.NET 8.0.21 release carries the security fixes and non-security fixes.$$$$$$CVE-2025-55248 | .NET Information Disclosure Vulnerability$$$$$$Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.$$$$$$A MITM (man in the middle) attacker may prevent use of TLS between client and SMTP server; forcing client to send data over unencrypted connection.$$$$$$CVE-2025-55315 | .NET Security Feature Bypass Vulnerability$$$$$$Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core 8.0. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.$$$$$$Inconsistent interpretation of http requests (http request/response smuggling) in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.$$$$$$CVE-2025-55247 | .NET Denial of Service Vulnerability$$$$$$Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0.xxx. This advisory also provides guidance on what developers can do to update their environments to remove this vulnerability.$$$$$$A vulnerability exists in .NET where predictable paths for MSBuilds temporary directories on Linux let another user create the directories ahead of MSBuild; leading to DoS of builds. This only affects .NET on Linux operating systems.

Notable Changes$$$.NET April 2025 Blog$$$$$$.NET 8.0.15 release carries security fixes and non-security fixes.$$$$$$Microsoft Security Advisory CVE-2025-26682 | .NET Denial of Service Vulnerability$$$Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core 9.0 and ASP.NET Core 8.0. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.$$$$$$A vulnerability exists in ASP.NET Core where using HTTP/3 improperly may result in a Denial of Service by allocation of resources without limits or throttling.$$$$$$Visual Studio Compatibility$$$You need Visual Studio 17.8 or later to use .NET 8.0 on Windows. While not officially supported; we’ve also enabled rudimentary support for .NET 8 in Visual Studio for Mac. Users have to enable a preview feature in Preferences to enable the IDE to discover and use the .NET 8 SDK for creating; loading; building; and debugging projects. The C# extension for Visual Studio Code supports .NET 8.0 and C# 12.

Notable Changes$$$.NET March 2025 Blog$$$$$$.NET 8.0.14 release carries the security fixes and non-security fixes.$$$$$$Microsoft Security Advisory CVE-2025-24070 | .NET Elevation of Privilege Vulnerability$$$Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core 9.0 ; ASP.NET Core 8.0; and ASP.NET Core 2.3. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.$$$$$$A vulnerability exists in ASP.NET Core applications calling RefreshSignInAsync with an improperly authenticated user parameter that could allow an attacker to sign into another users account; resulting in Elevation of Privilege.$$$$$$Visual Studio Compatibility$$$You need Visual Studio 17.12 or later to use .NET 8.0 on Windows. While not officially supported; we’ve also enabled rudimentary support for .NET 8 in Visual Studio for Mac. Users have to enable a preview feature in Preferences to enable the IDE to discover and use the .NET 8 SDK for creating; loading; building; and debugging projects. The C# extension for Visual Studio Code supports .NET 8.0 and C# 12.

Notable Changes$$$.NET January 2025 Blog$$$$$$.NET 8.0.12 release carries the security fixes and non-security fixes.$$$$$$Microsoft Security Advisory CVE-2025-21172 | .NET and Visual Studio Remote Code Execution Vulnerability$$$Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 and .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.$$$$$$An attacker could exploit this vulnerability by loading a specially crafted file in Visual Studio.$$$$$$Microsoft Security Advisory CVE-2025-21173 | .NET Elevation of Privilege Vulnerability$$$Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 and .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.$$$$$$An attacker could exploit this vulnerability to writing a specially crafted file in the security context of the local system. This only affects .NET on Linux operating systems.$$$$$$Microsoft Security Advisory CVE-2025-21176 | .NET and Visual Studio Remote Code Execution Vulnerability$$$Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 and .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.$$$$$$An attacker could exploit this vulnerability by loading a specially crafted file in Visual Studio.$$$$$$Visual Studio Compatibility$$$You need Visual Studio 17.12 or later to use .NET 8.0 on Windows. While not officially supported; we’ve also enabled rudimentary support for .NET 8 in Visual Studio for Mac. Users have to enable a preview feature in Preferences to enable the IDE to discover and use the .NET 8 SDK for creating; loading; building; and debugging projects. The C# extension for Visual Studio Code supports .NET 8.0 and C# 12.

Notable Changes$$$This update contains non-security changes$$$$$$Visual Studio Compatibility$$$You need Visual Studio 17.11 or later to use .NET 8.0 on Windows. While not officially supported; we’ve also enabled rudimentary support for .NET 8 in Visual Studio for Mac. Users have to enable a preview feature in Preferences to enable the IDE to discover and use the .NET 8 SDK for creating; loading; building; and debugging projects. The C# extension for Visual Studio Code supports .NET 8.0 and C# 12.$$$$$$Feedback$$$Your feedback is important and appreciated. Weve created an issue at dotnet/core #9599 for your questions and comments.

.NET 8.0 Blog$$$$$$.NET 8.0.10 release carries the security fixes and non-security fixes.$$$$$$Microsoft Security Advisory CVE-2024-38229 | .NET Remote Code Execution Vulnerability$$$Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 and .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.$$$$$$A vulnerability exists in ASP.NET when closing an HTTP/3 stream while application code is writing to the response body; a race condition may lead to use-after-free.$$$$$$Note: HTTP/3 is experimental in .NET 6.0. If you are on .NET 6.0 and using HTTP/3; please upgrade to .NET 8.0.10. .NET 6.0 will not receive a security patch for this vulnerability.

.NET 8.0.8 - August 13; 2024$$$The .NET 8.0.8 and .NET SDK 8.0.400 releases are available for download. The latest 8.0 release is always listed at .NET 8.0 Releases.$$$$$$Downloads$$$SDK Installer1tSDK Binaries1tRuntime InstallertRuntime BinariestASP.NET Core RuntimetWindows Desktop Runtime$$$Windowstx86 | x64 | Arm64tx86 | x64 | Arm64tx86 | x64 | Arm64tx86 | x64 | Arm64tx86 | x64 |$$$Hosting Bundle2tx86 | x64 | Arm64$$$macOStx64 | ARM64tx64 | ARM64tx64 | ARM64tx64 | ARM64tx64 | ARM64t-$$$LinuxtSnap and Package Managertx64 | Arm | Arm64 | Arm32 Alpine | x64 AlpinetPackages (x64)tx64 | Arm | Arm64 | Arm32 Alpine | Arm64 Alpine | x64 Alpinetx641 | Arm1 | Arm641 | x64 Alpinet-$$$ChecksumstChecksumstChecksumstChecksumstChecksumstChecksums$$$Includes the .NET Runtime and ASP.NET Core Runtime$$$For hosting stand-alone apps on Windows Servers. Includes the ASP.NET Core Module for IIS and can be installed separately on servers without installing .NET Runtime.$$$The .NET SDK includes a matching updated .NET Runtime. Downloading the Runtime or ASP.NET Core packages is not needed when installing the SDK.$$$$$$You can check your .NET SDK version by running the following command. The example version shown is for this release.$$$$$$$ dotnet --version$$$8.0.400$$$Docker Images$$$The .NET Docker images have been updated for this release. The .NET Docker samples show various ways to use .NET and Docker together. You can use the following command to try running the latest .NET 8.0 release in containers:$$$$$$docker run --rm mcr.microsoft.com/dotnet/samples$$$The following repos have been updated.$$$$$$dotnet/sdk: .NET SDK$$$dotnet/aspnet: ASP.NET Core Runtime$$$dotnet/runtime: .NET Runtime$$$dotnet/runtime-deps: .NET Runtime Dependencies$$$dotnet/monitor: .NET Monitor$$$dotnet/monitor/base: .NET Monitor Base$$$dotnet/aspire-dashboard: .NET Aspire Dashboard$$$dotnet/samples: .NET Samples$$$Notable Changes$$$.NET 8.0 Blog$$$$$$.NET 8.0.8 release carries the security fixes and non-security fixes.$$$$$$CVE-2024-38168 | .NET Denial of Service Vulnerability$$$$$$Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.$$$$$$A vulnerability exists in .NET when an attacker through unauthenticated requests may trigger a Denial of Service in ASP.NET HTTP.sys web server. This is a windows OS only vulnerability.$$$$$$CVE-2024-38167 | .NET Information Disclosure Vulnerability$$$$$$Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.$$$$$$A vulnerability exists in .NET runtime TlsStream which may result in Information Disclosure.$$$$$$Visual Studio Compatibility$$$You need Visual Studio 17.11 or later to use .NET 8.0 on Windows. While not officially supported; we’ve also enabled rudimentary support for .NET 8 in Visual Studio for Mac. Users have to enable a preview feature in Preferences to enable the IDE to discover and use the .NET 8 SDK for creating; loading; building; and debugging projects. The C# extension for Visual Studio Code supports .NET 8.0 and C# 12.

Notable Changes$$$.NET 8.0 Blog$$$$$$.NET 8.0.7 release carries the security fixes and non-security fixes.$$$$$$CVE-2024-38095 | .NET Denial of Service Vulnerability$$$$$$Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0 and .NET 8.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.$$$$$$A Vulnerability exists when System.Formats.Asn1 in .NET parses an X.509 certificate or collection of certificates; a malicious certificate can result in excessive CPU consumption on all platforms result in Denial of Service.$$$$$$CVE-2024-35264 | .NET Remote Code Execution Vulnerability$$$$$$Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.$$$$$$A Vulnerability exists in ASP.NET Core 8 where Data Corruption in Kestrel HTTP/3 can result in remote code execution.$$$$$$Note: HTTP/3 is experimental in .NET 6.0. If you are on .NET 6.0 and using HTTP/3; please upgrade to .NET 8.0.7$$$$$$CVE-2024-30105 | .NET Denial of Service Vulnerability$$$$$$Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.$$$$$$A vulnerability exists in .NET when calling the JsonSerializer.DeserializeAsyncEnumerable method against an untrusted input using System.Text.Json may result in Denial of Service.

Notable Changes$$$.NET 8.0 Blog$$$$$$.NET 8.0.6 release carries the security fixes and non-security fixes.$$$$$$WiX toolset signed with incorrect certificate$$$The .NET 8.0.5 release on May 14; 2024 included updates to the WiX toolset which were incorrectly signed. This cased failures in scenarios on Windows where Code Integrity checks were enabled.$$$$$$CVE-2024-20672 | .NET Denial of Service Vulnerability$$$$$$Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0; .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.$$$$$$A vulnerability exists in .NET when processing X.509 certificates that may result in Denial of Service. This vulnerabilty only affects macOS.

Notable Changes$$$.NET 8.0 Blog$$$$$$.NET 8.0.5 release carries security and non-security fixes.$$$$$$CVE-2024-30045 | .NET Remote Code Execution Vulnerability$$$$$$Microsoft is releasing this security advisory to provide information about a vulnerability in .NET. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.$$$$$$A Remote Code Execution vulnerability exists in .NET 7.0 and .NET 8.0 where a stack buffer overrun occurs in .NET Double Parse routine.$$$$$$CVE-2024-30046 | .NET Denial of Service Vulnerability$$$$$$Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 8.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.$$$$$$A Vulnerability exist in Microsoft.AspNetCore.Server.Kestrel.Core.dll where a dead-lock can occur resulting in Denial of Service.

Notable Changes$$$.NET 8.0 Blog$$$$$$.NET 8.0.4 release carries security and non-security fixes.$$$$$$CVE-2024-21409 | .NET Elevation of Privilege Vulnerability$$$$$$Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0; .NET 7.0 ;and .NET 8.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.$$$$$$A use-after-free vulnerability exists in WPF which may result in Elevation of Privilege when viewing untrusted documents.

Notable Changes$$$.NET 8.0 Blog$$$$$$.NET 8.0.3 release carries security and non-security fixes.$$$$$$CVE-2024-21392 | .NET Denial of Service Vulnerability$$$$$$Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 8.0 . This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.$$$$$$A vulnerability exists in .NET where specially crafted requests may cause a resource leak; leading to a Denial of Service$$$$$$CVE-2024-26190 | Microsoft QUIC Denial of Service Vulnerability$$$$$$Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 8.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.$$$$$$A Vulnerability exist in MsQuic.dll which might result in a peer to allocate small chunks of memory as long as connection stays alive.

Notable Changes$$$.NET 8.0 Blog$$$$$$.NET 8.0.1 release carries security and non-security fixes.$$$$$$CVE-2024-0056 - Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data provider Information Disclosure Vulnerability$$$$$$Microsoft is releasing this security advisory to provide information about a vulnerability in .NETs System.Data.SqlClient and Microsoft.Data.SqlClient NuGet Packages. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.$$$$$$A vulnerability exists in the Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data provider where an attackercan perform an AiTM (adversary-in-the-middle) attack between the SQL client and the SQL server. This may allow the attacker to steal authentication credentials intended for the database server; even if the connection is established over an encrypted channel like TLS.$$$$$$CVE-2024-0057- .NET Security Feature bypass Vulnerability$$$$$$Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0; .NET 7.0 and .NET 8.0 . This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.$$$$$$A security feature bypass vulnerability exists when Microsoft .NET Framework-based applications use X.509 chain building APIs but do not completely validate the X.509 certificate due to a logic flaw. An attacker could present an arbitrary untrusted certificate with malformed signatures; triggering a bug in the framework. The framework will correctly report that X.509 chain building failed; but it will return an incorrect reason code for the failure. Applications which utilize this reason code to make their own chain building trust decisions may inadvertently treat this scenario as a successful chain build. This could allow an adversary to subvert the apps typical authentication logic.$$$$$$CVE-2024-21319 - .NET Denial of Service Vulnerability$$$$$$Microsoft is releasing this security advisory to provide information about a vulnerability in the ASP.NET Core project templates. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.$$$$$$A Denial of Service vulnerability exists in ASP.NET Core project templates which utilize JWT-based authentication tokens. This vulnerability allows an unauthenticated client to consume arbitrarily large amounts of server memory; potentially triggering an out-of-memory condition on the server and making the server no longer able to respond to legitimate requests.$$$$$$Visual Studio Compatibility$$$You need Visual Studio 17.8 or later to use .NET 8.0 on Windows. While not officially supported; we’ve also enabled rudimentary support for .NET 8 in Visual Studio for Mac. Users have to enable a preview feature in Preferences to enable the IDE to discover and use the .NET 8 SDK for creating; loading; building; and debugging projects. The C# extension for Visual Studio Code supports .NET 8.0 and C# 11.

Notable Changes$$$.NET 8.0 Blog$$$$$$.NET 8.0.0 release carries security and non-security fixes.$$$$$$CVE-2023-36038 - .NET Denial of Service Vulnerability$$$$$$Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core 8.0 RC2. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.$$$$$$A vulnerability exists in ASP.NET IIS where a remote unauthenticated user can issue specially crafted requests to a .NET application which may result in denial of service. This vulnerability only impacts Windows OS.$$$$$$CVE-2023-36049 - .NET Elevation of Privilege Vulnerability$$$$$$Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0; .NET 7.0 and .NET 8.0 RC2. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.$$$$$$An elevation of privilege vulnerability exists in .NET where untrusted URIs provided to System.Net.WebRequest.Create can be used to inject arbitrary commands to backend FTP servers.$$$$$$CVE-2023-36558 - .NET Security Feature Bypass Vulnerability$$$$$$Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core 6.0; ASP.NET Core 7.0 and; ASP.NET Core 8.0 RC2. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.$$$$$$A security feature bypass vulnerability exists in ASP.NET where an unauthenticated user is able to bypass validation on Blazor server forms which could trigger unintended actions.