.NET and .NET Framework May 2026 Updates: Key Questions Answered
Welcome to our breakdown of the May 2026 servicing releases for .NET and .NET Framework. This month brings critical security fixes and non-security improvements across multiple versions. Below, we answer the most important questions about what’s new, which vulnerabilities were patched, and how to update your systems. Let’s dive in.
1. What is included in the May 2026 servicing releases for .NET and .NET Framework?
The May 2026 updates provide both security and non-security fixes for .NET and .NET Framework. Key highlights include patches for four CVEs: two elevation of privilege vulnerabilities (CVE-2026-32177 and CVE-2026-35433), a tampering vulnerability (CVE-2026-32175), and a denial of service vulnerability (CVE-2026-42899). These updates apply to .NET 10.0, 9.0, and 8.0, as well as multiple .NET Framework versions (3.5, 4.6.2, 4.7, 4.7.2, 4.8, and 4.8.1). Additionally, non-security fixes improve reliability and performance. The release also updates container images, Linux packages, and installers for each supported .NET version.
2. Which security vulnerabilities were fixed this month?
Four CVEs were addressed in this servicing update. CVE-2026-32177 is an elevation of privilege vulnerability affecting .NET 10.0, 9.0, 8.0, and multiple .NET Framework versions. CVE-2026-35433, another elevation of privilege flaw, targets .NET 10.0, 9.0, and 8.0. CVE-2026-32175 is a tampering vulnerability that impacts the same three .NET versions. Finally, CVE-2026-42899 is a denial of service vulnerability affecting .NET 10.0, 9.0, and 8.0. For full details, see our discussion on affected versions below. It is strongly recommended to update all affected environments to mitigate these risks.
3. Which versions of .NET are affected by CVE-2026-32177?
CVE-2026-32177, an elevation of privilege vulnerability, applies broadly across the .NET ecosystem. It impacts .NET 10.0, .NET 9.0, and .NET 8.0. Additionally, it affects multiple .NET Framework versions: 3.5, 4.6.2, 4.7, 4.7.2, 4.8, and 4.8.1. Organizations running any of these versions should prioritize updating to the latest servicing releases: .NET 10.0.8, .NET 9.0.16, or .NET 8.0.27, along with the corresponding .NET Framework updates. The other three CVEs (CVE-2026-35433, CVE-2026-32175, CVE-2026-42899) only affect .NET 10.0, 9.0, and 8.0, so .NET Framework users need only address CVE-2026-32177 this month.
4. What are the updated build numbers for .NET 10, 9, and 8?
Each supported .NET version has received a specific servicing release. .NET 10.0 is now at build 10.0.8. .NET 9.0 updates to 9.0.16. .NET 8.0 moves to 8.0.27. These builds include all the security and non-security fixes mentioned above. Changelogs for each are available: ASP.NET Core 10.0.8, Entity Framework Core 10.0.8, and the runtime for all three versions (10.0.8, 9.0.16, 8.0.27). You can find detailed release notes and known issues for each version by visiting the official .NET blog or the release notes page.
5. Are there any known issues with the new releases?
As with any servicing update, there may be known issues that the team has documented. For .NET 10.0, 9.0, and 8.0, separate known issues pages are available. These pages list any bugs or regressions that have been identified and provide workarounds or guidance. It is important to review these before deploying the update to production environments. You can access them via the .NET 10.0 known issues, .NET 9.0 known issues, and .NET 8.0 known issues pages.
6. How can I download the latest .NET updates?
You can obtain the May 2026 servicing releases from multiple sources. For .NET 10.0.8, .NET 9.0.16, and .NET 8.0.27, download installers and binaries directly from the official .NET download page. Container images are also updated and available on Docker Hub for each version. If you use Linux, package feeds for each major version (10.0, 9.0, 8.0) provide the updates. Simply run your package manager to pull the latest. For .NET Framework updates, visit the Windows Update catalog or use Windows Server Update Services (WSUS). Always ensure you back up your applications before upgrading.
7. What about .NET Framework updates in May 2026?
May 2026 brings both security and non-security updates for .NET Framework. The only security vulnerability affecting .NET Framework this month is CVE-2026-32177, an elevation of privilege issue. This impacts all supported .NET Framework versions: 3.5, 4.6.2, 4.7, 4.7.2, 4.8, and 4.8.1. Non-security fixes are also included to improve stability and performance. For a detailed list of changes, please refer to the .NET Framework release notes. You can apply these updates through Windows Update, Microsoft Update Catalog, or by downloading the standalone installer. We recommend updating as soon as possible to keep your environment secure.
8. How can I provide feedback on this release?
Your feedback helps improve future servicing updates. If you encounter any issues or have suggestions, please share them in the Release feedback issue on GitHub for this monthly release. The .NET team actively monitors these discussions and uses the input to prioritize fixes. You can also report bugs via the official .NET repository or participate in community forums. Don’t forget to update your systems today. We’ll see you next month with another servicing update!