It happened again. Microsoft’s July 14, 2026 Patch Tuesday delivered a fix for a high-severity .NET vulnerability that lets remote attackers bypass cryptographic signature checks with no user interaction. Tracked as CVE-2026-47304, the flaw scored an 8.1 on the CVSS 3.1 scale, meaning an unauthenticated attacker on the network can abuse the bug to compromise confidentiality, integrity, and availability of data. If you develop or run .NET applications, this is not a drill.
The Vulnerability and Its Fix
Microsoft confirmed the flaw stems from improper verification of a cryptographic signature inside the .NET runtime. Attackers can craft signed data that the vulnerable software accepts as legitimate, even though the authenticity hasn’t been properly established. That can open the door to accepting modified documents, loading tampered packages, or treating an attacker-controlled object as if it came from a trusted source.
The MSRC advisory maps the issue to two weakness categories: CWE-347 (Improper Verification of Cryptographic Signature) and CWE-345 (Insufficient Verification of Data Authenticity). These tell a clear story: the software’s signature-checking routine isn’t actually checking what it should. Crucially, Microsoft emphasizes that the problem lies not in the cryptographic algorithms themselves but in how the runtime validates the signatures those algorithms produce.
Servicing updates shipped across multiple channels on July 14, 2026. The .NET 8, .NET 9, and .NET 10 runtimes each received patched releases:
- .NET 8.0.29
- .NET 9.0.18
- .NET 10.0.10
For .NET Framework users, the fix arrived through standard Windows Update and the Microsoft Update Catalog. For instance, on Windows 10 version 22H2, KB5102203 covers .NET Framework 3.5, 4.8, and 4.8.1. Other supported Windows and Windows Server versions received their own corresponding packages.
Visual Studio was also affected. Microsoft lists these minimum version requirements:
- Visual Studio 2022 version 17.12 → 17.12.22
- Visual Studio 2022 version 17.14 → 17.14.36
- Visual Studio 2026 version 18.7 → 18.7.4
No workarounds or configuration-based mitigations exist, according to the advisory. Patching is the only reliable defense.
Are Your Systems Affected? The Product List Is Bigger Than You Think
Early NVD records listed only the three Visual Studio product lines, which might trick some admins into ignoring the .NET runtimes. Don’t fall for it. Microsoft’s servicing announcement explicitly states that CVE-2026-47304 applies to .NET 8.0, .NET 9.0, .NET 10.0, .NET Framework, and Visual Studio. The initial CVE entry was still under enrichment on July 14; always refer to the vendor’s own guidance.
Who exactly needs to act?
- Developers and power users running any .NET 8.0.x, 9.0.x, or 10.0.x runtime on their machines—regardless of whether they’re building apps, running server software, or just tinkering.
- IT administrators overseeing servers, CI/CD pipelines, or container environments where .NET workloads execute.
- Anyone with Visual Studio installed—build agents, developer workstations, and offline layout images all count.
- Windows users and businesses with .NET Framework 3.5, 4.8, or 4.8.1 installed; the fix arrives through the regular Windows servicing channel.
Check your installed versions with a quick command:
dotnet --list-runtimes
Look for the version numbers in the output. If you see 8.0.28 or older, 9.0.17 or older, or 10.0.9 or older, you’re vulnerable. For Visual Studio, open the Help > About menu and verify the version number matches or exceeds the fixed ones listed above. For .NET Framework, ensure Windows Update has installed the latest security patches.
How Exploitation Could Work
Microsoft hasn’t published the exact API, protocol, or application workflow that is susceptible, but the vector is clear enough to understand the risk. Any .NET code that relies on cryptographic signatures to validate data—signed documents, authenticated API tokens, integrity-protected packages, digitally signed executables—could be vulnerable. An attacker who successfully exploits the bug can supply malicious data that the application treats as authentic.
The high attack complexity (AC:H in the CVSS vector) suggests exploitation depends on conditions outside the attacker’s direct control—perhaps a specific application configuration, a particular dependency, or a timing window. However, given that the attack requires no privileges and no user interaction, and works over a network, internet-facing services are the most obvious targets. Internal applications that process signed content are not automatically safe.
Because the flaw involves signature verification, the damage can ripple widely. A single compromised signature-check could allow an attacker to:
- Inject malicious code into a build pipeline that trusts a signed package.
- Submit forged authentication tokens to a web API.
- Bypass integrity checks on downloaded updates or plugins.
In short, the vulnerability turns a fundamental security mechanism into Swiss cheese.
Your Update Checklist: How to Patch Every .NET Surface Right Now
No one wants to be the admin who didn’t patch a high-severity bug. Here’s a step-by-step plan to get your house in order.
For .NET Runtime (framework-dependent apps)
If your applications rely on the shared runtime, updating the runtime on the machine automatically protects them. Grab the latest runtime from the official .NET download page or let your package manager do the work:
- Windows, macOS, Linux (package managers):
apt-get update && apt-get upgrade dotnet-runtime-8.0(or the equivalent for your distro). - Direct download: https://dotnet.microsoft.com/download/dotnet
After installing, run dotnet --list-runtimes again to confirm the new build numbers.
For Self-Contained Deployments
Self-contained apps bundle their own runtime. Installing a shared runtime patch on the host does nothing for them. You must:
- Install the updated SDK (matching the major version of your app).
- Republish the application with the fixed runtime:
dotnet publish -c Release -r win-x64 --self-contained true(adjust runtime identifier as needed). - Redeploy the new output to servers, desktops, or containers.
For Containers
Container images don’t automatically refresh just because the host OS received a patch. Rebuild your images from Microsoft’s refreshed base images—the .NET team typically publishes patched Docker Hub and MCR images within hours of a security release. For .NET 8.0, the base image tag becomes mcr.microsoft.com/dotnet/runtime:8.0.29. Update your Dockerfiles, rebuild, and verify that old image digests are no longer running in production.
For Visual Studio
Open the Visual Studio Installer, click “Update” for the affected version channel. If you manage offline layouts, regenerate them with the installer to pick up the latest bootstrapper. Build agents and CI workers running the IDE should be patched with the same urgency as developer machines—an unpatched build agent is just as vulnerable as a publicly exposed server.
For .NET Framework on Windows
Windows Update is your friend. On a standalone machine, check for updates and install KB5102203 (or the equivalent for your Windows version). In enterprise environments, push the update via WSUS, Microsoft Configuration Manager, or Windows Update for Business. The SANS Internet Storm Center reports that this update was not flagged as having known issues, but as always, deploy in rings to catch any unexpected regressions.
A note on verification
After patching, use the version-checking commands mentioned earlier. On servers that retain multiple runtimes, ensure that the old, vulnerable version isn’t still sitting around—uninstall it if it’s not needed. For self-contained apps and containers, a quick scan of your deployment manifests and image tags will confirm that the new runtime is in place.
The Bigger Picture: Why This CVE Matters
It’s easy to get numb to Patch Tuesday bulletins, but CVE-2026-47304 demands attention because of what it breaks. Cryptographic signatures are the spine of trust in modern software—they assure us that code updates are genuine, that REST API calls haven’t been tampered with, that NuGet packages are what the author published. A flaw in the verification step is like having a lock on your door that sometimes just doesn’t engage.
Microsoft has not disclosed the specific component or API affected, which limits incident response teams from building targeted detections. Without a known pattern to hunt for, version-based remediation is the only sound strategy. The CVSS temporal metrics indicate the vulnerability was not publicly disclosed or under active exploitation at the time of release, but that window won’t stay open long. Proof-of-concept research often follows Patch Tuesday announcements, especially for bugs with such an attractive exploit profile.
Admins should also note that this is not a standalone one-time patch. The July 2026 .NET updates bundle several security and non-security improvements, so tracking them into your change management calendar is a healthy habit. Consider turning on automatic runtime updates for dev environments (e.g., using dotnet tool install -g dotnet-update) to stay current without manual intervention.
Looking Ahead
Microsoft hasn’t hinted at when deeper technical disclosure might come, but the .NET security blog often posts in-depth retrospectives after the fix has had time to propagate. Developers should watch for those deep-dives; they often include sample code, detection guidance, and impact summaries that can help fine-tune defenses.
If you haven’t patched yet, today is the day. The fix is available, the vector is reachable over a network, and the only thing standing between your systems and a signature-bypass attack is an out-of-date runtime. Update .NET, update Visual Studio, and verify your work. Then grab a coffee and check the next advisory.