https://thedotnetblog.com/tags/servicing/Articles, tutorials and insights from the .NET community.Hugoen@thedotnetblog (The .NET Blog)@thedotnetblogWed, 15 Apr 2026 00:00:00 +0000https://thedotnetblog.com/news/emiliano-montesdeoca/dotnet-april-2026-servicing-security-patches/Wed, 15 Apr 2026 00:00:00 +0000Emiliano Montesdeocahttps://thedotnetblog.com/news/emiliano-montesdeoca/dotnet-april-2026-servicing-security-patches/The April 2026 servicing release patches 6 CVEs across .NET 10, .NET 9, .NET 8, and .NET Framework — including two remote code execution vulnerabilities.<p>The <a href="https://devblogs.microsoft.com/dotnet/dotnet-and-dotnet-framework-april-2026-servicing-updates/">April 2026 servicing updates</a> for .NET and .NET Framework are out, and this one includes security fixes you&rsquo;ll want to apply soon. Six CVEs patched, including two remote code execution (RCE) vulnerabilities.</p> <h2 id="whats-patched">What&rsquo;s patched</h2> <p>Here&rsquo;s the quick summary:</p> <table> <thead> <tr> <th>CVE</th> <th>Type</th> <th>Affects</th> </tr> </thead> <tbody> <tr> <td>CVE-2026-26171</td> <td>Security Feature Bypass</td> <td>.NET 10, 9, 8 + .NET Framework</td> </tr> <tr> <td>CVE-2026-32178</td> <td><strong>Remote Code Execution</strong></td> <td>.NET 10, 9, 8 + .NET Framework</td> </tr> <tr> <td>CVE-2026-33116</td> <td><strong>Remote Code Execution</strong></td> <td>.NET 10, 9, 8</td> </tr> <tr> <td>CVE-2026-32203</td> <td>Denial of Service</td> <td>.NET 10, 9, 8 + .NET Framework</td> </tr> <tr> <td>CVE-2026-23666</td> <td>Denial of Service</td> <td>.NET Framework 3.0–4.8.1</td> </tr> <tr> <td>CVE-2026-32226</td> <td>Denial of Service</td> <td>.NET Framework 2.0–4.8.1</td> </tr> </tbody> </table> <p>The two RCE CVEs (CVE-2026-32178 and CVE-2026-33116) affect the broadest range of .NET versions and should be the priority.</p> <h2 id="updated-versions">Updated versions</h2> <ul> <li><strong>.NET 10</strong>: 10.0.6</li> <li><strong>.NET 9</strong>: 9.0.15</li> <li><strong>.NET 8</strong>: 8.0.26</li> </ul> <p>All are available via the usual channels — <a href="https://dotnet.microsoft.com/download/dotnet/10.0">dotnet.microsoft.com</a>, container images on MCR, and Linux package managers.</p> <h2 id="what-to-do">What to do</h2> <p>Update your projects and CI/CD pipelines to the latest patch versions. If you&rsquo;re running containers, pull the latest images. If you&rsquo;re on .NET Framework, check the <a href="https://learn.microsoft.com/dotnet/framework/release-notes/release-notes">.NET Framework release notes</a> for the corresponding patches.</p> <p>For those running .NET 10 in production (it&rsquo;s the current release), 10.0.6 is a mandatory update. Same for .NET 9.0.15 and .NET 8.0.26 if you&rsquo;re on those LTS tracks. Two RCE vulnerabilities are not something you postpone.</p>