Breaking: Microsoft Patches Critical Elevation of Privilege Flaws in .NET, .NET Framework – May 2026 Update Released

Urgent Security Update for .NET Developers

Microsoft has released critical security patches for .NET and .NET Framework as part of its May 2026 servicing updates. The updates, published on May 12, 2026, address four vulnerabilities that could allow attackers to elevate privileges, tamper with data, or cause denial of service.

"These vulnerabilities are serious and affect a wide range of .NET versions, including the latest .NET 10.0," said Sarah Chen, a cybersecurity analyst at SecureStack. "Developers should prioritize updating to the latest builds immediately."

The Patched Vulnerabilities

The updates fix the following CVEs:

• CVE-2026-32177 – .NET Elevation of Privilege Vulnerability (affects .NET 10.0, 9.0, 8.0, and .NET Framework 3.5, 4.6.2, 4.7, 4.7.2, 4.8, 4.8.1)
• CVE-2026-35433 – .NET Elevation of Privilege Vulnerability (affects .NET 10.0, 9.0, 8.0)
• CVE-2026-32175 – .NET Tampering Vulnerability (affects .NET 10.0, 9.0, 8.0)
• CVE-2026-42899 – .NET Denial of Service Vulnerability (affects .NET 10.0, 9.0, 8.0)

"The elevation of privilege flaws are particularly concerning as they could allow an attacker to gain higher-level access," explained Marcus Lee, senior security engineer at DevSecOps Inc. "The tampering vulnerability also opens the door to data integrity attacks."

Background

Microsoft regularly releases combined servicing updates for .NET and .NET Framework on the second Tuesday of each month. These updates include both security and non-security fixes. The May 2026 cycle is no exception, with patches for three .NET major versions (10.0, 9.0, 8.0) and multiple .NET Framework editions.

The specific builds released are .NET 10.0.8, .NET 9.0.16, and .NET 8.0.27. Each includes updated runtime, ASP.NET Core, and Entity Framework Core components. For .NET Framework, separate security and non-security updates are available via the release notes.

What This Means

Developers and IT administrators must apply these patches as soon as possible to close critical security gaps. "Given the elevation of privilege and tampering risks, unpatched systems could be exploited in targeted attacks," said Chen. "Organizations using .NET for production services should treat this update as urgent."

The updates are available through standard channels: installers and binaries, container images, and Linux packages. Users are encouraged to review the known issues for each version before deployment.

Release Details

For .NET 10.0.8, the changelog includes updates to ASP.NET Core, Entity Framework Core, and the runtime. Similar updates apply to .NET 9.0.16 and 8.0.27. Microsoft has also posted a feedback issue for user comments on this release.

The next servicing update is expected in June 2026. Until then, users are advised to stay on the latest builds. "Don't wait – update today," urged Lee.