PVS-Studio 7.40: support for Visual Studio 2026, Qt Creator 18, .NET 10, updated C# diagnostic rules, and more

PVS-Studio 7.40 has been released. The new version brings support for Visual Studio 2026 and Qt Creator 18, adds analysis of .NET 10 projects, enhances C# diagnostic rules, and includes many other new features. See more details in the note!

PVS-Studio plugin for Visual Studio 2026

The new release introduces support for the fresh Visual Studio 2026. Now you can seamlessly keep using all the features of PVS-Studio static analyzer in the updated IDE without changing your usual workflow.

To learn more about the plugin, refer to the documentation.

PVS-Studio plugin for Qt Creator 18.x

We're glad to present PVS-Studio plugin for Qt Creator 18.x. The plugin lets you run static analysis, view warnings, and handle your code directly within your IDE.

Note. The plugin for Qt Creator 13.x has been discontinued. We aim to maintain backward compatibility by supporting the latest plugin versions for all Qt Creator versions within two years of each release.

To learn more about the plugin, refer to the documentation.

Analysis of .NET 10 projects

PVS-Studio C# analyzer is now compatible with .NET 10 projects. If you'd like to know what the major features have been introduced in a new .NET version, we'd like to invite you to read the article "What's new in .NET 10?"

Note. On Windows, the minimum .NET version for analyzing SDK-style projects remains .NET 9. On Linux, C# project analysis now requires .NET 10.

Refinements of C# diagnostic rules

The PVS-Studio team has revised and enhanced the part of the C# diagnostic rules from the first hundred.

The update covers new language constructs, enhances PVS-Studio mechanisms for detecting code issues, and introduces many other refinements.

Documentation: Unreal Build Accelerator distributed build system

Unreal Engine 5.5 brings a new tool called Horde, a platform that enables users to leverage CPU cycles on other machines to accelerate workloads.

We've updated the documentation section on working with Unreal Engine projects and included instructions for using the analyzer in the Unreal Build Accelerator distributed build system.

To learn how to use these capabilities of Unreal Engine and run project analysis using PVS-Studio on multiple machines simultaneously, please refer to the article "Distributed build of Unreal Engine projects using Horde and UBA."

Breaking changes

These changes aren't backward compatible with earlier versions of the analyzer. You may need to adjust how you use the analyzer due to these changes.

• The keys used to install PVS-Studio analyzer from .deb and .rpm repositories were updated. Reinstallation of the keys may be required, please refer to the documentation for instructions.
• The .NET 10 SDK is now required to analyze C# projects on Linux and macOS.

Full list of updates

You can find the full list of new features in PVS-Studio 7.40 here.

New diagnostic rules

C and C++:

• V2023. Absence of the 'override' specifier when overriding a virtual function may cause a mismatch of signatures.
• V2663. MISRA. The macro EOF should only be compared with the unmodified return value of any Standard Library function capable of returning EOF.
• V2664. MISRA. Use of the string handling functions from should not result in accesses beyond the bounds of the objects referenced by their pointer parameters.
• V2665. MISRA. The size argument passed to function from should have an appropriate value.
• V2666. MISRA. All declarations of an object with an explicit alignment specification should specify the same alignment.

C#:

• V3228. It is possible that an assigned variable should be used in the next condition. Consider checking for misprints.
• V3229. The 'GetHashCode' method may return different hash codes for equal objects. It uses an object reference to generate a hash for a variable. Check the implementation of the 'Equals' method.

Java:

• V5337. OWASP. Possible NoSQL injection. Potentially tainted data is used to create query.
• V5338. OWASP. Possible Zip Slip vulnerability. Potentially tainted data is used in the path to extract the file.

Articles

For those, who code in C/C++:

• Taint analysis in PVS-Studio C and C++ analyzer
• What we didn't get in C++
• Bug box explosion: perils of cross-platform development
• Code legacy: Analyzing Erlang's C and C++ modules that have been running for decades
• How to analyze C/C++ code with no build system on Windows
• Building the PVS-Studio megapolis
• Open wide: Inspecting LLVM 21 with static analysis
• Computer vision for code: What PVS-Studio saw in OpenCV

For those, who code in C#:

• What's new in .NET 10
• What's new in C# 14: overview
• .NET Digest #9
• Blockchain projects Neo and NBitcoin code vs. static analyzer. Who wins?
• Checking osu! and exploring the features of static analyzers

For those, who code in Java:

• How to copy a tree, but not exactly
• Roaming fields in search of potential vulnerabilities
• Tomb of Java antiquities
• Bugs across the world's languages. Let's check LanguageTool

Other articles:

• What is Cyber Resilience Act, and what cybersecurity requirements does it impose?
• JavaScript failed your tests
• Try not to write lines of code that do not fit on the screen

Do you want to check a project with PVS-Studio? Then start from this page.

If you would like to get news on the latest releases, subscribe to the PVS-Studio newsletter here.