Microsoft .NET Core (.NET Framework) Changelog

What's new in Microsoft .NET Core (.NET Framework) 8.0.3 Runtime

Mar 13, 2024

Notable Changes:
.NET 8.0.3 release carries security and non-security fixes.
CVE-2024-21392 | .NET Denial of Service Vulnerability:
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 8.0 . This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.
A vulnerability exists in .NET where specially crafted requests may cause a resource leak, leading to a Denial of Service
CVE-2024-26190 | Microsoft QUIC Denial of Service Vulnerability:
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 8.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A Vulnerability exist in MsQuic.dll which might result in a peer to allocate small chunks of memory as long as connection stays alive.

New in Microsoft .NET Core (.NET Framework) 8.0.2 Runtime (Feb 14, 2024)

New in Microsoft .NET Core (.NET Framework) 8.0.1 Runtime (Jan 9, 2024)

NET 8.0.1 release carries security and non-security fixes.
CVE-2024-0056 - Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data provider Information Disclosure Vulnerability:
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET's System.Data.SqlClient and Microsoft.Data.SqlClient NuGet Packages. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.
A vulnerability exists in the Microsoft.Data.SqlClient and System.Data.SqlClient SQL Data provider where an attackercan perform an AiTM (adversary-in-the-middle) attack between the SQL client and the SQL server. This may allow the attacker to steal authentication credentials intended for the database server, even if the connection is established over an encrypted channel like TLS.
CVE-2024-0057- .NET Security Feature bypass Vulnerability:
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0, .NET 7.0 and .NET 8.0 . This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.
A security feature bypass vulnerability exists when Microsoft .NET Framework-based applications use X.509 chain building APIs but do not completely validate the X.509 certificate due to a logic flaw. An attacker could present an arbitrary untrusted certificate with malformed signatures, triggering a bug in the framework. The framework will correctly report that X.509 chain building failed, but it will return an incorrect reason code for the failure. Applications which utilize this reason code to make their own chain building trust decisions may inadvertently treat this scenario as a successful chain build. This could allow an adversary to subvert the app's typical authentication logic.
CVE-2024-21319 - .NET Denial of Service Vulnerability:
Microsoft is releasing this security advisory to provide information about a vulnerability in the ASP.NET Core project templates. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.
A Denial of Service vulnerability exists in ASP.NET Core project templates which utilize JWT-based authentication tokens. This vulnerability allows an unauthenticated client to consume arbitrarily large amounts of server memory, potentially triggering an out-of-memory condition on the server and making the server no longer able to respond to legitimate requests.

New in Microsoft .NET Core (.NET Framework) 8.0.0 Runtime (Nov 16, 2023)

With this release, .NET reshapes the way we build intelligent, cloud-native applications and high-traffic services that scale on demand. Whether you’re deploying to Linux or Windows, using containers or a cloud app model of your choice, .NET 8 makes building these apps easier. It includes a set of proven libraries that are used today by the many high-scale services at Microsoft to help you with fundamental challenges around observability, resiliency, scalability, manageability, and more.
Integrate large language models (LLMs) like OpenAI’s GPT directly into your .NET app. Use a single powerful component model to handle all your web UI needs with Blazor. Deploy your mobile applications to the latest version of iOS and Android with .NET MAUI. Discover new language enhancements that make your code more concise and expressive with C# 12.
Let’s look at what’s new in .NET 8.
Unparalleled Performance – Experience the fastest .NET to date:
.NET 8 comes with thousands of performance improvements across the stack. A new code generator called Dynamic Profile-Guided Optimization (PGO) that optimizes your code based on real-world usage is enabled by default and can improve the performance of your apps up to 20%. The AVX-512 instruction set, which is now supported, enables you to perform parallel operations on 512-bit vectors of data, meaning you can process much more data in less time. The primitive types (numerical and beyond) now implement a new formattable and parsable interface, which enable them to directly format and parse as UTF-8 without any transcoding overhead.
Every year we talk about the performance gains across .NET. This year we continue our quest to push the performance of .NET to new heights. From the latest TechEmpower benchmarks with .NET 8, we’re seeing improvements in the JSON API scenario of 18%, hitting nearly one million requests per second with ASP.NET Core Minimal APIs.
The Fortunes scenario is closer to a real-world workload, including database access and server-side HTML rendering. In this test, we see an even larger improvement of 24%, now over 300K requests per second with ASP.NET Core.
.NET Aspire – An opinionated stack to build observable, production-ready cloud-native applications:
.NET Aspire is a stack for building resilient, observable, and configurable cloud-native applications with .NET. It includes a curated set of components enhanced for cloud-native by including telemetry, resilience, configuration, and health checks by default. Combined with a sophisticated but simple local developer experience, .NET Aspire makes it easy to discover, acquire, and configure essential dependencies for cloud-native applications on day 1 as well as day 100. The first preview of .NET Aspire is available today.
.NET 8 Container Enhancements – More secure, compact, and productive:
Package your applications with containers more easily and more securely than ever with .NET. Every .NET image includes a non-root user, enabling more secure containers with one-line configuration. The .NET SDK tooling publishes container images without a Dockerfile and are non-root by default. Deploy your containerized apps faster due to smaller .NET base images – including new experimental variants of our images that deliver truly minimal application sizes for native AOT. Opt-in to even more security hardening with the new Chiseled Ubuntu image variants to reduce your attack surface even further. Using Dockerfiles or SDK tooling, build apps and container images for any architecture.
Native AoT – Journey towards higher density sustainable compute:
Compile your .NET apps into native code that uses less memory and starts instantly. No need to wait for the JIT (just-in-time) compiler to compile the code at run time. No need to deploy the JIT compiler and IL code. AOT apps deploy just the code that’s needed for your app. Your app is now empowered to run in restricted environments where a JIT compiler isn’t allowed.
Artificial Intelligence – Infuse AI into your .NET applications:
Generative AI and large language models are transforming the field of AI, providing developers the ability to create unique AI-powered experiences in their applications. .NET 8 makes it simple for you to leverage AI via first-class out-of-the box AI features in the .NET SDK and seamless integration with several tools.
.NET 8 brings several enhancements to the System.Numerics library to improve its compatibility with Generative AI workloads, such as integrating Tensor Primitives. With the rise of AI-enabled apps, new tools and SDKs emerged. We collaborated with numerous internal and external partners, such as Azure OpenAI, Azure Cognitive Search, Milvus, Qdrant, and Microsoft Teams, to ensure .NET developers have easy access to various AI models, services, and platforms through their respective SDKs. Additionally, the open-source Semantic Kernel SDK simplifies the integration of these AI components into new and existing applications, to help you deliver innovative user experiences.
Various samples and reference templates, showcasing patterns and practices, are now available to make it easy for developers to get started:
Customer Chatbot
Retrieval Augmented Generation
Developing Apps using Azure AI services
Blazor – Build full stack web applications with .NET:
Blazor in .NET 8 can use both the server and client together to handle all your web UI needs. It’s full stack web UI! With several new enhancements focused towards optimizing page load time, scalability, and elevating the user experience, developers can now use Blazor Server and Blazor WebAssembly in the same app, automatically shifting users from the server to the client at run time. Your .NET code runs significantly faster on WebAssembly thanks to the new “Jiterpreter”-based runtime and new built-in components. As a part enhancing the overall authentication, authorization, and identity management in .NET 8, Blazor now supports generating a full Blazor-based Identity UI.
.NET MAUI – Elevated performance, reliability, and developer experience:
.NET MAUI provides you with a single project system and single codebase to build WinUI, Mac Catalyst, iOS, and Android applications. Native AOT (experimental) now supports targeting iOS-like platforms. A new Visual Studio Code extension for .NET MAUI gives you the tools you need to develop cross-platform .NET mobile and desktop apps. Xcode 15 and Android API 34 are now supported allowing you to target the latest version of iOS and Android. A plethora of quality improvements were made to the areas of performance, controls and UI elements, and platform-specific behavior, such as desktop interaction adding better click handling, keyboard listeners, and more.
C# 12 Features – Simplified syntax for better developer productivity:
C# 12 makes your coding experience more productive and enjoyable. You can now create primary constructors in any class and struct with a simple and elegant syntax. No more boilerplate code to initialize your fields and properties. Be delighted when creating arrays, spans, and other collection types with a concise and expressive syntax. Use new default values for parameters in lambda expressions. No more overloading or null checks to handle optional arguments. You can even use the using alias directive to alias any type, not just named types!
.NET 8 support across Visual Studio family of tools:
We have a set of great tools that help you be the most productive in your development workflow and take advantage of .NET 8 today. Released alongside .NET 8, the Visual Studio 2022 17.8 release brings support for .NET 8, C# 12 language enhancements, and various new productivity features. VS Code and C# Dev Kit is a great way to get started with .NET 8 if you’re learning and/or want to quickly kick the tires of the runtime and is available on Linux, macOS, or in GitHub Codespaces. The new GitHub Codespaces template for .NET, which comes with the .NET SDK and a set of configured extensions, is one of the fastest ways to get started with .NET 8.
Additional features in .NET 8:
ASP.NET Core. Streamlines identity for single-page applications (SPA) and Blazor providing cookie-based authentication, pre-built APIs, token support, and a new identity UI. and enhances minimal APIs with form-binding, antiforgery support to protect against cross-site request forgery (XSRF/CSRF), and asParameters support for parameter-binding with Open API definitions
ASP.NET Core tooling. Route syntax highlighting, auto-completion, and analyzers to help you create Web APIs.
Entity Framework Core. Provides new “complex types” as value objects, primitive collections, and SQL Server support for hierarchical data.
NuGet. Helps you audit your NuGet packages in projects and solutions for any known security vulnerabilities.
.NET Runtime. Brings a new AOT compilation mode for WebAssembly (WASM) and Android.
.NET SDK. Revitalizes terminal build output and production-ready defaults.
WPF. Supports OpenFolderDialog and Enabled HW Acceleration in RDP
ARM64. Significant feature enhancements and improved code quality for ARM64 platforms through collaboration with ARM engineers.
Debugging. Displays debug summaries and provides simplified debug proxies for commonly used .NET types.
System.Text.Json. Helps populate read-only members, customizes unmapped member handling, and improves Native AOT support.
.NET Community Toolkit. Accelerates building .NET libraries and applications while ensuring they are trim and AOT compatible (including the MVVM source generators!)
Azure. Supports .NET 8 with Azure’s PaaS services like App Service for Windows and Linux, Static Web Apps, Azure Functions, and Azure Container Apps.
F# 8. Includes significant language changes, new diagnostics, improvements in usability, and performance enhancements in project compilation, as well as upgrades to the FSharp.Core standard library.
What’s new in .NET 8. Check out our documentation for everything else!

New in Microsoft .NET Core (.NET Framework) 7.0.13 Runtime (Oct 24, 2023)

Notable Changes:
.NET 7.0.13 release carries security fixes.
Note: The vulnerabilities CVE-2023-36792, CVE-2023-36793, CVE-2023-36794, CVE-2023-36796 are all resolved by a single patch. Get this update to resolve all of them.
CVE-2023-36792 - .NET Remote Code Execution Vulnerability:
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in Microsoft.DiaSymReader.Native.amd64.dll when reading a corrupted PDB file which may lead to remote code execution. This issue only affects Windows systems.
CVE-2023-36793 - .NET Remote Code Execution Vulnerability:
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in Microsoft.DiaSymReader.Native.amd64.dll when reading a corrupted PDB file which may lead to remote code execution. This issue only affects Windows systems.
CVE-2023-36794 - .NET Remote Code Execution Vulnerability:
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in Microsoft.DiaSymReader.Native.amd64.dll when reading a corrupted PDB file which may lead to remote code execution. This issue only affects Windows systems.
CVE-2023-36796 - .NET Remote Code Execution Vulnerability:
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in Microsoft.DiaSymReader.Native.amd64.dll when reading a corrupted PDB file which may lead to remote code execution. This issue only affects Windows systems.
CVE-2023-36799 - .NET Denial of Service Vulnerability:
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in .NET where reading a maliciously crafted X.509 certificate may result in Denial of Service. This issue only affects Linux systems.
CVE-2023-44487 - .NET Denial of Service Vulnerability:
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 8.0 RC1, .NET 7.0 ,and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.
A vulnerability exists in the ASP.NET Core Kestrel web server where a malicious client may flood the server with specially crafted HTTP/2 requests, causing denial of service.
CVE-2023-38171 - .NET Denial of Service Vulnerability:
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 8.0 RC1. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.
A null pointer vulnerability exists in MsQuic.dll which may lead to Denial of Service. This issue only affects Windows systems.
CVE-2023-36435 - .NET Denial of Service Vulnerability:
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 8.0 RC1. This advisory also provides guidance on what developers can do to update their applications to address this vulnerability.
A memory leak vulnerability exists in MsQuic.dll which may lead to Denial of Service. This issue only affects Windows systems.

New in Microsoft .NET Core (.NET Framework) 7.0.12 Runtime (Oct 10, 2023)

New in Microsoft .NET Core (.NET Framework) 7.0.11 Runtime (Sep 13, 2023)

NET 7.0.11 release carries security fixes:
Note: The vulnerabilities CVE-2023-36792, CVE-2023-36793, CVE-2023-36792, CVE-2023-36796 are all resolved by a single patch. Get this update to resolve all of them.
CVE-2023-36792 - .NET Remote Code Execution Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in Microsoft.DiaSymReader.Native.amd64.dll when reading a corrupted PDB file which may lead to remote code execution. This issue only affects Windows systems.
CVE-2023-36793 - .NET Remote Code Execution Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in Microsoft.DiaSymReader.Native.amd64.dll when reading a corrupted PDB file which may lead to remote code execution. This issue only affects Windows systems.
CVE-2023-36794 - .NET Remote Code Execution Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in Microsoft.DiaSymReader.Native.amd64.dll when reading a corrupted PDB file which may lead to remote code execution. This issue only affects Windows systems.
CVE-2023-36796 - .NET Remote Code Execution Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in Microsoft.DiaSymReader.Native.amd64.dll when reading a corrupted PDB file which may lead to remote code execution. This issue only affects Windows systems.
CVE-2023-36799 - .NET Denial of Service Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in .NET where reading a maliciously crafted X.509 certificate may result in Denial of Service. This issue only affects Linux systems.
Additional fixes in this release:
SDK - [Containers] validate that the normalized repository name is a meaningful name
Runtime

New in Microsoft .NET Core (.NET Framework) 8.0.0 Preview 7 Runtime / 8.0.100 Preview 7 SDK (Aug 15, 2023)

EntityFramework Core:
Bugs:
Bug/annying breaking change in EF Core 8 scaffolding
EF Core 6 and newer scaffolding skips foreign keys on tables with multiple references
Binary breaking changes in NavigationEntry in EF Core 8.0
Query/Json: data corruption for tracking queries with nested json entities, then updating nested entities outside EF and re-querying
Race condition in VB tests
Features:
Documentation: Update code snippets in README files with using declarations (without braces)
Optimized translation for indexing of JSON primitive collections
Implement JSON serialization/deserialization via Utf8JsonReader/Utf8JsonWriter
How to do a missing migration check in CI
Update pattern for scaffolding column default constraints
.NET SDK:
Should APICompat PackageValidation's EnableStrictModeForCompatibleTfms default to true? Area-ApiCompat
Downlevel wasm tests fail on net60x runtime pack download Area-Workloads Known Build Error
NET SDK first run experience should be OS-specific Area-NetSDK
GenAPI cannot decode records when reading from metadata Area-GenAPI
80 preview 3] NuGet package validation fails when UseArtifactsOutput=true Area-ApiCompat untriaged
Add support for --disable-build-servers to more MSBuild-driven commands Area-CLI
NETSDKE2E][VS64]On VS 176 preview 3 which carries NET 8 preview 2 sdk, installing maui template failed with error "Workload ID maui is not recognized" Area-Workloads
GenAPI] Add unsafe keyword if the calls of the base constructor is unsafe Area-GenAPI untriaged
Enable using docker build --platform switch (easily) Area-NetSDK good first issue help wanted User Story
Enable dotnet SDK to support targeting iOS with NativeAOT Area-NativeAOT
tasks done
Disable inclusion of IIS hosting assets (ANCM & webconfig) in publish output when PublishNativeAot=true Area-NativeAOT Area-WebSDK
dotnet-watch tool missing in SDK Area-Watch Bug
Single file is broken in NET 8 area-Single-File
GenAPI] Support the msbuild task to run on NET Framework Area-GenAPI
PublishAot warning with net80 Area-NativeAOT
MicrosoftDotNetCompatibilityValidatePackage task throws exception if PackageVersion has build metadata Area-ApiCompat
EnablePackageValidation reports CP1003 when multitargeting windows lib Area-ApiCompat Bug
API Compat implements functionality for checking internal API but does not expose it Area-ApiCompat
Trying to build with PublishAot=true on Mac ARM results in restore failure Area-NativeAOT
Remove obsolete suppressions when re-generating suppression files Area-ApiCompat
Test MicrosoftNETPublishTestsGivenThatWeWantToPublishAClickOnceProjectPublishClickOnceWithPublishProfile failed in CI Area-Infrastructure
Enable workloads on arm64 Area-Workloads Epic of 14 tasks
PublishRelease with t:publish, and Publishing as Release by Default Area-NetSDK Cost:M Priority:2 untriaged of 5 tasks
API Compat] add triple slash comments on all rules Area-ApiCompat
Users can build and publish container images for their applications natively Area-NetSDK User Story

New in Microsoft .NET Core (.NET Framework) 7.0.10 Runtime (Aug 9, 2023)

New in Microsoft .NET Core (.NET Framework) 6.0.19 Runtime LTS / 6.0.411 SDK LTS (Jun 23, 2023)

New in Microsoft .NET Core (.NET Framework) 7.0.7 Runtime (Jun 14, 2023)

.NET 7.0.7 release carries security fixes:
CVE-2023-24895 - .NET Remote Code Execution Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in how WPF for .NET handles certain XAML Frame elements which may result in remote code execution.
CVE-2023-24897 - .NET Remote Code Execution Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in how .NET reads debugging symbols, where reading a malicious symbols file may result in remote code execution.
CVE-2023-24936 - .NET Elevation of Privilege Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in .NET when deserializing a DataSet or DataTable from XML which may result in elevation of privileges.
CVE-2023-29331 - .NET Denial of Service Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in .NET when processing X.509 certificates that may result in Denial of Service.
CVE-2023-29337 - NuGet Client Remote Code Execution Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET and NuGet on Linux. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in nuget where a potential race condition that can lead to a symlink attack
CVE-2023-32032 - .NET Denial of Service Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in .NET using extracting the contents of a Tar file which may result in elevation of privileges.
CVE-2023-33126 - .NET Denial of Service Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in .NET during crash and stack trace scenarios that could lead to loading arbitrary binaries.
CVE-2023-33128 - .NET Denial of Service Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in .NET source generator for P/Invokes that can lead to generated code freeing uninitialized memory and crashing.
CVE-2023-33135 - .NET Denial of Service Vulnerability
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 7.0 and .NET 6.0. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
A vulnerability exists in the .NET SDK during tool restore which can lead to an elevation of privilege.
Additional fixes in this release:
ASPNET
Efcore
Runtime
Winforms
Visual Studio Compatibility:
You need Visual Studio 17.4 or later to use .NET 7.0 on Windows. On macOS, you need the latest version of Visual Studio for Mac. The C# extension for Visual Studio Code supports .NET 7.0 and C# 11.

New in Microsoft .NET Core (.NET Framework) 7.0.5 Runtime (Apr 11, 2023)

New in Microsoft .NET Core (.NET Framework) 6.0.15 Runtime LTS / 6.0.407 SDK LTS (Mar 15, 2023)

New in Microsoft .NET Core (.NET Framework) 7.0.2 Runtime / 7.0.102 SDK (Jan 11, 2023)

New in Microsoft .NET Core (.NET Framework) 7.0.0 Runtime / 7.0.100 SDK (Nov 9, 2022)

.NET 7 is the successor to .NET 6 and focuses on being unified, modern, simple, and fast. .NET 7 will be supported for 18 months as a standard-term support (STS) release (previously known as a current release).
This article lists the new features of .NET 7 and provides links to more detailed information on each.
Performance:
Performance is a key focus of .NET 7, and all of its features are designed with performance in mind. In addition, .NET 7 includes the following enhancements aimed purely at performance:
On-stack replacement (OSR) is a complement to tiered compilation. It allows the runtime to change the code executed by a currently running method in the middle of its execution (that is, while it's "on stack"). Long-running methods can switch to more optimized versions mid-execution.
Profile-guided optimization (PGO) now works with OSR and is easier to enable (by adding <TieredPGO>true</TieredPGO> to your project file). PGO can also instrument and optimize additional things, such as delegates.
Improved code generation for Arm64.
Native AOT produces a standalone executable in the target platform's file format with no external dependencies. It's entirely native, with no IL or JIT, and provides fast startup time and a small, self-contained deployment. In .NET 7, Native AOT focuses on console apps and requires apps to be trimmed.
Performance improvements to the Mono runtime, which powers Blazor WebAssembly, Android, and iOS apps.
System.Text.Json serialization:
.NET 7 includes improvements to System.Text.Json serialization in the following areas:
Contract customization gives you more control over how types are serialized and deserialized. For more information, see Customize a JSON contract.
Polymorphic serialization for user-defined type hierarchies. For more information, see Serialize properties of derived classes.
Support for required members, which are properties that must be present in the JSON payload for deserialization to succeed. For more information, see Required properties.
For information about these and other updates, see the What's new in System.Text.Json in .NET 7 blog post.
Generic math:
.NET 7 and C# 11 include innovations that allow you to perform mathematical operations generically—that is, without having to know the exact type you're working with. For example, if you wanted to write a method that adds two numbers, previously you had to add an overload of the method for each type. Now you can write a single, generic method, where the type parameter is constrained to be a number-like type. For more information, see the Generic math article and the Generic math blog post.
Regular expressions:
.NET's regular expression library has seen significant functional and performance improvements in .NET 7:
The new option RegexOptions.NonBacktracking enables matching using an approach that avoids backtracking and guarantees linear-time processing in the length of the input. The nonbacktracking engine can't be used in a right-to-left search and a has a few other restrictions, but is fast for all regular expressions and inputs.
Regular expression source generators are new. Source generators build an engine that's optimized for your pattern at compile time, providing throughput performance benefits. The source that's emitted is part of your project, so you can view and debug it. In addition, a new source-generator diagnostic SYSLIB1045 alerts you to places you use Regex that could be converted to the source generator. For more information, see .NET regular expression source generators.
For case-insensitive searches, .NET 7 includes large performance gains. The gains come because specifying RegexOptions.IgnoreCase no longer calls ToLower on each character in the pattern and on each character in the input. Instead, all casing-related work is done when the Regex is constructed.
Observability:
.NET 7 makes improvements to observability. Observability helps you understand the state of your app as it scales and as the technical complexity increases. .NET's observability implementation is primarily built around OpenTelemetry. Improvements include:
The new Activity.CurrentChanged event, which you can use to detect when the span context of a managed thread changes.
New, performant enumerator methods for Activity properties: EnumerateTagObjects(), EnumerateLinks(), and EnumerateEvents().
For more information, see the .NET 7 Preview 4 blog post.
.NET SDK:
The .NET 7 SDK improves the CLI template experience. It also enables publishing to containers, and central package management with NuGet.
Templates:
Some welcome improvements have been made to the dotnet new command and to template authoring.
Regex now supports spans for some APIs. The following new methods have been added as part of this support:
Regex.EnumerateMatches
Regex.Count
Regex.IsMatch(ReadOnlySpan<Char>) (and a few other overloads)
For more information about these and other improvements, see the Regular expression improvements in .NET 7 blog post.
.NET libraries:
Many improvements have been made to .NET library APIs. Some are mentioned in other, dedicated sections of this article.
dotnet new:
The dotnet new CLI command, which creates a new project, configuration file, or solution based on a template, now supports tab completion for exploring:
Available template names
Template options
Allowable option values
In addition, for better conformity, the install, uninstall, search, list, and update subcommands no longer have the -- prefix.
Authoring:
Template constraints, a new concept for .NET 7, let you define the context in which your templates are allowed. Constraints help the template engine determine which templates it should show in commands like dotnet new list. You can constrain your template to an operating system, a template engine host (for example, the .NET CLI or New Project dialog in Visual Studio), and an installed workload. You define constraints in your template's configuration file.
Also in the template configuration file, you can now annotate a template parameter as allowing multiple values. For example, the web template allows multiple forms of authentication
Publish to a container:
Containers are one of the easiest ways to distribute and run a wide variety of applications and services in the cloud. Container images are now a supported output type of the .NET SDK, and you can create containerized versions of your applications using dotnet publish. For more information about the feature, see Announcing built-in container support for the .NET SDK. For a tutorial, see Containerize a .NET app with dotnet publish.
Central package management:
You can now manage common dependencies in your projects from one location using NuGet's central package management (CPM) feature. To enable it, you add a Directory.Packages.props file to the root of your repository. In this file, set the MSBuild property ManagePackageVersionsCentrally to true and add versions for common package dependency using PackageVersion items. Then, in the individual project files, you can omit Version attributes from any PackageReference items that refer to centrally managed packages.
For more information, see Central package management.
P/Invoke source generation:
.NET 7 introduces a source generator for platform invokes (P/Invokes) in C#. The source generator looks for LibraryImportAttribute on static, partial methods to trigger compile-time source generation of marshalling code. By generating the marshalling code at compile time, no IL stub needs to be generated at run time, as it does when using DllImportAttribute. The source generator improves application performance and also allows the app to be ahead-of-time (AOT) compiled. For more information, see Source generation for platform invokes and Use custom marshallers in source-generated P/Invokes.

New in Microsoft .NET Core (.NET Framework) 7.0.0 RC 1 Runtime / 7.0.100 RC 1 SDK (Sep 15, 2022)

New in Microsoft .NET Core (.NET Framework) 7.0.0 Preview 5 Runtime / 7.0.100 Preview 5 SDK (Jun 15, 2022)

New in Microsoft .NET Core (.NET Framework) 7.0.0 Preview 3 Runtime / 7.0.100 Preview 3 SDK (Apr 14, 2022)

New in Microsoft .NET Core (.NET Framework) 6.0.4 Runtime LTS / 6.0.202 SDK LTS (Apr 13, 2022)

New in Microsoft .NET Core (.NET Framework) 6.0.1 Runtime LTS (Dec 16, 2021)

.NET Multi-Platform App UI (MAUI) Preview Workload Downloads:
.NET 6 introduces Android, iOS, and macOS SDKs for developing native applications. These provide the foundational mobile and desktop pieces for the new .NET MAUI. See documentation for additional setup instructions and creating your first .NET MAUI application.
Windows SDK Updates:
.NET SDK 6.0.101 includes several fixes to the Windows SDK targeting packages produced by C#/WinRT 1.4.1.
Docker Images:
The .NET Docker images have been updated for this release. The .NET Docker samples show various ways to use .NET and Docker together. You can use the following command to try running the latest .NET 6.0 release in containers: docker run --rm mcr.microsoft.com/dotnet/samples
The following repos have been updated:
dotnet/sdk: .NET SDK
dotnet/aspnet: ASP.NET Core Runtime
dotnet/runtime: .NET Runtime
dotnet/runtime-deps: .NET Runtime Dependencies
dotnet/samples: .NET Samples
Notable Changes
Microsoft Security Advisory CVE-2021-43877 | ASP.NET Core Elevation of privilege Vulnerability
Executive summary
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET and .NET Core. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
An elevation of privilege vulnerability exists in ASP.NET Core Module (ANCM) that could allow elevation of privilege when .NET Core, .NET 5 and .NET 6 applications are hosted within IIS.
Deployment Update:
Customers that have opted to receive .NET Core updates via the Microsoft Update channel will be offered updates to the Hosting Bundle starting with the December 2021 update. Updates for other .NET Core bundles (.NET Core Runtime, ASP.NET Core Runtime, Windows Desktop Runtime, and SDK) have been offered via Microsoft Update to customers that opt in since December 2020. See this blog post for more information.
Visual Studio Compatibility:
You need Visual Studio 17.0 or later to use .NET 6.0 on Windows. On macOS, you need the latest version of Visual Studio for Mac. The C# extension for Visual Studio Code supports .NET 6.0 and C# 10.0.
Known Issue:
There have been limited reports of a failure to install the update via Microsoft Update on Windows 11. The update fails with error code 0x80070643. A workaround is to install the package that is failing manually by downloading it from the .NET 6.0.101 x64 SDK download site, then scanning again. This issue is tracked on dotnet/issue#7044.

New in Microsoft .NET Core (.NET Framework) 6.0.0 Runtime (Nov 9, 2021)

.NET 6 delivers the final parts of the .NET unification plan that started with .NET 5. .NET 6 unifies the SDK, base libraries, and runtime across mobile, desktop, IoT, and cloud apps. In addition to this unification, the .NET 6 ecosystem offers:
Simplified development: Getting started is easy. New language features in C# 10 reduce the amount of code you need to write. And investments in the web stack and minimal APIs make it easy to quickly write smaller, faster microservices.
Better performance: .NET 6 is the fastest full stack web framework, which lowers compute costs if you're running in the cloud.
Ultimate productivity: .NET 6 and Visual Studio 2022 provide hot reload, new git tooling, intelligent code editing, robust diagnostics and testing tools, and better team collaboration.
.NET 6 will be supported for three years as a long-term support (LTS) release.
Preview features are disabled by default. They are also not supported for use in production and may be removed in a future version. The new RequiresPreviewFeaturesAttribute is used to annotate preview APIs, and a corresponding analyzer alerts you if you're using these preview APIs.
.NET 6 is supported by Visual Studio 2022 and Visual Studio 2022 for Mac (and later versions).
Performance:
.NET 6 includes numerous performance improvements. This section lists some of the improvements. For detailed information, see the Performance improvements in .NET 6 blog post.
FileStream:
The System.IO.FileStream type has been rewritten for .NET 6 to provide better performance and reliability on Windows. Now, FileStream never blocks when created for asynchronous I/O on Windows. For more information, see the File IO improvements in .NET 6 blog post.
Profile-guided optimization:
Profile-guided optimization (PGO) is where the JIT compiler generates optimized code in terms of the types and code paths that are most frequently used. .NET 6 introduces dynamic PGO. Dynamic PGO works hand-in-hand with tiered compilation to further optimize code based on additional instrumentation that's put in place during tier 0. Dynamic PGO is disabled by default, but you can enable it with the DOTNET_TieredPGO environment variable. For more information, see JIT performance improvements.
Crossgen2:
.NET 6 introduces Crossgen2, the successor to Crossgen, which has been removed. Crossgen and Crossgen2 are tools that provide ahead-of-time (AOT) compilation to improve the startup time of an app. Crossgen2 is written in C# instead of C++, and can perform analysis and optimization that weren't possible with the previous version. For more information, see Conversation about Crossgen2.
Arm64 support:
The .NET 6 release includes support for macOS Arm64 (or "Apple Silicon") and Windows Arm64 operating systems, for both native Arm64 execution and x64 emulation. In addition, the x64 and Arm64 .NET installers now install side by side. For more information, see .NET Support for macOS 11 and Windows 11 for Arm64 and x64.
Hot reload:
Hot reload is a feature that lets you modify your app's source code and instantly apply those changes to your running app. The feature's purpose is to increase your productivity by avoiding app restarts between edits. Hot reload is available in Visual Studio 2022 and the dotnet watch command-line tool. Hot reload works with most types of .NET apps, and for C#, Visual Basic, and C++ source code. For more information, see the Hot reload blog post.
.NET MAUI:
.NET Multi-platform App UI (.NET MAUI) is still in preview, with a release candidate coming in the first quarter of 2022 and general availability (GA) in the second quarter of 2022. .NET MAUI makes it possible to build native client apps for desktop and mobile operating systems with a single codebase. For more information, see the Update on .NET Multi-platform App UI blog post.
C# 10 and templates:
C# 10 includes innovations such as global using directives, file-scoped namespace declarations, and record structs. For more information, see What's new in C# 10.
In concert with that work, the .NET SDK project templates for C# have been modernized to use some of the new language features:
async Main method
Top-level statements
Target-typed new expressions
Implicit global using directives
File-scoped namespaces
Nullable reference types
By adding these new language features to the project templates, new code starts with the features enabled. However, existing code isn't affected when you upgrade to .NET 6. For more information about these template changes, see the .NET SDK: C# project templates modernized blog post.
F# and Visual Basic:
F# 6 adds several improvements to the F# language and F# Interactive. For more information, see What's new in F# 6.
Visual Basic has improvements in the Visual Studio experience and Windows Forms project startup.
SDK Workloads:
To keep the size of the .NET SDK smaller, some components have been placed in new, optional SDK workloads. These components include .NET MAUI and Blazor WebAssembly AOT. If you use Visual Studio, it will take care of installing any SDK workloads that you need. If you use the .NET CLI, you can manage workloads using the new dotnet workload commands
System.Text.Json APIs:
Many improvements have been made in System.Text.Json in .NET 6, such that it is now an "industrial strength" serialization solution.
Source generator:
.NET 6 adds a new source generator for System.Text.Json. Source generation works with JsonSerializer and can be configured in multiple ways. It can improve performance, reduce memory usage, and facilitate assembly trimming. For more information, see How to choose reflection or source generation in System.Text.Json and How to use source generation in System.Text.Json.
Writeable DOM:
A new, writeable document object model (DOM) has been added, which supplements the pre-existing read-only DOM. The new API provides a lightweight serialization alternative for cases when use of plain old CLR object (POCO) types isn't possible. It also allows you to efficiently navigate to a subsection of a large JSON tree and read an array or deserialize a POCO from that subsection. The following new types have been added to support the writeable DOM:
JsonNode
JsonArray
JsonObject
JsonValue
For more information, see JSON DOM choices.
IAsyncEnumerable serialization:
System.Text.Json now supports serialization and deserialization with IAsyncEnumerable<T> instances. Asynchronous serialization methods enumerate any IAsyncEnumerable<T> instances in an object graph and then serialize them as JSON arrays. For deserialization, the new method JsonSerializer.DeserializeAsyncEnumerable<TValue>(Stream, JsonSerializerOptions, CancellationToken) was added. For more information, see IAsyncEnumerable serialization.
Other new APIs:
New serialization interfaces for validation and defaulting values:
IJsonOnDeserialized
IJsonOnDeserializing
IJsonOnSerialized
IJsonOnSerializing
For more information, see Callbacks.
New property ordering attribute:
JsonPropertyOrderAttribute
For more information, see Configure the order of serialized properties.
New method to write "raw" JSON:
Utf8JsonWriter.WriteRawValue
For more information, see Write Raw JSON.
Synchronous serialization and deserialization to a stream:
JsonSerializer.Deserialize(Stream, Type, JsonSerializerOptions)
JsonSerializer.Deserialize(Stream, Type, JsonSerializerContext)
JsonSerializer.Deserialize<TValue>(Stream, JsonSerializerOptions)
JsonSerializer.Deserialize<TValue>(Stream, JsonTypeInfo<TValue>)
JsonSerializer.Serialize(Stream, Object, Type, JsonSerializerOptions)
JsonSerializer.Serialize(Stream, Object, Type, JsonSerializerContext)
JsonSerializer.Serialize<TValue>(Stream, TValue, JsonSerializerOptions)
JsonSerializer.Serialize<TValue>(Stream, TValue, JsonTypeInfo<TValue>)
New option to ignore an object when a reference cycle is detected during serialization:
ReferenceHandler.IgnoreCycles:
For more information, see Ignore circular references.
For more information about serializing and deserializing with System.Text.Json, see JSON serialization and deserialization in .NET.
HTTP/3:
.NET 6 includes preview support for HTTP/3, a new version of HTTP. HTTP/3 solves some existing functional and performance challenges by using a new underlying connection protocol called QUIC. QUIC establishes connections more quickly, and connections are independent of the IP address, allowing mobile clients to roam between Wi-fi and cellular networks. For more information, see Use HTTP/3 with HttpClient.
ASP.NET Core:
ASP.NET Core includes improvements in minimal APIs, ahead-of-time (AOT) compilation for Blazor WebAssembly apps, and single-page apps. In addition, Blazor?components can now be rendered from JavaScript and integrated with existing JavaScript based apps.
OpenTelemetry:
.NET 6 brings improved support for OpenTelemetry, which is a collection of tools, APIs, and SDKs that help you analyze your software's performance and behavior. APIs in the System.Diagnostics.Metrics namespace implement the OpenTelemetry Metrics API specification. For example, there are four instrument classes to support different metrics scenarios. The instrument classes are:
Counter<T>
Histogram<T>
ObservableCounter<T>
ObservableGauge<T>
Security:
.NET 6 adds preview support for two key security mitigations: Control-flow Enforcement Technology (CET) and "write exclusive execute" (W^X).
CET is an Intel technology available in some newer Intel and AMD processors. It adds capabilities to the hardware that protect against some control-flow hijacking attacks. .NET 6 provides support for CET for Windows x64 apps, and you must explicitly enable it. For more information, see .NET 6 compatibility with Intel CET shadow stacks.
W^X is available all operating systems with .NET 6 but only enabled by default on Apple Silicon. W^X blocks the simplest attack path by disallowing memory pages to be writeable and executable at the same time.
IL trimming:
Trimming of self-contained deployments is improved. In .NET 5, only unused assemblies were trimmed. .NET 6 adds trimming of unused types and members too. In addition, trim warnings, which alert you to places where trimming may remove code that's used at run time, are now enabled by default. For more information, see Trim self-contained deployments and executables.
Code analysis:
The .NET 6 SDK includes a handful of new code analyzers that concern API compatibility, platform compatibility, trimming safety, use of span in string concatenation and splitting, faster string APIs, and faster collection APIs. For a full list of new (and removed) analyzers, see Analyzer releases - .NET 6.
Custom platform guards:
The Platform compatibility analyzer recognizes the Is<Platform> methods in the OperatingSystem class, for example, OperatingSystem.IsWindows(), as platform guards. To allow for custom platform guards, .NET 6 introduces two new attributes that you can use to annotate fields, properties, or methods with a supported or unsupported platform name:
SupportedOSPlatformGuardAttribute
UnsupportedOSPlatformGuardAttribute
Windows Forms
Application.SetDefaultFont(Font) is a new method in .NET 6 that sets the default font across your application.
The templates for C# Windows Forms apps have been updated to support global using directives, file-scoped namespaces, and nullable reference types. In addition, they include application bootstrap code, which reduces boilerplate code and allows the Windows Forms designer to render the design surface in the preferred font. The bootstrap code is a call to ApplicationConfiguration.Initialize(), which is a source-generated method that emits calls to other configuration methods, such as Application.EnableVisualStyles(). Additionally, if you set a non-default font via the ApplicationDefaultFont MSBuild property, ApplicationConfiguration.Initialize() emits a call to SetDefaultFont(Font).
For more information, see the What's new in Windows Forms blog post.
Source build:
The source tarball, which contains all the source for the .NET SDK, is now a product of the .NET SDK build. Other organizations, such as Red Hat, can build their own version of the SDK using this source tarball.
Target framework monikers:
Additional OS-specific target framework monikers (TFMs) have been added for .NET 6, for example, net6.0-android, net6.0-ios, and net6.0-macos. For more information, see .NET 5+ OS-specific TFMs.
Generic math:
In preview is the ability to use operators on generic types in .NET 6. .NET 6 introduces numerous interfaces that make use of C# 10's new preview feature, static abstract interface members. These interfaces correspond to different operators, for example, IAdditionOperators represents the + operator. The interfaces are available in the System.Runtime.Experimental NuGet package. For more information, see the Generic math blog post.
NuGet package validation:
If you're a NuGet library developer, new package-validation tooling enables you to validate that your packages are consistent and well-formed. You can determine if:
There are any breaking changes across package versions.
The package has the same set of publics APIs for all runtime-specific implementations.
There are any gaps for target-framework or runtime applicability.
For more information, see the Package Validation blog post.
Reflection APIs:
.NET 6 introduces the following new APIs that inspect code and provide nullability information:
System.Reflection.NullabilityInfo
System.Reflection.NullabilityInfoContext
System.Reflection.NullabilityState
These APIs are useful for reflection-based tools and serializers.
Microsoft.Extensions APIs:
Several extensions namespaces have improvements in .NET 6
New LINQ APIs:
Numerous LINQ methods have been added in .NET 6. Most of the new methods listed in the following table have equivalent methods in the System.Linq.Queryable type.
Date, time, and time zone improvements:
The following two structs were added in .NET 6: System.DateOnly and System.TimeOnly. These represent the date part and the time part of a DateTime, respectively. DateOnly is useful for birthdays and anniversaries, and TimeOnly is useful for daily alarms and weekly business hours.
You can now use either Internet Assigned Numbers Authority (IANA) or Windows time zone IDs on any operating system that has time zone data installed. The TimeZoneInfo.FindSystemTimeZoneById(String) method has been updated to automatically convert its input from a Windows time zone to an IANA time zone (or vice versa) if the requested time zone is not found on the system. In addition, the new methods TryConvertIanaIdToWindowsId(String, String) and TryConvertWindowsIdToIanaId have been added for scenarios when you still need to manually convert from one time zone format to another.
There are a few other time zone improvements as well. For more information, see Date, Time, and Time Zone Enhancements in .NET 6.
PriorityQueue class:
The new PriorityQueue<TElement,TPriority> class represents a collection of items that have both a value and a priority. Items are dequeued in increasing priority order—that is, the item with the lowest priority value is dequeued first. This class implements a min heap data structure.

New in Microsoft .NET Core (.NET Framework) 5.0.10 Runtime (Sep 15, 2021)

New in Microsoft .NET Core (.NET Framework) 5.0.8 Runtime (Jul 14, 2021)

New in Microsoft .NET Core (.NET Framework) 5.0.7 Runtime / 3.1.16 Runtime LTS (Jun 9, 2021)

New in Microsoft .NET Core (.NET Framework) 3.1.15 Runtime LTS (May 12, 2021)

New in Microsoft .NET Core (.NET Framework) 5.0.5 Runtime (Apr 9, 2021)

New in Microsoft .NET Core (.NET Framework) 3.1.12 Runtime LTS (Feb 10, 2021)

New in Microsoft .NET Core (.NET Framework) 5.0.3 Runtime (Feb 10, 2021)

New in Microsoft .NET Core (.NET Framework) 3.1.2 Runtime (Feb 18, 2020)

New in Microsoft .NET Core (.NET Framework) 3.1.1 Runtime (Jan 16, 2020)

Changes in 3.1.1:
CVE-2020-0602: ASP.NET Core Denial of Service Vulnerability"
Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
Microsoft is aware of a denial of service vulnerability exists when ASP.NET Core improperly handles web requests. An attacker who successfully exploited this vulnerability could cause a denial of service against an ASP.NET Core web application. The vulnerability can be exploited remotely, without authentication.
A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the ASP.NET Core application.
The update addresses the vulnerability by correcting how the ASP.NET Core web application handles web requests.
CVE-2020-0603: ASP.NET Core Remote Code Execution Vulnerability:
Microsoft is releasing this security advisory to provide information about a vulnerability in ASP.NET Core. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
Microsoft is aware of a remote code execution vulnerability exists in ASP.NET Core software when the software fails to handle objects in memory. An attacker who successfully exploited this vulnerability could cause a denial of service against an ASP.NET Core web application. The vulnerability can be exploited remotely, without authentication.
A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to the ASP.NET Core application.
The update addresses the vulnerability by correcting how the ASP.NET Core web application handles in memory.
CVE-2020-0605: .NET Core Remote Code Execution Vulnerability:
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
Microsoft is aware of a remote code execution vulnerability exists in .NET software when the software fails to check the source markup of a file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.
Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of .NET Core. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.
The security update addresses the vulnerability by correcting how .NET Core checks the source markup of a file.
CVE-2020-0606: .NET Core Remote Code Execution Vulnerability:
Microsoft is releasing this security advisory to provide information about a vulnerability in .NET Core. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.
Microsoft is aware of a remote code execution vulnerability exists in .NET software when the software fails to check the source markup of a file. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user.
Exploitation of the vulnerability requires that a user open a specially crafted file with an affected version of .NET Core. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file.
The security update addresses the vulnerability by correcting how .NET Core checks the source markup of a file.

New in Microsoft .NET Core (.NET Framework) 3.0.1 Runtime (Dec 3, 2019)

New in Microsoft .NET Core (.NET Framework) 3.0.0 Runtime Preview 7 / 3.0.100 SDK Preview 7 (Jul 23, 2019)

New in Microsoft .NET Core (.NET Framework) 2.2.6 Runtime (Jul 9, 2019)

New in Microsoft .NET Core (.NET Framework) 3.0.0 Runtime Preview 5 (May 15, 2019)

New in Microsoft .NET Core (.NET Framework) 3.0.0 Runtime Preview 4 (Apr 19, 2019)

New in Microsoft .NET Core (.NET Framework) 2.2.3 Runtime (Mar 12, 2019)

New in Microsoft .NET Core (.NET Framework) 3.0.0 Runtime Preview 3 (Mar 8, 2019)

New in Microsoft .NET Core (.NET Framework) 3.0.0 Runtime Preview 2 / 3.0.100 SDK Preview 2 (Jan 29, 2019)

New in Microsoft .NET Core (.NET Framework) 2.2.0 Runtime Preview 3 (Oct 31, 2018)

New in Microsoft .NET Core (.NET Framework) 2.2.0 Runtime Preview 1 / 2.2.100 SDK Preview 1 (Aug 23, 2018)

New in Microsoft .NET Core (.NET Framework) 2.1.3 Runtime (Aug 22, 2018)

CoreCLR:
[c1c7291] Skip old time zones adjustments with offsets higher than 14h (#18305) (#18874)
[0a04fd0] Port the fix for Issue 17969 to Rel/2.1
[aa00dad] JIT: Fix bug in finally cloning caused by unsound callfinally reordering
[373b10e] Fix SpanHelpers.ClearWithoutReferences alignment detection (#18222)
[2b283f3] Optimize Array.Clear using SpanHelpers (#18101)
[1cebf4d] Allow ILCodeVersion to fallback to default IL (#18502)(#18602)(#18448)
[5b4773e] AssemblyName parsing with unicode/emoji crashes (#18309)
[d644d8a] Fix handling of generating relative path to parent (#18460)
[1352638] mach_absolute_time as the primary clock source on macOS (corefx#30391) (#18505) (#18526)
CoreFX:
[6c6b536] Update runtime IDs for new RHEL/OL/Fedora releases
[754664c] Default generateversionsource to true (#31197)
[8f34b49] Fix handle double-free in recently added WindowsIdentity test (#30731) (#30977)
[ffa1879] Add Tizen 5.0 RID for NETCoreApp (#30888)
[87b79bd] Fix compilation for deprecated API on macOS Mojave preview (#30716) (#30744)
[8f71a67] Add missing RIDs for Tizen (#30640)
[28506b2] fix dereferencing uninitialized byte array in case recv() fails (#30312) (#30676)
[59b1d9a] Port 'Delay console CPR timer once protocol has worked' to 2.1 (#30789)
[a844c92] Port 'Delay console CPR timer once protocol has worked' to 2.1 (#30759)
[fd29f78] Make directory enumeration consistent (#29908) (#30002)
[dbf45ed] [release/2.1] Port Microsoft.Windows.Compatibility.Shims fix (#30522)
[f4457ef] Fix SignedCms handling of negative certificate serial numbers. (#30381)
[be49d38] Fix WinHttpHandler when using authenticating proxies (#30212)
[09be1e9] Fix SocketsHttpHandler for Windows auth proxy CONNECT tunneling (#30478) (#30516)
[6fb3c06] Fix Expect: 100-continue handling when no request content (#30102) (#30112)
[d1dafb3] Make the Linux TLS hostname comparison be case-insensitive (#30553)
[ee567f3] Clarify output size handling (#30534)
[4e6ec97] Ensure X509Chain can succeed when the end cert has an empty subject (#30427)
[6ac8b2a] [release/2.1] Duplicate the access token passed to WindowsIdentity.RunImpersonated (#30346) (#30379)
[cf7e0a0] Fix creating subdirectories under directories with trailing separators (#30293)
[5ae4912] Skip certificates we can't read when populating machine store. (#29973) (#30155)
[1e02c55] Fix BrotliStream decoding buffer handling (#30058) (#30066)
[97c6116] Ensure SocketsHttpHandler sends known verbs uppercased (#30149) (#30370)
[8258357] mach_absolute_time as the primary clock source on macOS (#30459)
[c6f4eb6] Fix WebSocket server split header parsing with large payload (#30402) (#30407)
[501d570] Ensure we restore System.Reflection.TypeExtensions/4.4.0
[f37cdb7] Version System.Reflection.TypeExtensions package and build it
[1f5beec] SignedCms: Improve NetFx compat for SignedCms wrapping EnvelopedCms
[767d4aa] Fix EnvelopedCms incompatibilities between Unix and Windows
[3700c5b] Update to a xUnit Performance Api that has a bigger Etw buffer size. … (#30328)
[6b38470] Use _SC_NPROCESSORS_CONF instead of _SC_NPROCESSORS_ONLN in Unix_ProcessorCountTest on ARM/ARM64 (#30132)
ASP.NET Core:
aspnet/Caching#396 Update StackExchange.Redis.StrongName
aspnet/EntityFrameworkCore#12107 Migrations: multiple references to the same owned type carries into subsequent migrations
aspnet/EntityFrameworkCore#12180 Invalid column name: orderby uses a column alias that does not exist
aspnet/EntityFrameworkCore#12203 2.1.0 can't do Value Conversions on complex IEnumerable types like JObject (newtonsoft)
aspnet/EntityFrameworkCore#12214 In-Memory concurrency check is not doing a sequence check when using a byte array type
aspnet/EntityFrameworkCore#12227 InvalidOperationException while adding or retrieving object graph
aspnet/EntityFrameworkCore#12280 Projection query throws InvalidCastException trying to convert Int32 to Boolean
aspnet/EntityFrameworkCore#12290 Value Conversion of custom struct type throws exception if it doesn't implement == and = operators
aspnet/EntityFrameworkCore#12314 SumAsync throw Exception when used over float?
aspnet/EntityFrameworkCore#12351 Incorrect SQL generated for Count over Group By
aspnet/EntityFrameworkCore#12412 Null checking in anonymous projection throws InvalidOperationException
aspnet/EntityFrameworkCore#12557 InvalidCastException when casting to/from enum in query
aspnet/Home#3286 the ASP.NET Core runtime installer does not delete files on uninstall
aspnet/Identity#1866 ActivePage declarations missing on scaffolded Identity UI
aspnet/KestrelHttpServer#2636 Consistently handle connection aborts
aspnet/KestrelHttpServer#2638 MemoryPoolBlock.Dispose can throw and ODE during server shutdown leading to an error log from the Socket Transport
aspnet/Mvc#7875 ProducesResponseType doesn't infer the type from ActionResult
aspnet/Mvc#7959 Conventional routing with custom templates not working when you have area attributes
aspnet/Mvc#7968 Validation occurs against declared type rather than real type
aspnet/Mvc#7969 Razor runtime compilation produces errors if running on a shared runtime that's rolled forward
aspnet/Mvc#7970 BindingSource for IEnumerable ApiController parameters on is incorrectly inferred as FromBody
aspnet/Razor#2384 Copy-pasting an item in a Razor Class Library project adds junk to the project file
aspnet/Razor#2406 -Having whitespace in username makes Razor builds slower
aspnet/Razor#2407 Razor compilation gives error CS2017: Cannot specify /main if building a module or library
aspnet/Security#1788 Role/claim changes in identity aren't persisted into the auth cookie
aspnet/Security#1809 SaveTokens + GetTokenAsync does not work for JwtBearer
aspnet/SignalR#2561 Update AddSignalRCore to respect user registered services
aspnet/Templating#565 ResponseCache attribute on RazorPages Error handler method should be moved to model
dotnet/core#1655 Hosting Bundle installer removes RC version of 2.1.0, breaking all RC apps

New in Microsoft .NET Core (.NET Framework) 2.1400 SDK (Aug 16, 2018)

New in Microsoft .NET Core (.NET Framework) 2.1.1 Runtime / 2.1.301 SDK (Jun 22, 2018)

New in Microsoft .NET Core (.NET Framework) 2.1.0 Runtime / 2.1.300 SDK (May 31, 2018)

New in Microsoft .NET Core (.NET Framework) 2.1.200 SDK (May 9, 2018)

New in Microsoft .NET Core (.NET Framework) 2.1.0 Preview 2 Runtime / 2.1.300 Preview 2 SDK (Apr 11, 2018)

New in Microsoft .NET Core (.NET Framework) 2.1.0 Preview 1 Runtime (Feb 28, 2018)

Notable Additions in Preview 1
System.IO - Path APIs no longer check invalid characters directly.
To improve performance and unblock cross platform scenarios System.IO.Path methods no longer check for validity of characters outside of the null character. Most System.IO APIs that take a path are impacted by this. Attempting to use a path that the OS/file system doesn't handle will return the system reported IOException when actually using the path as opposed to an ArgumentException before passing the path to the OS.
System.IO - Directory enumeration performance improvements
Performance of enumerating directories on Windows has been significantly improved, particularly with recursive searches.
System.IO.Compression - New Brotli Compression APIs
Add API to compress and decompress using the Brotli algorithm, a generic-purpose lossless compression algorithm used primarily by web browsers and servers. Operations may be completed using either the stream-based BrotliStream or the high-performance span-based BrotliEncoder/BrotliDecoder classes.
System.Security - New SignedCms APIs
System.Security.Cryptography.Pkcs.SignedCms is now available in the System.Security.Cryptography.Pkcs package. The .NET Core implementation is available to all .NET Core platforms and has parity with the class from .NET Framework.
System.Security - New X509Certificate.GetCertHash overload for SHA-2
New overloads for X509Certificate.GetCertHash and X509Certificate.GetCertHashString accept a hash algorithm identifier to enable callers to get certificate thumbprint values using algorithms other than SHA-1.
System.Security - New Span-based cryptography APIs
Span-based API is available for hashing, HMAC, (cryptographic) random number generation, asymmetric signature generation, asymmetric signature processing, and RSA encryption.
System.Security - Rfc2898DeriveBytes performance improvements
By switching to Span-based computations the computations of Rfc2898DeriveBytes (PBKDF2) have sped up about 15% compared to prior releases. Users who have benchmarked an iteration count for an amount of server time can now increase their iteration count accordingly.
System.Memory - New APIs for efficient low-allocation access to memory
The component contains primitives and libraries that can be used to optimize memory usage. The primitives, Span, ReadOnlySpan, Memory, and ReadOnlyMemory are types for efficient representation of managed, stack, and native memory segments. ReadOnlySequence represents a sequence of such segments. The rest of the component are reusable APIs operating on these primitives. For example, the Utf8Parser class can be used to parse UTF-8 encoded text stored in a memory segment. Similarly, Utf8Formatter can be used to format UTF-8 text into a memory segment. It also contains BinaryPrimitive APIs which let you read and write blittable types into and from Span with support for endianness.
Global Tools
Global tools let you install a tool from a NuGet feed into your local path. This makes in available in a similar manner to npm -g.
dotnet --list-sdks
dotnet --list-sdks provides a list of .NET Core SDKs installed on the machine
Many .NET Core SDKs may be installed on a given machine. The new --list-sdks switch lists installed SDKs along with the base path where they are installed. This new switch is present in the .NET Core host, which has a single copy on the machine. Thus, this switch works once the preview is installed, regardless of global.json or if the preview is uninstalled.
dotnet --list-runtimes
dotnet --list-runtimes provides a list of .NET Core Runtimes installed on the machine
Many .NET Core Runtimes may be installed on a given machine. The new --list-runtimes switch lists installed runtimes along with the base path where they are installed. This new switch is present in the .NET Core host, which has a single copy on the machine. Thus, this switch works once the preview is installed, regardless of global.json or if the preview is uninstalled.

New in Microsoft .NET Core (.NET Framework) 2.0.5 Runtime (Jan 10, 2018)

New in Microsoft .NET Core (.NET Framework) 2.0.3 Runtime / 2.0.3 SDK (Nov 15, 2017)

Security:
CVE-2017-8585 — Malformed Certificate can cause Denial of Service
Microsoft is releasing this security advisory to provide information about a vulnerability in the public versions of .NET Core 1.0 and 1.1, and 2.0. This advisory also provides guidance on what developers can do to update their applications correctly.
Microsoft is aware of a security vulnerability in the public version of .NET Core where a malformed certificate or other ASN.1 formatted data could lead to a denial of service via an infinite loop on Linux and macOS.
System administrators are advised to update their .NET Core runtimes to versions 1.0.8, 1.1.5 and 2.0.1. Developers are advised to update their .NET Core SDK to version 2.0.3 or 1.1.5.
Quality:
.NET Core 2.0.3:
CLI:
[8a60d17] Update F# compiler to match VS
[6ef8af7] update fsharp compiler for preview release
[4a2d3fa] Fix up roslyn satellite assembly handling to match new insertion mechanism
[6ccff28] Update F# compiler
[fb67e25] MSBuild 15.5.110
CoreCLR:
[2a5b736] Workaround GetSystemTimePreciseAsFileTime inaccuracies (#14283) (#14319)
[ccfa884] Change base of literals in k-nucleotide-9
[6f1b778] Port to 2.0.0 - Fix ARM32 secure delegate bug
[1504504] Add SkipCreateWindowsPdbsFromPortablePdbs=true (#13925)
[76accdf] Merge pull request #13845 from ViktorHofer/DBNull-Serialization
[8f5f8dc] Change FinalizerThreadCreate location to after profiler is initialized (#13663)
[c9af4b3] Complete and fix cgroup cpu and memory limiting
[0108cb0] Delete superfluous check in funceval.cpp
[01cd728] Remove EOL openSuSE 42.1 (#13692)
[a308bfc] Remove FreeBSD 10.1 (#13636)
[0caee95] Don't multiply YieldProcessor count by proc count (#13556)
[0ee7d4a] Parameterize RIDs for package restore
[3512bb3] Restore missing native *.ni.pdb file from the Microsoft.NETCore.Runtime.CoreCLR (#12677)
[b6abc16] Fixed issue #13282: dbgshim fails with E_ACCESSDENIED on Windows.
[b2c377b] JIT: Fix value type box optimization
[0803236] Don't map P-DEP SIMD12 local vars to SIMD16 on x64
[d99bf2d] Removed the legacy JIT32 assert regarding 4-byte alignment inArenaAllocator::allocateMemory Immediately after this assert we roundUp to an pointer size allocation amount.
[86d8a0c] Port "git clone" fixes to release 2.0.0 (#13467)
[207515e] Don't call AssemblyResolve event for CoreLib resources (#12999) (#13003)
[94d4aa4] don't use r2r images when the profiler requests that ngen images are disabled (#13349)
[4c1bc91] Fix non-portable parameters in build-packages.sh script
[3b9ce14] Add RH6 rid detections to build-packages.sh script
[e7e64c8] Remove setting of LD_LIBRARY_PATH because we want to set it in docker image
[384f815] Correct the values of "Rid" and "TestContainerSuffix" of newly added entries.
[c5e25ee] Add JitMinOpts throughput jobs
[214d82d] Support COMPlus_JITMinOpts for crossgen
[860e13d] Port of https://github.com/dotnet/coreclr/pull/13034 to release 2.0.0 -- Remove Ubuntu 16.10 as it's EOL (#13041)
CoreFX:
[fedf648] Fix ECDsa ExportParameters segfault
[90b1641] Fixed races in EventCounters. Preped to add Dispose() method
[653cb2f] Load the assembly from the same location as the type assembly (#22558) (#24128)
[5105363] Add copyright header from Mono
[b48403d] Fix return value of partially successful Socket.Send (#24005)
[f78432f] release/2.0.0 - Make DBNull serializable and adding tests (#23961)
[e297c0e] Address build error due to updates since 2.0
[939e4a6] Only truncate to IOV_MAX for stream sockets (#23826)
[fc29a3f] Porting #23591 to release 2.0 branch.
[6d38f59] Fix LargeArrayBuilder.CopyTo returning incorrect end-of-copy position (#23865)
[fd5a525] WebRequest.DefaultWebProxy: Set doesn't work without a previous Get (#22798)
[741cd3c] backport of REGEX_DEFAULT_MATCH_TIMEOUT (#23666)
[bbfdddf] Truncate sendmsg/recvmsg to IOV_MAX (#23781)
[ec98bfd] Fix handling of last number in IPv6 address
[7868e54] Add IPAddress parsing cases for components being too long
[daae3e5] Fix output buffer assumptions in CSP symmetric transforms.
[6febde9] Handle EAGAIN in Console.Write (#23539)
[fbdc453] Remove reference assemblies from NetFx netstandard support package
[fe0e443] Remove EOL openSuSE 42.1 (#23683)
[4df5884] Eliminate OpenSuSE 13.2 (EOL) (#23623)
[9108063] Fix bug in MS.CSharp handling non-generic classes nested in generic (#22117)
[d76ab29] Make 4.4.1 SqlClient harvest the 4.3.1 SqlClient package for its netstandard1.3 bits, since 4.3.0 SqlClient has a connection leak. (#23412)
[725fc01] Migrate corefx release/2.0.0 branch to git clone from VSO instead of unstable github (#23410)
[8d7ff69] Removed SNIMarsManager, and modified TdsParserStateObjectManaged so that it manages its own SNIMarsConnection if MARS is enabled. This prevents SNIMarsConnections from accumulating forever in a static SNIMarsManager singleton. (#22709) (#23357)
[204cdd7] Enable RHEL6 in release/2.0.0 (#23084)
[e1c7278] Remove Ubuntu 16.10 from test execution: OS was EOL'ed on 7/19/2017
.NET Core 1.0.8:
CoreCLR:
[54f1cf6] Port to 1.0.0 - Fix passing struct with four floats in registers via reflection (#14392)
[0ddcf7e] Fix resource lookup recursion issue (#13948)
[254df57] Remove FreeBSD 10.1/OpenSuSE 13.2 and Fedora 23 (#13634)
CoreFX:
[686812c] rel/1.0.0: Fix ECDsa ExportParameters segfault (#24458)
[88f43c3] Remove EOL'd OS's openSuSE 13.2 and Fedora 23 have been EOL'd and are no longer usable/upgradeable in CI. (#23621)
[ec5640f] Fix handling of flock in FileStream on Unix (#23235)
[e13c1b0] Packaging updates to service X509Certificates
[47d95a6] Simplify X509Chain building with OpenSSL
[a077f83] add apfs introduced by OSX 10.13
[3af071c] Prevent crash when Openssl's PKCS12_parse function fails.

New in Microsoft .NET Core (.NET Framework) 1.1.4 (Sep 23, 2017)

New in Microsoft .NET Core (.NET Framework) 1.0.7 (Sep 23, 2017)

New in Microsoft .NET Core (.NET Framework) 2.0.0 (Aug 15, 2017)

New in Microsoft .NET Core (.NET Framework) 2.0.0 Preview 2 (Jun 28, 2017)

New in Microsoft .NET Core (.NET Framework) 2.0.0 Preview 1 (May 10, 2017)

New in Microsoft .NET Core (.NET Framework) 1.1.2 (May 10, 2017)

New in Microsoft .NET Core (.NET Framework) 1.0.0-Preview 2 SDK / 1.0.0 Runtime (Jun 29, 2016)

We've added a number of distros to our support list. Below is the complete set for 1.0.0:
Windows 7+ / Server 2012 R2+
Production-quality .NET Core Runtime and Framework libraries:
Reliability improvements
R2R Performance improvements for Generics
Portable PDB support in Exception.ToString() and System.Diagnostics.StackTrace
New SOS commands "!CLRStack -r"
Limited managed profiling support on Windows
BCL (Below is a summary of API changes made since RC2):
New .NET Core APIs
System.ComponentModel.TypeConverter - TypeDescriptor support
System.Data.Common - DBEnumerator
System.Diagnostics.Tracing - EventCounter
System.IO.FileSystem.Watcher - FileSystemWatcher.WaitForChanged
System.Net.Http - new properties on HttpClientHandler
System.Net.Sockets - add back Tcp|UdpClient.Client property
System.Reflection.Metadata - MetadataReaderProvider
Many types have been removed from the 1.3 surface area and moved to 1.4 which remains in pre-release. If you depend on these types update to the 1.4.0 pre-release package.
System.Resources.ReaderWriter - types are now in separate assemblies System.Resources.Reader and System.Resources.Writer
System.Runtime.CompilerServices.Unsafe - New static helper methods for dealing with unsafe pointers
System.Security.Cryptography
ECDsa supports creating keys for arbitrary named and explicit curves (Windows 10, OS X, Linux)
ECDsa supports importing and exporting keys via the platform-independent ECParameters type
EnvelopedCms is now supported via the System.Security.Cryptography.Pkcs package
System.Security.SecureString
System.Text.RegularExpressions - precompiled regex
CLI:
Offline support: now you don't have to be connected to the internet to write applications that target only the .NET Core runtime and libraries. This means the core libraries are cached locally after running various dotnet commands the first time. Restoring packages which are not part of the Shared Framework do generally require an internet connection to gather the packages from NuGet.
New Templates: web, lib and xunittest