Visual Studio 2026 release notes:
Released on July 14, 2026.
Top bug fixes | From the community |
|---|---|
| Updated MinGit to version 2.54.0.2 | |
| C++ IntelliSense in v145 flags unresolved includes and false syntax errors | Feedback ticket |
Security advisories addressed | CVE | Description |
|---|---|---|
| .NET Elevation of Privilege Vulnerability | CVE-2026-47300 | An elevation of privilege vulnerability exists in the ASP.NET Core Negotiate authentication handler where the LdapAdapter does not properly validate LDAP queries, allowing an authenticated attacker to bypass authorization checks. |
| .NET Elevation of Privilege Vulnerability | CVE-2026-47303 | An elevation of privilege vulnerability exists in the ASP.NET Core Negotiate authentication handler where the LdapAdapter confuses CN and sAMAccountName identifiers, allowing an authenticated attacker to impersonate another user. |
| .NET Denial of Service Vulnerability | CVE-2026-47302 | A denial of service vulnerability exists in .NET XML processing where EncryptedXml handling and duplicate-attribute parsing in XmlTextReader cause uncontrolled resource consumption. |
| .NET Security Feature Bypass Vulnerability | CVE-2026-47304 | A security feature bypass vulnerability exists in the .NET XML encryption implementation (System.Security.Cryptography.Xml), allowing an attacker to forge XML signatures via an empty HMAC and bypass signature protections. |
| .NET Denial of Service Vulnerability | CVE-2026-50524 | A denial of service vulnerability exists in .NET where malformed TLS packets during the System.Net.Security SslStream handshake cause the application to crash or become unresponsive. |
| .NET Security Feature Bypass Vulnerability | CVE-2026-50528 | A security feature bypass vulnerability exists in .NET where the System.Net.Security SslStream implementation ignores channel binding, allowing an attacker to bypass authorization checks during secure communication. |
| .NET Denial of Service Vulnerability | CVE-2026-50525 | A denial of service vulnerability exists in the .NET XML encryption implementation (System.Security.Cryptography.Xml) where a crafted XML transform chain causes uncontrolled resource consumption. |
| .NET Denial of Service Vulnerability | CVE-2026-50648 | A denial of service vulnerability exists in the .NET XML encryption implementation (System.Security.Cryptography.Xml) where crafted encrypted XML causes uncontrolled resource consumption. |
| .NET Denial of Service Vulnerability | CVE-2026-50527 | A denial of service vulnerability exists in the .NET XML encryption implementation (System.Security.Cryptography.Xml) where improperly validated input leads to a stack-based buffer overflow. |
| .NET Tampering Vulnerability | CVE-2026-50526 | A tampering vulnerability exists in the .NET SDK container image build process where a predictable, world-writable cache location allows a local attacker to inject malicious blobs into container images built by other users on the same machine. |
| .NET Denial of Service Vulnerability | CVE-2026-50651 | A denial of service vulnerability exists in .NET where an attacker can flood SocketsHttpHandler HTTP/2 connections with SETTINGS and PING ACK frames, causing an out-of-memory condition in Http2Connection. |
| .NET Spoofing Vulnerability | CVE-2026-50659 | A spoofing vulnerability exists in the .NET SMTP client (System.Net.Mail) where SMTP command smuggling via CRLF sequences split across buffers allows injection of arbitrary email commands. |
| .NET Remote Code Execution Vulnerability | CVE-2026-50646 | A remote code execution vulnerability exists in Windows Presentation Foundation (WPF) when parsing specially crafted XAML input, allowing an attacker to execute arbitrary code in the context of the current user. |
| .NET Remote Code Execution Vulnerability | CVE-2026-50649 | A remote code execution vulnerability exists in Windows Presentation Foundation (WPF) when parsing specially crafted XAML input, allowing an attacker to execute arbitrary code in the context of the current user. |
| .NET Elevation of Privilege Vulnerability | CVE-2026-50650 | An elevation of privilege vulnerability exists in Windows Presentation Foundation (WPF) when parsing specially crafted XAML input, allowing an attacker to elevate privileges on the affected system. |
| Visual Studio Remote Code Execution Vulnerability | CVE-2026-47305 | A remote code execution vulnerability exists in Visual Studio where a Mark-of-the-Web (MOTW) bypass allows a crafted .vcxproj InitialTargets or PreBuildEvent to execute project commands when a solution is opened. |
Source:
Visual Studio 2026 release notes
Learn about the latest features, bug fixes, and support for Visual Studio 2026. Download today.
learn.microsoft.com
Downloads:
Visual Studio Downloads for Windows
Download Visual Studio IDE for free. Try out Visual Studio Professional or Enterprise editions.











