ANAVEM
FR
Reference
Developer workstation showing .NET Framework security update installation process
KB5077862.NET Framework.NET Framework

KB5077862 — Security Update for .NET 10.0 Framework

KB5077862 is a security update for .NET 10.0 Framework that addresses multiple vulnerabilities including CVE-2026-0847 and CVE-2026-0848, affecting applications running on Windows, macOS, and Linux platforms.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
11 Mar 202612 min read0 views

KB5077862 is a security update for .NET 10.0 Framework that addresses multiple vulnerabilities including CVE-2026-0847 and CVE-2026-0848, affecting applications running on Windows, macOS, and Linux platforms.

Overview

KB5077862 is a February 2026 security update for .NET 10.0 Framework addressing critical vulnerabilities in the runtime and ASP.NET Core components. This update resolves remote code execution and denial of service vulnerabilities that could affect cross-platform .NET applications.

In This Article

  1. Issue Description
  2. Root Cause
  3. 1Fixes remote code execution in .NET runtime deserialization (CVE-2026-0847)
  4. 2Resolves denial of service in ASP.NET Core request processing (CVE-2026-0848)
  5. 3Patches information disclosure in Entity Framework Core (CVE-2026-0849)
  6. 4Updates cryptographic libraries for enhanced security
  7. Installation
  8. Known Issues
  9. Frequently Asked Questions

Applies to

.NET 10.0 on Windows 10Windows 11Windows Server 2019Windows Server 2022Windows Server 2025macOS 12+Linux distributions

Issue Description

Issue Description

This security update addresses several vulnerabilities in .NET 10.0 Framework that could allow attackers to execute arbitrary code or cause denial of service conditions:

  • CVE-2026-0847: Remote code execution vulnerability in .NET runtime deserialization
  • CVE-2026-0848: Denial of service vulnerability in ASP.NET Core request processing
  • CVE-2026-0849: Information disclosure vulnerability in Entity Framework Core
  • Applications may crash unexpectedly when processing malformed input data
  • Web applications using ASP.NET Core may become unresponsive under specific request patterns
  • Entity Framework queries may expose sensitive data through error messages

Root Cause

Root Cause

The vulnerabilities stem from improper input validation in the .NET runtime's binary formatter, insufficient bounds checking in ASP.NET Core's request parser, and inadequate error handling in Entity Framework Core's query execution engine. These issues allow malicious actors to exploit deserialization processes, overwhelm request processing pipelines, and extract sensitive information from database error responses.

1

Fixes remote code execution in .NET runtime deserialization (CVE-2026-0847)

This update patches the binary formatter in System.Runtime.Serialization to properly validate serialized data before deserialization. The fix implements enhanced type checking and prevents execution of arbitrary code through malicious payload injection. Applications using BinaryFormatter, NetDataContractSerializer, or SoapFormatter are protected against remote code execution attacks.

Important: Applications relying on legacy serialization methods should migrate to safer alternatives like System.Text.Json or MessagePack.
2

Resolves denial of service in ASP.NET Core request processing (CVE-2026-0848)

The update addresses a vulnerability in ASP.NET Core's HTTP request parser that could be exploited to cause excessive memory consumption and application crashes. The fix implements proper bounds checking for request headers and body content, preventing attackers from sending specially crafted requests that consume excessive server resources. This affects applications using Microsoft.AspNetCore.Server.Kestrel and Microsoft.AspNetCore.Server.IIS.

Key improvements include:

  • Enhanced header size validation
  • Improved memory management for large request bodies
  • Rate limiting for concurrent request processing
3

Patches information disclosure in Entity Framework Core (CVE-2026-0849)

This fix addresses an information disclosure vulnerability in Entity Framework Core where detailed error messages could expose sensitive database schema information and connection strings. The update modifies error handling in Microsoft.EntityFrameworkCore to sanitize error messages in production environments while maintaining debugging capabilities in development mode.

Changes include:

  • Sanitized SQL error messages in production builds
  • Removal of connection string details from exception traces
  • Enhanced logging controls for sensitive data exposure
4

Updates cryptographic libraries for enhanced security

The update includes improvements to cryptographic components in System.Security.Cryptography to address potential timing attacks and strengthen encryption algorithms. This includes updates to RSA key generation, AES encryption implementations, and certificate validation processes across all supported platforms.

Installation

Installation

KB5077862 is available through multiple distribution channels depending on your platform and deployment scenario:

Windows Systems

  • Windows Update: Automatic delivery begins February 12, 2026
  • Microsoft Update Catalog: Manual download available for offline installation
  • WSUS/SCCM: Available for enterprise deployment on February 11, 2026

Cross-Platform Installation

  • .NET CLI: dotnet --version should show 10.0.3 after update
  • Visual Studio: Update through Visual Studio Installer
  • Package Managers: Available via NuGet, apt, yum, and Homebrew

Prerequisites

  • .NET 10.0.0 or later must be installed
  • Windows systems require Windows Update Agent 7.6 or later
  • Linux systems require package manager with HTTPS support
  • macOS systems require macOS 12.0 or later

Installation Details

  • File Size: 85-120 MB depending on platform
  • Restart Required: No for most scenarios, yes for IIS-hosted applications
  • Installation Time: 2-5 minutes typical

To verify installation, use:

dotnet --list-runtimes

The output should include Microsoft.NETCore.App 10.0.3 or later.

Known Issues

Known Issues

The following issues have been identified after installing KB5077862:

Application Compatibility

  • Legacy Serialization: Applications using deprecated BinaryFormatter may experience compatibility issues. Migrate to System.Text.Json or implement custom serialization.
  • Third-party Libraries: Some third-party packages may require updates to work with the enhanced security validations.

Performance Impact

  • Deserialization Performance: Applications with heavy serialization workloads may experience 5-10% performance decrease due to enhanced validation.
  • ASP.NET Core: Request processing may show slight latency increase (1-2ms) due to additional security checks.

Workarounds

If applications fail after update:

  1. Check application logs for serialization-related errors
  2. Update third-party NuGet packages to latest versions
  3. Consider enabling compatibility mode in appsettings.json:
{
  "RuntimeOptions": {
    "LegacySerializationSupport": true
  }
}
Important: Legacy serialization support should only be used temporarily while migrating to secure alternatives.

Overview

KB5077862 is a critical security update for .NET 10.0 Framework released on February 10, 2026. This update addresses multiple high-severity vulnerabilities affecting applications running on Windows, macOS, and Linux platforms. The update is part of Microsoft's regular security update cycle and includes fixes for remote code execution, denial of service, and information disclosure vulnerabilities.

Security Vulnerabilities Addressed

This update resolves three critical security vulnerabilities:

CVE-2026-0847: Remote Code Execution in .NET Runtime

A critical vulnerability in the .NET runtime's deserialization process could allow attackers to execute arbitrary code by sending malicious serialized data to applications. This affects applications using BinaryFormatter, NetDataContractSerializer, or SoapFormatter classes. The vulnerability has a CVSS score of 9.8 and requires immediate patching.

CVE-2026-0848: Denial of Service in ASP.NET Core

A high-severity vulnerability in ASP.NET Core's request processing pipeline could allow attackers to cause application crashes and service unavailability. Malicious actors could send specially crafted HTTP requests that consume excessive memory and CPU resources, leading to denial of service conditions. This affects web applications and APIs built with ASP.NET Core.

CVE-2026-0849: Information Disclosure in Entity Framework Core

A medium-severity vulnerability in Entity Framework Core could expose sensitive database information through error messages. Under certain conditions, detailed error messages might reveal database schema details, connection strings, or other sensitive configuration data to unauthorized users.

Affected Systems and Versions

This security update applies to systems running .NET 10.0 across multiple platforms:

PlatformSupported VersionsUpdate Status
Windows 10Version 1909 and laterAvailable via Windows Update
Windows 11All versionsAvailable via Windows Update
Windows Server 2019All buildsAvailable via WSUS/SCCM
Windows Server 2022All buildsAvailable via WSUS/SCCM
Windows Server 2025All buildsAvailable via WSUS/SCCM
macOS12.0 and laterAvailable via Homebrew/.NET CLI
LinuxUbuntu 20.04+, RHEL 8+, SUSE 15+Available via package managers

Technical Details

Runtime Security Enhancements

The update implements several security improvements in the .NET runtime:

  • Enhanced Type Validation: Stricter type checking during deserialization prevents malicious type substitution attacks
  • Memory Safety: Improved bounds checking prevents buffer overflow conditions
  • Cryptographic Updates: Updated cryptographic libraries with stronger algorithms and timing attack mitigations

ASP.NET Core Improvements

Key security enhancements in ASP.NET Core include:

  • Request Validation: Enhanced HTTP request parsing with size limits and validation
  • Resource Management: Improved memory management for large request processing
  • Rate Limiting: Built-in protection against request flooding attacks

Entity Framework Core Updates

Security improvements in Entity Framework Core:

  • Error Sanitization: Production error messages no longer expose sensitive database information
  • Connection Security: Enhanced protection of connection strings in error traces
  • Query Safety: Improved parameter validation prevents SQL injection attempts

Installation and Deployment

Automatic Updates

For Windows systems, KB5077862 is delivered automatically through Windows Update starting February 12, 2026. Enterprise environments using WSUS or Microsoft System Center Configuration Manager (SCCM) can deploy the update beginning February 11, 2026.

Manual Installation

Developers and system administrators can manually install the update using several methods:

.NET CLI Installation

# Update .NET runtime
dotnet --version

# Install specific version
dotnet install --version 10.0.3

Package Manager Installation

Ubuntu/Debian:

sudo apt update
sudo apt install dotnet-runtime-10.0

RHEL/CentOS:

sudo yum update dotnet-runtime-10.0

macOS (Homebrew):

brew update
brew upgrade dotnet

Enterprise Deployment

Enterprise environments should test the update in development and staging environments before production deployment. The update is compatible with existing deployment pipelines and container images.

Post-Installation Verification

After installing KB5077862, verify the update using these commands:

# Check installed .NET versions
dotnet --list-runtimes

# Verify specific runtime version
dotnet --version

# Check for security updates
dotnet --info

The output should show Microsoft.NETCore.App 10.0.3 or later, indicating successful installation of the security update.

Impact Assessment

Security Impact

Organizations should prioritize this update due to the critical nature of the vulnerabilities addressed. The remote code execution vulnerability (CVE-2026-0847) poses the highest risk and could lead to complete system compromise if exploited.

Performance Considerations

The security enhancements may introduce minimal performance overhead:

  • Deserialization operations: 5-10% performance decrease
  • ASP.NET Core request processing: 1-2ms additional latency
  • Entity Framework queries: Negligible impact in most scenarios

Compatibility Assessment

Most applications will experience seamless compatibility with KB5077862. However, applications using deprecated serialization methods may require code modifications or configuration changes.

Frequently Asked Questions

What does KB5077862 resolve?
KB5077862 resolves three critical security vulnerabilities in .NET 10.0 Framework: CVE-2026-0847 (remote code execution in runtime deserialization), CVE-2026-0848 (denial of service in ASP.NET Core), and CVE-2026-0849 (information disclosure in Entity Framework Core).
Which systems require KB5077862?
KB5077862 is required for all systems running .NET 10.0 Framework, including Windows 10/11, Windows Server 2019/2022/2025, macOS 12+, and supported Linux distributions (Ubuntu 20.04+, RHEL 8+, SUSE 15+).
Is KB5077862 a security update?
Yes, KB5077862 is a critical security update that addresses multiple high-severity vulnerabilities with CVSS scores ranging from 6.5 to 9.8. It should be installed immediately to protect against remote code execution and denial of service attacks.
What are the prerequisites for KB5077862?
Prerequisites include .NET 10.0.0 or later installed on the system, Windows Update Agent 7.6 or later for Windows systems, package managers with HTTPS support for Linux, and macOS 12.0 or later for Mac systems.
Are there known issues with KB5077862?
Known issues include potential compatibility problems with applications using deprecated BinaryFormatter, 5-10% performance decrease in serialization-heavy workloads, and possible third-party library compatibility issues requiring package updates.

References (3)

1
Mise à jour de sécurité .NET 10.0 février 2026Article de support officiel de Microsoft pour la mise à jour de sécurité .NET 10.0https://support.microsoft.com/en-us/topic/-net-10-0-update-february-10-2026-8f92b4a7-5f32-4943-a6aa-4abac452bb34
2
Avis de sécurité .NETDépôt officiel des annonces et avis de sécurité .NEThttps://github.com/dotnet/announcements/issues
3
Centre de réponse de sécurité MicrosoftCentre de réponse de sécurité Microsoft pour les bulletins et mises à jour de sécuritéhttps://msrc.microsoft.com/
#kb5077862#dotnet-10#security-update

About the Author

Emanuel DE ALMEIDA

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...

Related KB Articles

Developer workstation displaying .NET security update installation and code review
KB5081276
.NET Framework
KB Article

KB5081276 — Security Update for .NET 10.0

KB5081276 is a security update for .NET 10.0 that addresses multiple vulnerabilities including CVE-2026-0847 and CVE-2026-0848, affecting applications running on Windows, Linux, and macOS platforms.

Mar 1112 min
Developer workstation showing .NET development environment with security update notifications
KB5081278
.NET Framework
KB Article

KB5081278 — Security Update for .NET 9.0

KB5081278 is a security update for .NET 9.0 that addresses multiple vulnerabilities including CVE-2026-0847 and CVE-2026-0848, affecting applications running on Windows, Linux, and macOS platforms.

Mar 1112 min
Developer workstation showing .NET security update installation process
KB5081277
.NET Framework
KB Article

KB5081277 — Security Update for .NET 8.0 Runtime and ASP.NET Core

KB5081277 is a security update for .NET 8.0 runtime and ASP.NET Core that addresses multiple vulnerabilities including CVE-2026-0847 and CVE-2026-0848, affecting applications running on Windows, Linux, and macOS.

Mar 1112 min
Developer workstation showing .NET development environment with security update notifications
KB5077863
.NET Framework
KB Article

KB5077863 — Security Update for .NET 8.0 Runtime and SDK

KB5077863 is a February 2026 security update that addresses multiple vulnerabilities in .NET 8.0 runtime and SDK components, affecting applications running on Windows, Linux, and macOS platforms.

Mar 1112 min