CVE-2026-50649: Update .NET 8.0.29 to Fix Code Execution

Microsoft has patched CVE-2026-50649, a high-severity .NET vulnerability that can allow an attacker to execute code after a victim processes maliciously constructed data. The flaw was disclosed on July 14, 2026, with fixes delivered through .NET 8.0.29, .NET 9.0.18, .NET 10.0.10, updated Visual Studio builds, and July’s .NET Framework cumulative updates.
Detailed in Microsoft’s Security Update Guide and July .NET servicing announcement, CVE-2026-50649 carries a CVSS 3.1 base score of 7.8 and an “Important” rating from Microsoft. It is not listed as publicly disclosed or exploited in the wild, but administrators should not let the remote code execution label obscure the practical risk to developer workstations and applications that deserialize untrusted content.

Cybersecurity-themed illustration showing a developer protecting .NET code from malware with layered defenses.The Attack Starts Locally, Not Across the Network​

Microsoft describes CVE-2026-50649 as deserialization of untrusted data, classified under CWE-502. An unauthorized attacker could use the flaw to execute code locally, potentially gaining the confidentiality, integrity, and availability impact associated with arbitrary code running in the affected process.
The CVSS vector is important because it puts boundaries around the headline. CVE-2026-50649 has a local attack vector, low attack complexity, requires no existing privileges, and requires user interaction. In other words, Microsoft is not describing an unauthenticated attacker directly sending one packet to any internet-facing .NET service and immediately taking control.
A likely attack path instead involves persuading a user or process to open, import, build, inspect, or otherwise handle attacker-controlled serialized data. Microsoft has not published enough technical detail to identify the exact file format, component, or application workflow that reaches the vulnerable code, so defenders should avoid assuming that only one narrow development scenario is exposed.
That distinction also explains why a vulnerability titled “Remote Code Execution” can have a local CVSS attack vector. Remote code execution describes the eventual security impact: attacker-chosen code runs on the victim’s system. The vector describes how the attacker reaches the vulnerable component.
The result remains serious on developer machines. Visual Studio commonly operates against source trees, packages, generated artifacts, build scripts, test data, and project metadata obtained from outside the local trust boundary. A malicious repository, attachment, package, or build input can therefore turn required user interaction into a realistic delivery mechanism even when the vulnerable component is not directly exposed to the network.

Microsoft’s Product Lists Need Careful Reading​

The published CVE record identifies the following affected version ranges and fixed releases:
  • .NET 8.0 releases before 8.0.29 are affected.
  • .NET 9.0 releases before 9.0.18 are affected.
  • Visual Studio 2022 17.12 releases before 17.12.22 are affected.
  • Visual Studio 2022 17.14 releases before 17.14.36 are affected.
  • Visual Studio 2026 18.7 releases before 18.7.4 are affected.
Microsoft’s separate .NET servicing post also says CVE-2026-50649 applies to .NET 10.0 and points customers to .NET 10.0.10 as July’s serviced release. Organizations running .NET 10 should consequently deploy 10.0.10 rather than treating its omission from some replicated CVE product tables as evidence that the current LTS branch is unaffected.
July’s .NET Framework cumulative update documentation also names CVE-2026-50649 among the security issues addressed for .NET Framework 3.5, 4.8, and 4.8.1 on supported Windows releases. For example, KB5102203 covers those Framework versions on Windows 10 22H2 and is available through Windows Update, Windows Update for Business, the Microsoft Update Catalog, and WSUS.
This documentation is broader than the five-product list in the initial CVE record. Until Microsoft aligns every advisory and product table, the safer operational interpretation is to install the applicable July 14 servicing update across supported .NET, Visual Studio, and .NET Framework deployments rather than attempting to carve out exceptions based on one page.
Microsoft says it is not currently aware of known issues with the Windows 10 22H2 .NET Framework cumulative update. That does not eliminate the need for application testing, particularly where organizations depend on older Framework applications with strict compatibility requirements, but it removes an obvious reason to defer deployment indefinitely.

Runtime Updates Do Not Automatically Fix Every Deployment​

For Windows administrators, the central question is not simply whether Windows Update ran. Modern .NET can be installed and serviced independently of the operating system, and applications may carry their own copy of the runtime through a self-contained deployment.
A framework-dependent application uses a compatible shared runtime installed on the host. Updating that runtime can protect applications that resolve to the serviced version, subject to their runtime selection and roll-forward configuration.
A self-contained application is different. Its published directory includes the .NET runtime selected when the application was built. Installing .NET 8.0.29 globally does not necessarily replace the vulnerable runtime files bundled with an application that was published using an earlier .NET 8 release.
Development teams should therefore inventory both shared installations and application artifacts. Useful checks include dotnet --list-runtimes, dotnet --list-sdks, software inventory records, container manifests, build-pipeline definitions, and published application directories containing runtime files.
Applications built into container images also need to be rebuilt from updated base images. Pulling a patched Microsoft container image into a registry does not alter an already deployed image, running container, or cached build layer. Teams should rebuild, redeploy, and verify the runtime version inside the resulting container rather than relying only on the tag name in a Dockerfile.
The same principle applies to CI workers and ephemeral build agents. An outdated Visual Studio installation or .NET SDK on a build server may continue processing untrusted source and dependency content even after employee workstations have been patched.

Deserialization Turns Data Into a Trust Decision​

Deserialization reconstructs objects from stored or transmitted data. It becomes dangerous when software accepts attacker-influenced input and permits that input to select unexpected types, object graphs, callbacks, or other behavior with security consequences.
CVE-2026-50649’s CWE-502 classification indicates that the vulnerable path does not adequately contain that trust boundary. Microsoft has not released exploit mechanics, proof-of-concept code, or a component-level root-cause analysis, so it is not yet possible to provide a reliable hunting signature based on a particular extension, class, or API call.
That absence of public exploit detail reduces immediate attacker knowledge but does not make the vulnerability theoretical. Microsoft is the assigning authority, has confirmed the issue, supplied a complete CVSS vector, and released corrected builds. The advisory’s temporal metrics also indicate that an official fix is available and that Microsoft considers the vulnerability technically confirmed.
The required user interaction may offer some protection in tightly controlled server environments, but developer endpoints are harder to dismiss. Opening unfamiliar solutions, cloning repositories, evaluating proof-of-concept projects, and reviewing supplied sample files are ordinary parts of software development and security research.
Endpoint controls should continue to treat source code and project files from untrusted origins as potentially active content. Running unfamiliar projects in an isolated VM or disposable development environment remains sensible, especially while Microsoft’s public advisory does not identify the exact interaction needed to trigger CVE-2026-50649.

Patch the Toolchain and the Software It Produces​

The immediate response is to move supported installations to .NET 8.0.29, .NET 9.0.18, or .NET 10.0.10, and update Visual Studio 2022 and Visual Studio 2026 to the fixed builds. Windows estates using .NET Framework should approve the applicable July 14, 2026 cumulative updates through their normal Windows servicing channel.
Administrators should then search for unsupported .NET branches, pinned container digests, self-contained deployments, offline build systems, and Visual Studio instances excluded from centralized update policies. Those are the places where a successful Patch Tuesday rollout can still leave vulnerable code in production.
CVE-2026-50649 is not currently presented as a network worm or an exploited zero-day. Its practical danger lies elsewhere: trusted developer tools and applications may convert hostile serialized data into code execution, and updating only the Windows operating system may not reach every copy of the affected runtime.

References​

  1. Primary source: MSRC
    Published: 2026-07-14T07:00:00-07:00
 

Back
Top