.NET 10 Ships with Ubuntu 26.04 LTS — Here's What's New

Emiliano Montesdeoca — Sat, 25 Apr 2026 00:00:00 +0000

It’s Ubuntu LTS day. Ubuntu 26.04 (Resolute Raccoon) launched today, and as with every Ubuntu LTS, it ships with the latest .NET LTS — in this case, .NET 10.

If you deploy .NET apps on Linux, this is the release cycle you care about. LTS on LTS — five years of support for the OS, matching .NET 10’s own long-term support window.

Install .NET 10 in two commands

sudo apt update
sudo apt install dotnet-sdk-10.0

That’s it. .NET is one of the officially supported toolchains on Ubuntu — not a third-party add-on. Microsoft and Canonical work together to make sure it works on day one.

Try it immediately

Here’s the thing I love about this: you can pull an ubuntu:resolute container image and be running C# in under a minute.

docker run --rm -it ubuntu:resolute
apt update
apt install -y dotnet-sdk-10.0
dotnet run - << 'EOF'
using System.Runtime.InteropServices;
Console.WriteLine($"Hello {RuntimeInformation.OSDescription} from .NET {RuntimeInformation.FrameworkDescription}");
EOF

That dotnet run - with a heredoc is a file-based app pattern — no project file, no directory, just C# piped to stdin. Honest, if you haven’t tried file-based apps yet, it’s worth a look.

Containers: update `-noble` to `-resolute`

The new container images use the resolute tag. Migration is a one-liner:

sed -i "s/noble/resolute/g" Dockerfile

All existing image flavors — including Chiseled — are available. The Chiseled images are still my go-to for production: minimal attack surface, no shell, no package manager, just the runtime. Update the tag and rebuild.

Native AOT: 3ms startup, 1.4MB binary

Ubuntu 26.04 ships a dedicated AOT package:

apt install -y dotnet-sdk-aot-10.0 clang

Here’s what you get when you publish a simple app:

dotnet publish app.cs
# artifacts/app/app — 1.4MB native binary

Startup time:

real 0m0.003s

3 milliseconds. For a full ASP.NET Core web service, the self-contained binary is around 13MB. That’s a completely self-contained deployable with no runtime dependency whatsoever.

For cloud-native workloads where cold-start time matters — Functions, containers, serverless — this is a legitimate game changer.

What changed in Ubuntu 26.04 that affects .NET

Three things worth knowing:

Linux 7.0 — The .NET team will start Linux 7.0 testing once they get 26.04 VMs in the lab. No breaking changes expected, but they’ll verify.
Post-quantum cryptography — Ubuntu 26.04 introduces PQC support, and .NET 10 added post-quantum cryptography APIs as well. Good alignment.
cgroup v1 removed — Ubuntu 26.04 drops cgroup v1. .NET added cgroup v2 support years ago, so this is a non-event. But if you’re on an older runtime, double-check.

Need .NET 8 or 9?

Those are available via the dotnet-backports PPA:

apt install -y software-properties-common
add-apt-repository ppa:dotnet/backports
apt install -y dotnet-sdk-8.0 # or dotnet-sdk-9.0

Support is “best-effort” — not the same guarantee as the LTS package in the main archive — but the packages are there and they work.

Wrapping up

Every two years, the Ubuntu LTS + .NET LTS alignment gives you a solid, long-support foundation for production workloads. Ubuntu 26.04 with .NET 10 is that foundation for the next cycle.

If you’re containerizing .NET apps, update your Dockerfiles. If you’re deploying on bare metal or VMs, apt install dotnet-sdk-10.0 and you’re done.

Read the full post from Richard Lander for the complete installation walkthrough and container details.

Patch This Now: .NET 10.0.7 OOB Security Update for ASP.NET Core Data Protection

Emiliano Montesdeoca — Wed, 22 Apr 2026 00:00:00 +0000

This one is not optional. If your application uses Microsoft.AspNetCore.DataProtection, you need to update to 10.0.7.

What Happened

After the Patch Tuesday .NET 10.0.6 release, some users started reporting that decryption was failing in their applications. The issue was filed as aspnetcore#66335.

While investigating that regression, the team discovered it also exposed a security vulnerability: CVE-2026-40372.

In versions 10.0.0 through 10.0.6 of Microsoft.AspNetCore.DataProtection, the managed authenticated encryptor had a bug where it computed its HMAC validation tag over the wrong bytes of the payload and then discarded the computed hash. This could result in elevation of privilege.

In plain terms: the integrity check wasn’t doing what it was supposed to do. Data Protection uses authenticated encryption to prevent tampering — the HMAC is the “has this been modified?” check. If the HMAC is computed over the wrong data, you lose that guarantee.

Who Is Affected

Any .NET 10 application using Microsoft.AspNetCore.DataProtection — versions 10.0.0 through 10.0.6. The good news is this package is specific to .NET 10. If you’re still on .NET 8 or 9, you’re not affected by this specific CVE.

Common use cases for Data Protection: cookie encryption, antiforgery tokens, temp data in MVC, and any other use of IDataProtector in your application.

How to Fix It

Update the Microsoft.AspNetCore.DataProtection NuGet package to 10.0.7:

dotnet add package Microsoft.AspNetCore.DataProtection --version 10.0.7

Or update your SDK/runtime: download .NET 10.0.7.

Verify you’re on the right version:

dotnet --info

Then rebuild and redeploy your application. The fix doesn’t take effect until you’re running the updated package.

The Bigger Picture

Out-of-band security releases are uncommon — they happen when a vulnerability is serious enough that it can’t wait for the next scheduled Patch Tuesday. This one is a direct consequence of a regression in 10.0.6 creating a security gap. The fact that it was discovered through bug reports is a good sign that the process worked. The fix is fast and the scope is narrow.

If you’re running .NET 10 in production with any web application framework, this is a same-day update situation.

Original announcement by Rahul Bhandari: .NET 10.0.7 Out-of-Band Security Update.

.NET 10 | The .NET Blog