .NET 10.0     Affected
Windows 11                     All versions with .NET 10.0     Affected
Windows Server 2019            With ASP.NET Core 10.0          Affected
Windows Server 2022            With ASP.NET Core 10.0          Affected
Windows Server 2025            With ASP.NET Core 10.0          Affected
Linux (Ubuntu, RHEL, SUSE)     With .NET 10.0 runtime          Affected
macOS                          With .NET 10.0 runtime          Affected

Technical Details

The security fixes in KB5091596 include comprehensive updates to core ASP.NET Core components:

Authentication Framework Updates

The ASP.NET Core Identity framework has been significantly enhanced to prevent authentication bypass attacks. Key improvements include:

  • Strengthened JWT token signature verification algorithms
  • Enhanced validation of authentication claims and user context
  • Improved handling of authentication cookies and session management
  • Additional security checks for token expiration and issuer validation

Kestrel Web Server Improvements

The Kestrel web server has been updated with robust request handling capabilities:

  • Enhanced HTTP header parsing with improved validation
  • Better memory management for large request processing
  • Improved error handling for malformed or malicious requests
  • Updated connection pooling and resource management

Middleware Security Enhancements

ASP.NET Core middleware components now include additional security measures:

  • Sanitized error responses to prevent information leakage
  • Enhanced exception handling with secure logging practices
  • Improved response filtering for sensitive data protection
  • Updated development environment detection and response handling

Installation and Deployment

KB5091596 can be installed through various methods depending on your environment:

Development Environments

For development machines, use the .NET CLI to update:

dotnet tool update --global dotnet
dotnet workload update

Production Environments

For production deployments, use Windows Update or enterprise deployment tools. The update can also be installed manually using the Microsoft Update Catalog.

Containerized Applications

For applications running in containers, update the base ASP.NET Core runtime image:

FROM mcr.microsoft.com/dotnet/aspnet:10.0.4

Post-Installation Verification

After installing KB5091596, verify the update using PowerShell:

Get-HotFix -Id KB5091596
dotnet --version

The .NET version should display 10.0.4 or later. For ASP.NET Core applications, check the runtime version in application logs or, on Windows, using:

dotnet --list-runtimes | findstr "Microsoft.AspNetCore.App"
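The two checks below are an added example, not part of this KB page and not Microsoft tooling: a cross-platform version of the verification step above that classifies the text of `dotnet --list-runtimes`, and a companion check for the Containerized Applications section that scans a Dockerfile for ASP.NET Core base images still behind the patched tag. The 10.0.4 threshold and the mcr.microsoft.com/dotnet/aspnet image path are taken from the page; the runtime listings and the Dockerfile are constructed samples, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the KB page, and not Microsoft's tooling): two checks
# that a deployment is at the 10.0.4 ASP.NET Core level the page associates with
# KB5091596. They read `dotnet --list-runtimes` text and Dockerfile text, so
# they work on Linux/macOS hosts and CI runners where Get-HotFix is unavailable.
# Assumptions: the 10.0.4 threshold is taken from the page; the runtime listings
# and the Dockerfile below are constructed samples, not captured from a machine.

# Return 0 when VERSION is a fixed 10.0.x tag with x >= 4; 1 otherwise.
# Floating tags ("10.0", "latest") and other major/minor lines return 1.
is_patched_aspnet_10() {
    case "$1" in [0-9]*.[0-9]*.[0-9]*) ;; *) return 1 ;; esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    patch=${patch%%[!0-9]*}        # "4-noble" / "4-preview.1" -> "4"
    [ "$major" -eq 10 ] && [ "$minor" -eq 0 ] && [ "$patch" -ge 4 ]
}

# Classify the text of `dotnet --list-runtimes`:
#   0 = a patched Microsoft.AspNetCore.App 10.0.x runtime is installed
#   1 = only unpatched 10.0.x ASP.NET Core runtimes are installed
#   2 = no ASP.NET Core 10.0 runtime is installed at all (the page's prerequisite)
aspnet_runtime_status() {
    result=2
    for ver in $(printf '%s\n' "$1" | awk '$1 == "Microsoft.AspNetCore.App" { print $2 }'); do
        case "$ver" in 10.0.*) ;; *) continue ;; esac
        if is_patched_aspnet_10 "$ver"; then return 0; fi
        result=1
    done
    return "$result"
}

# Count FROM lines in Dockerfile text whose ASP.NET Core runtime base image is
# not a patched 10.0.x tag. Returns the count (0 means every aspnet base image is
# pinned at 10.0.4 or later). Floating tags count as unpatched: they say nothing
# about what an already-built image contains and need a rebuild to pick up 10.0.4.
unpatched_aspnet_base_images() {
    n=0
    for tag in $(printf '%s\n' "$1" | awk '
        $1 == "FROM" {
            i = 2
            while (i <= NF && substr($i, 1, 2) == "--") i++   # skip --platform=... flags
            if (index($i, "mcr.microsoft.com/dotnet/aspnet:") == 1) {
                split($i, parts, "@")                           # drop @sha256:... digests
                sub(/^mcr\.microsoft\.com\/dotnet\/aspnet:/, "", parts[1])
                print parts[1]
            }
        }'); do
        is_patched_aspnet_10 "$tag" || n=$((n + 1))
    done
    return "$n"
}

# Constructed sample inputs.
SAMPLE_RUNTIMES_OLD='Microsoft.AspNetCore.App 8.0.10 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 10.0.3 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 10.0.3 [/usr/share/dotnet/shared/Microsoft.NETCore.App]'

SAMPLE_RUNTIMES_PATCHED='Microsoft.AspNetCore.App 10.0.3 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 10.0.4 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 10.0.4 [/usr/share/dotnet/shared/Microsoft.NETCore.App]'

SAMPLE_DOCKERFILE='FROM mcr.microsoft.com/dotnet/sdk:10.0 AS build
WORKDIR /src
COPY . .
RUN dotnet publish -c Release -o /app
FROM mcr.microsoft.com/dotnet/aspnet:10.0.3 AS runtime-old
FROM --platform=linux/amd64 mcr.microsoft.com/dotnet/aspnet:10.0 AS runtime-floating
FROM mcr.microsoft.com/dotnet/aspnet:10.0.4-noble AS runtime-patched
COPY --from=build /app /app
ENTRYPOINT ["dotnet", "/app/MyApp.dll"]'

# Run against the samples; on a live host use
#   aspnet_runtime_status "$(dotnet --list-runtimes)"
#   unpatched_aspnet_base_images "$(cat Dockerfile)"
rc=0; aspnet_runtime_status "$SAMPLE_RUNTIMES_OLD" || rc=$?
echo "old listing: status $rc"                          # 1
rc=0; aspnet_runtime_status "$SAMPLE_RUNTIMES_PATCHED" || rc=$?
echo "patched listing: status $rc"                      # 0
rc=0; unpatched_aspnet_base_images "$SAMPLE_DOCKERFILE" || rc=$?
echo "Dockerfile: $rc unpatched aspnet base image(s)"   # 2
```

The runtime check deliberately ignores the 8.0.x line in the old listing: side-by-side runtimes are normal, and only the 10.0 line tells you whether this update's level is present. The Dockerfile check treats a floating `10.0` tag as unpatched on purpose, since an image built before the 10.0.4 tag existed keeps its old runtime until it is rebuilt.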

Security Recommendations

After installing this update, consider implementing additional security measures:

  • Review and update custom authentication middleware to ensure compatibility
  • Implement comprehensive logging and monitoring for authentication events
  • Regularly audit application dependencies for security vulnerabilities
  • Consider implementing additional security headers and middleware
  • Ensure all development and staging environments are also updated

Best Practice: Test this update in a non-production environment before deploying to production systems to ensure application compatibility.

Key Fixes & Changes

1. Fixes authentication bypass vulnerability in ASP.NET Core Identity (CVE-2026-21001)

This update strengthens the token validation logic in ASP.NET Core Identity middleware. The fix includes:

  • Enhanced JWT token signature verification
  • Improved validation of authentication claims
  • Additional checks for token expiration and issuer validation
  • Updated authentication cookie handling to prevent tampering

Applications using ASP.NET Core Identity will automatically benefit from these security improvements without code changes.

2. Resolves denial of service vulnerability in Kestrel web server (CVE-2026-21002)

The Kestrel web server has been updated to handle malformed HTTP requests more robustly:

  • Improved parsing of HTTP headers with invalid characters
  • Enhanced request size validation to prevent memory exhaustion
  • Better error handling for malformed request bodies
  • Updated connection management to prevent resource leaks

These changes ensure that applications remain stable when receiving unexpected or malicious requests.

3. Patches information disclosure vulnerability in middleware (CVE-2026-21003)

ASP.NET Core middleware components have been updated to prevent sensitive information leakage:

  • Sanitized error messages to remove configuration details
  • Updated exception handling to prevent stack trace exposure
  • Improved logging to exclude sensitive data from error logs
  • Enhanced response filtering for development environment information

Production applications will no longer inadvertently expose internal configuration or system details through error responses.

4. Updates ASP.NET Core runtime to version 10.0.4

The complete ASP.NET Core runtime has been updated to version 10.0.4, which includes:

  • Updated Microsoft.AspNetCore.App package to version 10.0.4
  • Enhanced Microsoft.AspNetCore.Authentication packages
  • Updated Kestrel server components
  • Improved Microsoft.AspNetCore.Mvc framework

All ASP.NET Core applications will automatically use the updated runtime components after installation.

Installation

KB5091596 is available through multiple distribution channels:

Automatic Installation

  • Windows Update: Automatically delivered to Windows systems with .NET Framework installed
  • Microsoft Update: Available for enterprise environments using Microsoft Update services

Manual Installation

  • Microsoft Update Catalog: Download standalone installer packages for offline deployment
  • .NET CLI: Update using dotnet tool update command for development environments
  • NuGet Package Manager: Update ASP.NET Core packages in Visual Studio or via command line

Enterprise Deployment

  • WSUS: Deploy through Windows Server Update Services for managed environments
  • SCCM: Distribute via System Center Configuration Manager
  • Microsoft Intune: Deploy to managed devices through cloud-based management

Installation Requirements

  • File Size: Approximately 85 MB for complete update package
  • Restart Required: No restart required for most installations
  • Prerequisites: ASP.NET Core 10.0 runtime must be installed
  • Disk Space: Minimum 200 MB free space required

Note: Applications using ASP.NET Core 10.0 should be restarted after update installation to ensure all security fixes are applied.

Known Issues

The following issues have been identified after installing KB5091596:

Application Compatibility

  • Custom Authentication Providers: Applications using custom authentication middleware may experience compatibility issues due to enhanced token validation. Review custom authentication logic and update as needed.
  • Third-Party Libraries: Some third-party authentication libraries may require updates to work with the enhanced security measures.

Performance Impact

  • Authentication Overhead: The enhanced token validation may introduce minimal performance overhead (typically less than 5ms per request).
  • Memory Usage: Slightly increased memory usage due to additional validation caching.

Configuration Changes

  • Logging Verbosity: Some previously logged information may no longer appear in logs due to security improvements. Update logging configuration if specific details are required for debugging.

Workarounds

  • For applications experiencing authentication issues, temporarily enable detailed logging using Microsoft.AspNetCore.Authentication category at Debug level
  • If performance impact is significant, consider implementing authentication result caching in application code

Important: Do not disable the security enhancements introduced by this update. Instead, update application code to work with the improved security measures.

Frequently Asked Questions

What does KB5091596 resolve?

KB5091596 resolves three critical security vulnerabilities in ASP.NET Core 10.0: CVE-2026-21001 (authentication bypass), CVE-2026-21002 (denial of service in Kestrel), and CVE-2026-21003 (information disclosure in middleware). The update enhances security across authentication, web server, and middleware components.

Which systems require KB5091596?

All systems running ASP.NET Core 10.0 applications require this update, including Windows 10, Windows 11, Windows Server 2019/2022/2025, and Linux distributions with .NET 10.0 runtime. Both development and production environments should be updated immediately.

Is KB5091596 a security update?

Yes, KB5091596 is a critical security update that addresses multiple high-severity vulnerabilities with CVSS scores ranging from 5.3 to 8.1. It should be treated as a priority update and deployed to all ASP.NET Core 10.0 environments as soon as possible.

What are the prerequisites for KB5091596?

The prerequisites include having ASP.NET Core 10.0 runtime installed, minimum 200 MB free disk space, and approximately 85 MB for the update download. No system restart is required, but applications should be restarted to apply the security fixes.

Are there known issues with KB5091596?

Known issues include potential compatibility problems with custom authentication providers due to enhanced token validation, minimal performance overhead (less than 5 ms per request), and possible changes in logging verbosity. Applications using third-party authentication libraries may require updates.
