Microsoft Releases Emergency .NET 10.0.7 Update to Address Critical Security Flaw
On April 21, 2026, Microsoft issued an urgent out-of-band (OOB) security update for .NET 10, releasing version 10.0.7 to rectify a critical elevation of privilege vulnerability identified in the `Microsoft.AspNetCore.DataProtection` NuGet package.
Background and Discovery
The need for this emergency update arose after developers reported decryption failures in their ASP.NET Core applications following the standard Patch Tuesday .NET 10.0.6 update. These issues were publicly documented in ASP.NET Core issue #66335, where affected developers highlighted widespread decryption regressions. During the investigation of these reports, Microsoft engineers uncovered a more severe problem: a security regression that introduced an exploitable vulnerability across all versions of the package from 10.0.0 through 10.0.6.
Details of the Vulnerability
The flaw, designated CVE-2026-40372, lies in the managed authenticated encryptor of the `Microsoft.AspNetCore.DataProtection` package. In the affected versions, the encryptor could compute its HMAC (Hash-based Message Authentication Code) validation tag over the wrong bytes of the payload and then discard the computed value instead of comparing it with the tag carried in the payload. The practical consequence is that the stored tag is never actually verified: an attacker who can present a protected payload (a cookie, a token) could alter its contents without the tampering being detected, which Microsoft classifies as elevation of privilege. That undermines the core guarantee of ASP.NET Core's Data Protection stack, a framework applications rely on to encrypt and authenticate cookies, tokens, and other sensitive application state.
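The following is an added example, not code from the advisory or from ASP.NET Core, that models the failure class described above in a simplified encrypt-then-MAC "protector": a tag that is computed over the wrong bytes and then thrown away is no check at all, so the payload becomes malleable. The real Data Protection encryptor is AES-based; this model substitutes a keystream derived from HMAC-SHA256 in counter mode so it runs with the Python standard library alone. The payload layout (`iv || ciphertext || tag`), the function names, and the sample cookie are all constructed for the illustration and say nothing about how the actual CVE is triggered.

```python
import hashlib
import hmac
import os

IV_LEN = 16
TAG_LEN = 32


def _keystream(enc_key: bytes, iv: bytes, length: int) -> bytes:
    """PRF-based keystream (HMAC-SHA256 in counter mode). Stands in for the
    block cipher of the real encryptor so the example needs no third-party library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect(enc_key: bytes, mac_key: bytes, plaintext: bytes, iv=None) -> bytes:
    """Encrypt-then-MAC: payload = iv || ciphertext || HMAC(mac_key, iv || ciphertext)."""
    iv = os.urandom(IV_LEN) if iv is None else iv
    ciphertext = _xor(plaintext, _keystream(enc_key, iv, len(plaintext)))
    tag = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    return iv + ciphertext + tag


def _split(payload: bytes):
    if len(payload) < IV_LEN + TAG_LEN:
        raise ValueError("payload too short")
    return payload[:IV_LEN], payload[IV_LEN:-TAG_LEN], payload[-TAG_LEN:]


def unprotect_vulnerable(enc_key: bytes, mac_key: bytes, payload: bytes) -> bytes:
    """Models the bug class: the HMAC is computed over the wrong bytes (here the
    ciphertext without its IV) and the result is dropped, so the stored tag is
    never compared and any edit to the ciphertext decrypts "successfully"."""
    iv, ciphertext, _stored_tag = _split(payload)
    _unused = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()  # computed ...
    # ... and discarded: no compare_digest() call ever happens.
    return _xor(ciphertext, _keystream(enc_key, iv, len(ciphertext)))


def unprotect_fixed(enc_key: bytes, mac_key: bytes, payload: bytes) -> bytes:
    """Correct form: recompute over exactly the bytes protect() covered, compare
    in constant time, and refuse to decrypt on mismatch."""
    iv, ciphertext, stored_tag = _split(payload)
    expected = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, stored_tag):
        raise ValueError("integrity check failed: payload was modified")
    return _xor(ciphertext, _keystream(enc_key, iv, len(ciphertext)))


def rewrite_claim(payload: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker-side edit without any key: XOR the ciphertext with old^new at the
    claim's offset. This works against a stream-style cipher once the MAC check
    is gone; the attacker only needs to know the plaintext layout."""
    if len(old) != len(new):
        raise ValueError("replacement must keep the length")
    start = IV_LEN + offset
    delta = _xor(old, new)
    return payload[:start] + _xor(payload[start:start + len(delta)], delta) + payload[start + len(delta):]


def fixed_rejects(enc_key: bytes, mac_key: bytes, payload: bytes) -> bool:
    try:
        unprotect_fixed(enc_key, mac_key, payload)
        return False
    except ValueError:
        return True


def demo():
    """Constructed auth-cookie payload: flip 'role=user;' to 'role=admin' in the
    ciphertext and see which unprotect() accepts it."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    cookie = b"user=alice;role=user;"
    token = protect(enc_key, mac_key, cookie)
    forged = rewrite_claim(token, cookie.index(b"user;"), b"user;", b"admin")
    return unprotect_vulnerable(enc_key, mac_key, forged), fixed_rejects(enc_key, mac_key, forged)


if __name__ == "__main__":
    seen, rejected = demo()
    print("vulnerable unprotect returns:", seen)            # b'user=alice;role=admin'
    print("fixed unprotect rejects forged token:", rejected)  # True
```

The point to take from the model is the shape of a correct verifier: the tag must be recomputed over exactly the bytes the producer covered (including the IV), compared with a constant-time routine, and checked before any decrypted bytes are handed to the application. A verifier that does the arithmetic but never acts on the result offers no more protection than no MAC at all.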
Impact on Applications
Any application utilizing the `Microsoft.AspNetCore.DataProtection` package on .NET versions 10.0.0 through 10.0.6 is affected by this vulnerability. Given that ASP.NET Core Data Protection is a foundational component used for cookie authentication, anti-forgery tokens, and TempData encryption, the potential attack surface is significant. Applications handling user sessions or protected payloads without upgrading are at risk of privilege escalation attacks.
Recommended Actions
Microsoft strongly urges all developers and organizations running affected versions to update the `Microsoft.AspNetCore.DataProtection` package to version 10.0.7 immediately. The updated SDK and runtime are available for download at the official .NET 10.0 download page. After installation, administrators should:
– Run `dotnet --info` (or `dotnet --list-runtimes`) to confirm that the installed Microsoft.AspNetCore.App runtime reports 10.0.7.
– Rebuild and redeploy all applications using updated NuGet packages or container images.
– Review Linux package installation guidance for server deployments.
Container images have also been updated and are available via the Microsoft Container Registry. Known issues for the 10.0 release train are documented in the official .NET Core GitHub repository.
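As an added example (not a Microsoft tool or part of the .NET SDK), the following script turns the steps above into an offline triage check: it parses the text that `dotnet --list-runtimes` prints and an SDK-style project file, and flags any Microsoft.AspNetCore.App runtime or direct `Microsoft.AspNetCore.DataProtection` package reference whose version falls in the affected range the advisory gives (10.0.0 through 10.0.6). The runtime listing and the `.csproj` embedded below are constructed samples; the listing parser assumes the usual `Name Version [Path]` line layout, and the project parser assumes an SDK-style file without an XML namespace.

```python
import re
import xml.etree.ElementTree as ET

PACKAGE = "Microsoft.AspNetCore.DataProtection"
SHARED_FRAMEWORK = "Microsoft.AspNetCore.App"   # shared framework that carries the package
AFFECTED_FROM, FIXED_IN = (10, 0, 0), (10, 0, 7)   # range stated in the advisory write-up


def parse_version(text: str) -> tuple:
    """'10.0.6' -> (10, 0, 6); a prerelease or build suffix such as
    '10.0.7-rc.1' or '10.0.6+abc' is dropped before comparing."""
    core = re.split(r"[-+]", text.strip(), maxsplit=1)[0]
    parts = [int(p) for p in core.split(".") if p]
    return tuple((parts + [0, 0, 0])[:3])


def is_affected(version: str) -> bool:
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN


def affected_runtimes(listing: str) -> list:
    """Scan `dotnet --list-runtimes` output ('Name Version [Path]' per line)
    for Microsoft.AspNetCore.App installs still in the affected range."""
    hits = []
    for line in listing.splitlines():
        m = re.match(r"^(\S+)\s+(\S+)\s+\[", line.strip())
        if m and m.group(1) == SHARED_FRAMEWORK and is_affected(m.group(2)):
            hits.append(m.group(2))
    return hits


def affected_package_refs(csproj_xml: str) -> list:
    """Scan an SDK-style project file for a direct PackageReference to the
    package in the affected range. Version may be an attribute or a child
    element; central package management (Directory.Packages.props) and
    transitive references are out of scope for this check."""
    root = ET.fromstring(csproj_xml)
    hits = []
    for ref in root.iter("PackageReference"):
        if ref.get("Include") != PACKAGE:
            continue
        version = ref.get("Version") or ref.findtext("Version") or ""
        if version and is_affected(version):
            hits.append(version.strip())
    return hits


def triage(listing: str, csproj_xml: str) -> dict:
    runtimes = affected_runtimes(listing)
    packages = affected_package_refs(csproj_xml)
    return {"runtimes": runtimes, "packages": packages, "ok": not runtimes and not packages}


# Constructed samples: a host with one patched and one unpatched ASP.NET Core
# runtime side by side, and a project pinning the package to an affected version.
SAMPLE_RUNTIMES = """\
Microsoft.NETCore.App 10.0.6 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.AspNetCore.App 10.0.6 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 10.0.7 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 9.0.4 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
"""

SAMPLE_CSPROJ = """\
<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="10.0.5" />
    <PackageReference Include="Microsoft.AspNetCore.DataProtection.Abstractions" Version="10.0.7" />
  </ItemGroup>
</Project>
"""

if __name__ == "__main__":
    import subprocess
    import sys
    if len(sys.argv) > 1:   # live mode: python triage.py path/to/app.csproj
        listing = subprocess.run(["dotnet", "--list-runtimes"], capture_output=True, text=True).stdout
        with open(sys.argv[1], encoding="utf-8") as f:
            csproj = f.read()
    else:                   # offline demo on the constructed samples
        listing, csproj = SAMPLE_RUNTIMES, SAMPLE_CSPROJ
    print(triage(listing, csproj))  # demo: {'runtimes': ['10.0.6'], 'packages': ['10.0.5'], 'ok': False}
```

Note that an unpatched runtime left on the host is still a finding even after a patched one is installed next to it: framework-dependent applications roll forward only within their configured policy, so an app targeting 10.0.x will use whichever 10.0 patch the host resolves, and a stale shared framework should be removed rather than ignored.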
Context and Precedent
This emergency patch follows a pattern of Microsoft accelerating security fixes outside its regular Patch Tuesday cycle when critical regressions are discovered. The April 2026 Patch Tuesday itself addressed several privilege escalation flaws across Microsoft's product portfolio, underscoring an active threat landscape for Windows and .NET ecosystems. Developers are advised to watch for OOB releases rather than waiting for the next Patch Tuesday, for example by auditing dependencies in CI with `dotnet list package --vulnerable`, which reports referenced package versions that have a published advisory.
Conclusion
The swift identification and remediation of this vulnerability highlight the importance of proactive security measures and prompt response to emerging threats. Organizations and developers must prioritize applying this update to safeguard their applications and maintain the integrity of their data protection mechanisms.