On July 14, 2026, Microsoft dropped a security advisory for CVE-2026-47303, an elevation-of-privilege flaw in ASP.NET Core. But don’t expect Windows Update to handle this one. If you’re running ASP.NET Core apps in containers, as self-contained deployments, or on Linux hosts, you’ve got manual work to do.
The Advisory: What We Know and What We Don’t
Microsoft confirmed the vulnerability in its Security Update Guide at 7:00 a.m. Pacific time, but the initial public record reads more like a placeholder than a complete diagnosis. The entry identifies ASP.NET Core as the affected product and classifies the impact as “elevation of privilege,” meaning a successful exploit could let an attacker gain higher permissions than intended. What’s missing is the technical meat: no root cause analysis, no attack vector description, and no in-the-wild evidence. Microsoft has only stated that the bug’s existence is “confirmed” — that’s the highest confidence level in its exploitability index, but it’s not the same as a sky-high CVSS score. In other words, the company is certain the flaw is real, but it’s not yet telling us how easy it is to trigger or how much damage it can cause.
This sparse detail puts defenders in a tough spot. Without knowing whether the vulnerability requires authentication, a specific hosting configuration, or local access, you can’t accurately triage risk. Yet the advisory’s existence means the clock is ticking: patch now, or risk attackers reverse-engineering the fix once it ships. As of this writing, there are no public exploit kits or signs of active attacks, but that can change overnight.
Why This Patch Is Different from Normal Tuesday Updates
If you treat CVE-2026-47303 like a standard Windows security bulletin and just approve the latest cumulative update, you’ll likely leave your ASP.NET Core applications vulnerable. Here’s why: ASP.NET Core doesn’t live inside the Windows OS layer like Internet Information Services (IIS) or the .NET Framework. Instead, it’s a cross-platform runtime that can be installed independently, bundled into application folders, or baked into container images. Microsoft’s fix will ship as a revised NuGet package and an updated shared runtime, but simply running Windows Update won’t touch those.
Consider these common deployment scenarios:
- Framework-dependent apps on Windows Server or Linux use a shared system-wide runtime. Patching the host with the latest .NET runtime update (often via a package manager or a standalone installer) does deliver the fix — but only after you restart the application to load the new bits.
- Self-contained deployments carry their own copy of the .NET runtime inside the publish folder. Updating the host machine does absolutely nothing for these apps. You must republish them with a patched SDK and redeploy the entire output.
- Containerized apps (whether Windows or Linux containers) inherit the runtime from a base image. Pulling an updated base image doesn’t retroactively fix images you’ve already built. You’ll need to rebuild your application images, push them to a registry, and redeploy containers — a full CI/CD cycle.
- Azure-hosted services like App Service or Azure Functions might auto-patch the underlying platform, but if you’ve used a custom container or a self-contained deployment, you remain on the hook.
Your Action Plan: Inventory, Patch, Rebuild
Start by finding every ASP.NET Core workload in your environment — even the ones you forgot about. Internal APIs, admin portals, build agents, and vendor-supplied applications all count. Use these commands and clues:
- On servers, run
dotnet --list-runtimesto see installed shared runtimes. Look forMicrosoft.AspNetCore.Appentries. Compare the version against Microsoft’s list of fixed releases once published. - For deployed applications, check for
.runtimeconfig.jsonfiles in publish directories. Inside, theruntimeOptions.frameworksection reveals whether the app targets a shared framework. - Scan your container registries and running pods for images based on
mcr.microsoft.com/dotnet/aspnetormcr.microsoft.com/dotnet/sdk. Even stopped containers may need to be rebuilt. - If you generate software bills of materials (SBOMs), filter for ASP.NET Core components. These can pinpoint affected apps quickly.
Once you’ve mapped the landscape, apply fixes according to the deployment type:
Framework-Dependent Apps
- Update the host’s .NET runtime to the patched version via your normal channel (MSI installer, Linux package manager, or Azure Update Manager).
- Restart the application pool (IIS) or the Kestrel process to pick up the new runtime.
- Verify with
dotnet --infoor by checking the app’s response headers after restart.
Self-Contained Apps
- Install the patched .NET SDK on your build machine.
- Republish the application (e.g.,
dotnet publish -c Release). - Replace the existing deployment folder on the target server with the new output.
- Restart the application.
Containerized Apps
- Update your Dockerfile’s
FROMstatement to a base image that includes the fix (once Microsoft publishes updated tags). - Rebuild the image, push it to your registry, and update your deployments (e.g.,
kubectl rollout restartor redeploy your service). - Update any CI/CD pipeline references to pinned base-image digests or version numbers.
A critical pitfall: after patching a shared runtime, you might run an old container or self-contained app that still loads the vulnerable bits. Don’t assume one patch covers everything. Separate your compliance reports into “host runtime” and “application artifact” checks.
General Hardening Steps
While you’re at it, review these settings to limit blast radius:
- Run application pools and Kestrel services under dedicated, least-privilege accounts.
- Restrict write access to deployment directories, configuration files, and Data Protection key stores.
- Ensure authentication and authorization middleware is correctly configured — test policies after patching.
- Keep proxy, endpoint, and identity logs for at least 30 days so you can hunt for post-compromise indicators later.
The Bigger Picture: .NET’s Deployment Diversity
This isn’t the first time ASP.NET Core’s flexible hosting model has complicated patching, and it won’t be the last. Since .NET Core 1.0, Microsoft has moved away from a monolithic framework tied to Windows. The payoff is speed and portability, but the tradeoff is that security updates become your responsibility, not something a centralized service can handle. CVE-2026-47303 is a sharp reminder that “patch Tuesday” doesn’t always equal “done.”
Microsoft will likely flesh out the advisory with a CVSS score, affected version ranges, and possibly a more detailed FAQ in the coming days. Until then, the safest path is to assume any ASP.NET Core runtime without today’s patch is vulnerable. The fact that the vulnerability is only “confirmed” rather than “exploitation detected” doesn’t buy you much time — if history is any guide, attackers will deconstruct the fix within hours of its release.
What to Watch Next
Keep your eyes glued to the Microsoft Security Update Guide for CVE-2026-47303. As Microsoft adds affected software lists, CVSS details, and mitigation guidance, your triage priorities may shift. Also monitor GitHub’s .NET announcement repository and the official .NET blog for runtime download links. If you’re an enterprise customer, check your Microsoft Defender portal for any related detection signals — though without attack details, alerts may be generic.
In the meantime, move fast but systematically: inventory, identify every deployment model, apply the right patch for each, and rebuild anything that didn’t come from a shared runtime update. This isn’t a one-click fix, but with the right process, it’s entirely manageable.