.NET 10 LTS landed on November 11, 2025. If you own an ASP.NET Core, Blazor, or EF Core codebase, that single date quietly resets your 2026 risk, your 2027 budget, and the order of work for the next few sprints. It also arrives in the wake of a high‑severity Kestrel vulnerability fix, which makes an upgrade plan more than just a nice‑to‑have. Let’s turn the release into a practical, low‑risk path you can run starting today. (dotnet.microsoft.com)
Here’s the thing: long‑term support buys you time, but it also compresses decisions. With .NET 10 you get three years of fixes and security updates, through November 2028, while Standard Term Support (STS) releases now live for 24 months. That shift changes the math for teams still on .NET 8/9 and coincides with meaningful improvements across ASP.NET Core, C# 14, and EF Core 10.
What actually shipped in .NET 10 LTS?
First, the framing: .NET 10 is an LTS release—supported for three years until mid‑November 2028. Microsoft also extended STS support to 24 months, which affects how long .NET 9 remains viable in regulated environments. If you’ve been waiting for a stable, long‑run target, this is it. (dotnet.microsoft.com)
ASP.NET Core 10: security, observability, and developer ergonomics
The web stack took meaningful steps forward. The platform emphasized security, observability, and performance, including improvements to diagnostics, metrics, and pipeline behavior. Identity gets more modern authentication options, and the framework continues to evolve its real‑time and streaming story. The quality‑of‑life wins add up in templates and Minimal APIs—making the day‑to‑day experience smoother for teams that ship continuously. (devblogs.microsoft.com)
C# 14: small syntactic wins that remove friction
C# 14 isn’t about flashy new paradigms; it’s about removing paper cuts that your team trips over every week. Extension members bring extension properties and static extension members into a coherent model. The contextual field keyword enables logic in auto‑properties without hand‑rolled backing fields. You also get null‑conditional assignment, unbound generic support in nameof, more span conversions, and modifiers on simple lambda parameters. They’re boring—in the best possible way—because they make code more direct, more readable, and slightly faster to type. (learn.microsoft.com)
EF Core 10: first‑class vector support for Azure SQL/SQL Server 2025
If you’re dabbling in semantic search, EF Core 10 brings vector columns and VECTOR_DISTANCE() into the supported, documented path for Azure SQL and SQL Server 2025. That means fewer custom shims and more straightforward migrations when you unify structured and embedding‑based queries. It’s a pragmatic data‑layer step that lets product teams test hybrid search without leaving the EF patterns they know. (learn.microsoft.com)
Why .NET 10 LTS changes your 2026 plan
Two things changed at once: the release itself and the support policy around it. With STS now at 24 months, .NET 9 support overlaps with .NET 10 longer than before, and .NET 8 LTS still ends on November 10, 2026. Practically, that gives you a clear runway to move .NET 8/9 apps to .NET 10 in 2025–2026 while keeping security coverage intact. For finance and compliance teams, that clarity streams straight into OpEx planning and audit evidence. (dotnet.microsoft.com)
A 30‑day upgrade playbook your team can actually run
You don’t need a big‑bang rewrite. You need momentum, a high‑signal compatibility scan, and a tight feedback loop. Here’s a plan we’ve used with enterprise teams that need to upgrade without pausing roadmap delivery.
Week 1: Baseline and patch
• Inventory: Pull a definitive list of runtimes, SDKs, and NuGet packages from production and CI. Include container base images and self‑hosted runners. If you’ve got multiple services, capture port bindings and reverse‑proxy topologies (IIS, Nginx, YARP, Envoy).
• Patch Kestrel: If you’re on ASP.NET Core, ensure you’ve applied Microsoft’s fix for the Kestrel HTTP request‑smuggling vulnerability (CVE‑2025‑55315). For .NET 8/9, take the October patches and restart hosts; for older 2.x apps, update Microsoft.AspNetCore.Server.Kestrel.Core to 2.3.6 and redeploy. Validate your upstream proxies aren’t re‑introducing smuggled requests. Treat this as table stakes before you proceed. (github.com)
• CI sanity: Install the .NET 10 SDK on build agents side‑by‑side with existing SDKs. Lock versions in global.json. Add a canary job that restores/builds your largest API with TargetFramework=net10.0 but doesn’t publish artifacts yet.
Week 2: Net‑new build, zero‑risk execution
• Multi‑TFM builds: Enable multi‑targeting temporarily (net8.0;net10.0) so you can compare compiler warnings and API diffs without destabilizing production. Use $(TreatWarningsAsErrors) for net10.0 only.
• AOT/ReadyToRun probes: For CPU‑heavy services, publish one experimental build with Native AOT or ReadyToRun enabled. Measure startup time and memory; don’t switch it on for production yet—bank the data.
• Observability bake‑offs: Adopt the new built‑in metrics and improved diagnostics for a single service. Wire them into your existing OpenTelemetry collector and dashboards. Keep the same SLOs so you can overlay graphs from net8.0 and net10.0. (devblogs.microsoft.com)
Week 3: Feature flag and roll forward
• Minimal APIs and validation: Move one endpoint to the latest validation/OpenAPI flows in a feature branch. Prove you can generate consistent ProblemDetails responses and OpenAPI 3.1 documents. Keep the runtime upgrade and the surface‑area changes under separate flags to reduce blast radius.
• Identity and passkeys: If you use Identity, pilot passkey flows with a small internal user group. Confirm your device mix (Windows Hello, iOS, Android) works end‑to‑end behind your proxy stack. (devblogs.microsoft.com)
• EF Core 10 pilot: Take a non‑critical service and move it to EF Core 10 to test vector columns or other provider changes. Validate code‑first migrations against staging clones and rehearse rollback. (learn.microsoft.com)
Week 4: Production rollout guardrails
• Ringed deploys: Start with a small tenant or a low‑traffic region. Keep a hot rollback path to the net8.0 artifact for at least one full business cycle.
• Performance SLOs: Define “good” as a maximum percent regression per metric (p95 latency ≤+5%, CPU ≤+10%, heap ≤+10%). Automate the check in CI per PR so you catch regressions early.
• Post‑release hygiene: Decommission the old SDK images from your runners and staging hosts. Update your golden image AMIs/base containers. Document the path to .NET 10 in your system ADRs so audits don’t stall you later.
People also ask
Is .NET 8 still safe to run in 2026?
Yes—through November 10, 2026. That’s the end of support for .NET 8 LTS. Plan upgrades in 2025–2026 so you aren’t scrambling in Q4’26. (dotnet.microsoft.com)
Do I need .NET 10 to use C# 14?
Yes. C# 14 is supported with the .NET 10 SDK/runtime, and the language features documented for C# 14 assume you’re on that toolchain. (learn.microsoft.com)
Do I need EF Core 10 to use vector search on Azure SQL/SQL Server 2025?
Yes—EF Core 10 adds official vector type support and VECTOR_DISTANCE() mapping for those engines. If you’ve been hand‑rolling SQL for embeddings, this simplifies your repository layer. (learn.microsoft.com)
Risks, gotchas, and reality checks
• Security posture first: The Kestrel smuggling bug (CVE‑2025‑55315) is mitigated in current builds, but the risk profile depends on your reverse proxies and how your app handles authentication and CSRF. Patching isn’t optional; it’s foundational. (theregister.com)
• Dependency drift: Some client libraries or UI stacks will lag the .NET 10 target. Multi‑target temporarily and lock your transitive dependencies. If a vendor doesn’t commit to .NET 10 support by year‑end, start an exit evaluation.
• AOT trade‑offs: Native AOT can slash cold‑start and memory in service workers, but reflection, dynamic proxies, and some serializers may bite. Keep it per‑service, not global policy.
• Identity and passkeys: Passkeys reduce password‑related support tickets, but you’ll need device enrollment UX, recovery flows, and a clear comms plan. Pilot internally first. (devblogs.microsoft.com)
• EF migrations: Vector support is great, but embeddings change your data retention model and compliance posture. Treat vectors as PII‑adjacent if they’re derived from sensitive content.
Let’s get practical: a one‑page readiness checklist
Use this on your next stand‑up to decide if you’re truly ready to pull the lever.
• Support math: We’ve documented which services must be on .NET 10 by Q3’26 to avoid .NET 8 EoS.
• Patch status: All ASP.NET Core apps patched for CVE‑2025‑55315; proxies validated with smuggling tests. (github.com)
• Build agents: .NET 10 SDK installed; global.json pins versions; container base images updated.
• Tests: Contract and load tests run green on net10.0; observability overlays configured (same SLOs).
• Data: EF Core 10 migrations rehearsed; rollback scripts stored; vector columns (if any) reviewed with security.
• Identity: Passkey pilot completed; recovery flows documented; help‑desk runbook updated. (devblogs.microsoft.com)
• AOT: One service benchmarked with AOT/ReadyToRun; decision documented in an ADR.
Budget and ROI: where .NET 10 LTS pays off
Most teams don’t measure the “cost of staying put.” LTS reduces emergency patch windows and gives you predictable monthly updates; better diagnostics tighten MTTR; and C# 14’s small features save minutes inside every PR. If you run multi‑tenant SaaS, the move to .NET 10 is also a hiring story—engineers want to work on up‑to‑date platforms with clean language features and a clear support horizon. And if you’re eyeing semantic features, EF Core 10’s vector support is the on‑ramp you wanted without adopting a new database.
What to do next
• Run the Week‑1 patch/inventory steps today. Don’t let the Kestrel fix linger—close it now. (theregister.com)
• Pick one service for a net10.0 canary by Friday. Add the SDK, enable multi‑TFM, and learn exactly what breaks.
• Decide now if AOT is in‑bounds for 2026. If yes, nominate the right workloads and gather data this month.
• If you want a structured migration plan, our 30‑day guide here on the site covers sequencing, testing, and stakeholder comms. Start with our field‑tested playbook in The .NET 10 LTS Playbook: Ship Faster, Safer Now, then dive into the team‑level plan in .NET 10 LTS: What’s New and the 30‑Day Upgrade Plan. If you’re migrating many services, the decision economics in The Upgrade Playbook That Pays Off can help you defend the budget.
• Prefer a partner? See how we approach modernization on our services page and book a working session via contacts. We’ll review your inventory, sketch the deployment rings, and co‑write the first ADR so you leave with momentum.
Zooming out
.NET 10 LTS isn’t about novelty for novelty’s sake. It’s a stable target with better ergonomics, stronger diagnostics, and a clear three‑year support horizon. In other words, fewer meetings about risk and more shipping. If you take the 30‑day plan seriously—patch, inventory, canary, measure—you’ll be able to lift the majority of your estate without a rewrite, unlock EF Core 10 capabilities where they help, and buy back engineering capacity for the work customers actually notice.
