.NET May 2022 Updates – .NET 6.0.5, .NET 5.0.17 and, .NET Core 3.1.25

Dominique Whittaker

Today, we are releasing the .NET May 2022 Updates. These updates contain security and non-security improvements. See the individual release notes for details on updated packages.

You can download 6.0.5, 5.0.17 and, 3.1.25 versions for Windows, macOS, and Linux, for x86, x64, Arm32, and Arm64.

.NET 5.0 Out Of Support Starting May 10, 2022

May 2022 is the last update for .NET 5.0 and Microsoft will no longer provide servicing updates, including security fixes or technical support. Please update the version of .NET you are using to a supported version (.NET 6.0) in order to continue to receive updates.

Improvements

Security

CVE 2022-29117: .NET Denial of Service Vulnerability

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0, .NET 5.0 and .NET Core 3.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists in .NET 6.0, .NET 5.0 and .NET core 3.1 where a malicious client can manipulate cookies and cause a Denial of Service.

CVE 2022-23267: .NET Denial of Service Vulnerability

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0, .NET 5.0 and .NET Core 3.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists in .NET 6.0, .NET 5.0 and .NET Core 3.1 where a malicious client can cause a Denial of Service via excess memory allocations through HttpClient.

CVE 2022-29145: .NET Denial of Service Vulnerability

Microsoft is releasing this security advisory to provide information about a vulnerability in .NET 6.0, .NET 5.0 and .NET Core 3.1. This advisory also provides guidance on what developers can do to update their applications to remove this vulnerability.

A vulnerability exists in .NET 6.0, .NET 5.0 and .NET Core 3.1 where a malicious client can can cause a denial of service when HTML forms are parsed.

Visual Studio

See release notes for Visual Studio compatibility for .NET 6.0, .NET 5.0 and, .NET Core 3.1.

OS Lifecycle Update

Ubuntu 22.04 is now supported with the .NET 6.0.5, .NET 5.0.17, .NET Core 3.1.25 update. The operating system support pages for .NET 6.0, .NET 5.0, and .NET Core 3.1 have been updated to reflect that.

We are also aware of an Open SSL error on Arm32 architecture and are actively working to address. This issue is being tracked here.