Notable Changes$$$.NET 9.0 October 2025 Blog$$$$$$.NET 9.0.10 release carries the security fixes and non-security fixes.$$$$$$CVE-2025-55248 | .NET Information Disclosure Vulnerability$$$$$$Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.$$$$$$A MITM (man in the middle) attacker may prevent use of TLS between client and SMTP server; forcing client to send data over unencrypted connection.$$$$$$CVE-2025-55315 | .NET Security Feature Bypass Vulnerability$$$$$$Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core 9.0. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.$$$$$$Inconsistent interpretation of http requests (http request/response smuggling) in ASP.NET Core allows an authorized attacker to bypass a security feature over a network.$$$$$$CVE-2025-55247 | .NET Denial of Service Vulnerability$$$$$$Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 9.0.xxx. This advisory also provides guidance on what developers can do to update their environments to remove this vulnerability.$$$$$$A vulnerability exists in .NET where predictable paths for MSBuilds temporary directories on Linux let another user create the directories ahead of MSBuild; leading to DoS of builds. This only affects .NET on Linux operating systems.

Notable Changes$$$.NET 9.0 Blog$$$$$$.NET 9.0.4 release carries security fixes and non-security fixes.$$$$$$Microsoft Security Advisory CVE-2025-26682 | .NET Denial of Service Vulnerability$$$Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core 9.0 and ASP.NET Core 8.0. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.$$$$$$A vulnerability exists in ASP.NET Core where using HTTP/3 improperly may result in a Denial of Service by allocation of resources without limits or throttling.$$$$$$Visual Studio Compatibility$$$You need Visual Studio 17.12 or later to use .NET 9.0 on Windows. While not officially supported; we’ve also enabled rudimentary support for .NET 9 in Visual Studio for Mac. Users have to enable a preview feature in Preferences to enable the IDE to discover and use the .NET 9 SDK for creating; loading; building; and debugging projects. The C# extension for Visual Studio Code supports .NET 9.0 and C# 12.

Notable Changes$$$.NET 9.0 Blog$$$$$$.NET 9.0.3 release carries the security fixes and non-security fixes.$$$$$$Microsoft Security Advisory CVE-2025-24070 | .NET Elevation of Privilege Vulnerability$$$Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core 9.0 ; ASP.NET Core 8.0; and ASP.NET Core 2.3. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.$$$$$$A vulnerability exists in ASP.NET Core applications calling RefreshSignInAsync with an improperly authenticated user parameter that could allow an attacker to sign into another users account; resulting in Elevation of Privilege.$$$$$$Visual Studio Compatibility$$$You need Visual Studio 17.12 or later to use .NET 9.0 on Windows. While not officially supported; we’ve also enabled rudimentary support for .NET 9 in Visual Studio for Mac. Users have to enable a preview feature in Preferences to enable the IDE to discover and use the .NET 9 SDK for creating; loading; building; and debugging projects. The C# extension for Visual Studio Code supports .NET 9.0 and C# 12.

Notable Changes$$$.NET January 2025 Blog$$$$$$.NET 9.0.1 release carries the security fixes and non-security fixes.$$$$$$Microsoft Security Advisory CVE-2025-21171 | .NET Remote Code Execution Vulnerability$$$Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.$$$$$$An attacker could exploit this vulnerability by loading a specially crafted file into a vulnerable application.$$$$$$Microsoft Security Advisory CVE-2025-21172 | .NET and Visual Studio Remote Code Execution Vulnerability$$$Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 and .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.$$$$$$An attacker could exploit this vulnerability by loading a specially crafted file in Visual Studio.$$$$$$Microsoft Security Advisory CVE-2025-21173 | .NET Elevation of Privilege Vulnerability$$$Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 and .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.$$$$$$An attacker could exploit this vulnerability to writing a specially crafted file in the security context of the local system. This only affects .NET on Linux operating systems.$$$$$$Microsoft Security Advisory CVE-2025-21176 | .NET and Visual Studio Remote Code Execution Vulnerability$$$Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 and .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.$$$$$$An attacker could exploit this vulnerability by loading a specially crafted file in Visual Studio.$$$$$$Visual Studio Compatibility$$$You need Visual Studio 17.12 or later to use .NET 9.0 on Windows. While not officially supported; we’ve also enabled rudimentary support for .NET 9 in Visual Studio for Mac. Users have to enable a preview feature in Preferences to enable the IDE to discover and use the .NET 9 SDK for creating; loading; building; and debugging projects. The C# extension for Visual Studio Code supports .NET 9.0 and C# 12.

Notable Changes$$$.NET 9.0 Blog$$$$$$.NET 9.0.0 release carries the security fixes and non-security fixes.$$$$$$Microsoft Security Advisory CVE-2024-43498 | .NET Remote Code Execution Vulnerability$$$Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.$$$$$$A remote unauthenticated attacker could exploit this vulnerability by sending specially crafted requests to a .NET vulnerable webapp or loading a specially crafted file into a vulnerable application.$$$$$$Microsoft Security Advisory CVE-2024-43499 | .NET Denial of Service Vulnerability$$$Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 9.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.$$$$$$The NrbfDecoder component in .NET 9 contains a denial of service vulnerability due to incorrect input validation.