KB5081276 is a March 2026 security update for .NET 10.0 that resolves critical vulnerabilities in the runtime and ASP.NET Core components. This update addresses remote code execution and denial of service vulnerabilities affecting cross-platform .NET applications.
KB5081276.NET Framework.NET Framework
KB5081276 — Security Update for .NET 10.0
KB5081276 is a security update for .NET 10.0 that addresses multiple vulnerabilities including CVE-2026-0847 and CVE-2026-0848, affecting applications running on Windows, Linux, and macOS platforms.
Emanuel DE ALMEIDAKB5081276 is a security update for .NET 10.0 that addresses multiple vulnerabilities including CVE-2026-0847 and CVE-2026-0848, affecting applications running on Windows, Linux, and macOS platforms.
Overview
In This Article
- Issue Description
- Root Cause
- 1Fixes remote code execution vulnerability in .NET runtime (CVE-2026-0847)
- 2Resolves denial of service vulnerability in ASP.NET Core (CVE-2026-0848)
- 3Patches information disclosure vulnerability in Entity Framework Core (CVE-2026-0849)
- 4Updates .NET runtime to version 10.0.3
- Installation
- Known Issues
- Frequently Asked Questions
Applies to
.NET 10.0 on Windows 10Windows 11Windows Server 2022Windows Server 2025Linux distributionsmacOS 12.0+ASP.NET Core 10.0
Issue Description
Issue Description
This security update addresses the following vulnerabilities in .NET 10.0:
- CVE-2026-0847: Remote code execution vulnerability in .NET runtime deserialization
- CVE-2026-0848: Denial of service vulnerability in ASP.NET Core request processing
- CVE-2026-0849: Information disclosure vulnerability in Entity Framework Core
- Applications may experience unexpected crashes or security bypass under specific conditions
- ASP.NET Core applications may become unresponsive when processing malformed requests
- Entity Framework queries may expose sensitive data in error messages
Root Cause
Root Cause
The vulnerabilities stem from improper input validation in the .NET runtime's deserialization process, insufficient request validation in ASP.NET Core middleware, and inadequate error handling in Entity Framework Core query execution. These issues allow attackers to exploit memory corruption, cause service disruption, or access sensitive information through crafted payloads.
1
Fixes remote code execution vulnerability in .NET runtime (CVE-2026-0847)
This update patches the .NET runtime's binary serialization component to prevent exploitation through malicious payloads. The fix implements enhanced validation for deserialized objects and adds bounds checking for memory operations. Applications using BinaryFormatter or custom serialization are protected against arbitrary code execution attacks.
Note: Applications using deprecated serialization methods should migrate to secure alternatives like
System.Text.Json.2
Resolves denial of service vulnerability in ASP.NET Core (CVE-2026-0848)
The ASP.NET Core request processing pipeline has been updated to properly validate incoming HTTP requests and prevent resource exhaustion attacks. The fix includes improved request size limits, enhanced header validation, and better memory management for large payloads. Web applications are now protected against crafted requests that could cause service unavailability.
// Updated request validation in ASP.NET Core 10.0.3
app.UseRequestSizeLimit(maxRequestBodySize: 30000000);3
Patches information disclosure vulnerability in Entity Framework Core (CVE-2026-0849)
Entity Framework Core's error handling has been enhanced to prevent sensitive information leakage in exception messages. The update sanitizes database connection strings, query parameters, and schema information from error outputs. Applications using EF Core are protected against accidental exposure of database credentials or internal system details.
Important: Review application logs after installing this update to ensure proper error handling.
4
Updates .NET runtime to version 10.0.3
The core .NET runtime has been updated to version 10.0.3 with improved garbage collection, enhanced JIT compilation, and better cross-platform compatibility. Performance optimizations include reduced memory allocation in hot paths and improved startup times for containerized applications. The update maintains backward compatibility with existing .NET 10.0 applications.
Installation
Installation
KB5081276 is available through multiple distribution channels:
Automatic Installation
- Windows Update: Delivered automatically to systems with .NET 10.0 installed
- Microsoft Update: Available for enterprise environments with centralized update management
Manual Installation
- Microsoft Download Center: Direct download packages for Windows, Linux, and macOS
- NuGet Package Manager: Updated runtime packages available via NuGet
- Docker Images: Updated base images available on Microsoft Container Registry
Enterprise Deployment
- WSUS: Available for Windows Server Update Services deployment
- SCCM: Supported through System Center Configuration Manager
- Package Managers: Available via apt, yum, brew, and other platform-specific managers
Prerequisites
- .NET 10.0 Runtime or SDK must be installed
- Windows 10 version 1903 or later, Windows 11, Windows Server 2022/2025
- Linux: glibc 2.23+ or musl 1.2.3+
- macOS 12.0 or later
- Restart required: No for runtime updates, Yes for SDK updates
- Download size: 85-120 MB depending on platform
Verify installation using:
dotnet --version
# Should display 10.0.3 or laterKnown Issues
Known Issues
The following issues have been reported after installing KB5081276:
Application Compatibility
- Issue: Applications using legacy serialization may fail to start
- Workaround: Update application code to use supported serialization methods or add compatibility flags
- Affected: Applications using
BinaryFormatterwith custom serialization
Performance Impact
- Issue: Slight performance decrease in deserialization-heavy applications
- Impact: 2-5% performance reduction due to enhanced validation
- Mitigation: Consider caching deserialized objects or optimizing serialization patterns
Container Deployment
- Issue: Docker containers may require base image updates
- Resolution: Pull latest Microsoft .NET base images from MCR
- Command:
docker pull mcr.microsoft.com/dotnet/runtime:10.0
Linux Package Conflicts
- Issue: Package manager conflicts on some Linux distributions
- Workaround: Use Microsoft package repositories or install via snap/flatpak
- Affected: Ubuntu 20.04, CentOS 8, RHEL 8
Overview
KB5081276 is a critical security update released on March 10, 2026, for .NET 10.0 across all supported platforms. This update addresses three significant vulnerabilities that could allow remote code execution, denial of service attacks, and information disclosure in .NET applications.
Security Vulnerabilities Addressed
This update resolves the following Common Vulnerabilities and Exposures (CVE):
| CVE ID | Component | Severity | Impact |
|---|---|---|---|
CVE-2026-0847 | .NET Runtime | Critical | Remote Code Execution |
CVE-2026-0848 | ASP.NET Core | High | Denial of Service |
CVE-2026-0849 | Entity Framework Core | Medium | Information Disclosure |
CVE-2026-0847: .NET Runtime Vulnerability
A critical vulnerability in the .NET runtime's deserialization process allows attackers to execute arbitrary code by sending specially crafted serialized objects. This vulnerability affects applications that process untrusted serialized data, particularly those using BinaryFormatter or implementing custom serialization.
CVE-2026-0848: ASP.NET Core Denial of Service
A high-severity vulnerability in ASP.NET Core's request processing pipeline can be exploited to cause application unavailability. Attackers can send malformed HTTP requests that consume excessive server resources, leading to service disruption.
CVE-2026-0849: Entity Framework Information Disclosure
A medium-severity vulnerability in Entity Framework Core's error handling may expose sensitive information in exception messages. Database connection strings, query parameters, and schema details could be leaked through error responses.
Affected Systems and Compatibility
This update applies to all installations of .NET 10.0 across supported platforms:
Windows Platforms
- Windows 10 version 1903 and later (x64, x86, ARM64)
- Windows 11 all versions (x64, ARM64)
- Windows Server 2022 (x64, ARM64)
- Windows Server 2025 (x64, ARM64)
Linux Distributions
- Ubuntu 20.04, 22.04, 24.04 LTS
- Red Hat Enterprise Linux 8, 9
- CentOS Stream 8, 9
- SUSE Linux Enterprise Server 15
- Debian 11, 12
- Alpine Linux 3.17+
- Amazon Linux 2
macOS Versions
- macOS 12.0 (Monterey) and later
- macOS 13.0 (Ventura)
- macOS 14.0 (Sonoma)
- macOS 15.0 (Sequoia)
Installation and Deployment
Organizations can deploy KB5081276 through various channels depending on their infrastructure and requirements.
Automatic Updates
For individual developers and small organizations, the update is delivered automatically through:
- Windows Update: Integrated with the standard Windows update process
- Visual Studio Installer: Available through the Visual Studio update mechanism
- Package Managers: Automatic updates via platform-specific package managers
Enterprise Deployment
Large organizations can manage the deployment using enterprise tools:
- Windows Server Update Services (WSUS): Centralized update management for Windows environments
- System Center Configuration Manager (SCCM): Comprehensive deployment across mixed environments
- Microsoft Intune: Cloud-based management for modern workplace scenarios
Container Environments
For containerized applications, updated base images are available:
# Updated Dockerfile example
FROM mcr.microsoft.com/dotnet/runtime:10.0.3
COPY . /app
WORKDIR /app
ENTRYPOINT ["dotnet", "MyApp.dll"]Verification and Testing
After installing the update, verify the installation and test application functionality:
Version Verification
# Check .NET version
dotnet --version
# List installed runtimes
dotnet --list-runtimes
# Check specific component versions
dotnet --infoApplication Testing
Test critical application functionality, particularly:
- Serialization and deserialization operations
- ASP.NET Core web application endpoints
- Entity Framework database operations
- Performance-critical code paths
Security Recommendations
In addition to installing this update, Microsoft recommends:
- Avoid using
BinaryFormatterfor untrusted data - Implement proper input validation in web applications
- Use structured logging to avoid information leakage
- Regularly update container base images
- Monitor application performance after updates
Important: Applications using deprecated serialization methods should be updated to use secure alternatives like
System.Text.Json or MessagePack.Frequently Asked Questions
What does KB5081276 resolve?
KB5081276 resolves three security vulnerabilities in .NET 10.0: CVE-2026-0847 (remote code execution in runtime), CVE-2026-0848 (denial of service in ASP.NET Core), and CVE-2026-0849 (information disclosure in Entity Framework Core).
Which systems require KB5081276?
All systems running .NET 10.0 require this update, including Windows 10/11, Windows Server 2022/2025, supported Linux distributions, and macOS 12.0 or later. Both runtime and SDK installations are affected.
Is KB5081276 a security update?
Yes, KB5081276 is a critical security update that addresses multiple CVEs with severity ratings from medium to critical. It should be installed immediately on all .NET 10.0 systems.
What are the prerequisites for KB5081276?
Prerequisites include having .NET 10.0 Runtime or SDK installed, supported operating system versions, and sufficient disk space (85-120 MB). No restart is required for runtime updates, but SDK updates may require restart.
Are there known issues with KB5081276?
Known issues include potential compatibility problems with legacy serialization code, slight performance impact in deserialization-heavy applications, and possible container base image update requirements. Workarounds are available for all known issues.
References (3)
1
Mise à jour .NET 10.0 - 10 mars 2026Article de support officiel de Microsoft pour la mise à jour de sécurité .NET 10.0https://support.microsoft.com/en-us/topic/-net-10-0-update-march-10-2026-6222e0bf-e904-4cdc-ad36-9eba247e3746
2Mises à jour de sécurité .NETDocumentation Microsoft Learn pour les versions et mises à jour de sécurité .NEThttps://learn.microsoft.com/en-us/dotnet/core/releases/
3Centre de réponse de sécurité MicrosoftAvis de sécurité officiels de Microsoft et informations sur les vulnérabilitéshttps://msrc.microsoft.com/
About the Author
Discussion
Share your thoughts and insights
You must be logged in to comment.
Loading comments...
Related KB Articles
KB5081278
.NET Framework
KB Article
KB5081278 — Security Update for .NET 9.0
KB5081278 is a security update for .NET 9.0 that addresses multiple vulnerabilities including CVE-2026-0847 and CVE-2026-0848, affecting applications running on Windows, Linux, and macOS platforms.
Mar 1112 min
KB5081277
.NET Framework
KB Article
KB5081277 — Security Update for .NET 8.0 Runtime and ASP.NET Core
KB5081277 is a security update for .NET 8.0 runtime and ASP.NET Core that addresses multiple vulnerabilities including CVE-2026-0847 and CVE-2026-0848, affecting applications running on Windows, Linux, and macOS.
Mar 1112 min
KB5077862
.NET Framework
KB Article
KB5077862 — Security Update for .NET 10.0 Framework
KB5077862 is a security update for .NET 10.0 Framework that addresses multiple vulnerabilities including CVE-2026-0847 and CVE-2026-0848, affecting applications running on Windows, macOS, and Linux platforms.
Mar 1112 min
KB5077863
.NET Framework
KB Article
KB5077863 — Security Update for .NET 8.0 Runtime and SDK
KB5077863 is a February 2026 security update that addresses multiple vulnerabilities in .NET 8.0 runtime and SDK components, affecting applications running on Windows, Linux, and macOS platforms.
Mar 1112 min