Microsoft has released an urgent out-of-band (OOB) security update for .NET 10, issuing version 10.0.7 on April 21, 2026, to resolve a critical elevation of privilege flaw identified in the Microsoft.AspNetCore.DataProtection NuGet package.
The out-of-band release was triggered after users began reporting decryption failures in their ASP.NET Core applications subsequent to the standard Patch Tuesday .NET 10.0.6 update.
These concerns were documented publicly in ASP.NET Core issue #66335, where impacted developers highlighted numerous decryption regressions. During the investigation of those claims, Microsoft engineers discovered a graver issue: a security regression that created an exploitable vulnerability across all package versions from 10.0.0 through 10.0.6.
Emergency .NET 10.0.7 Update
The defect is designated as CVE-2026-40372 and exists within the managed authenticated encryptor of the Microsoft.AspNetCore.DataProtection package.
In the affected versions, the encryptor may compute its HMAC (Hash-based Message Authentication Code) validation tag over the wrong bytes of the payload and then discard the computed hash.
This defect could permit an attacker to tamper with protected data in a way that bypasses integrity validation, leading to elevation of privilege. The flaw undermines a fundamental security guarantee of ASP.NET Core’s Data Protection stack, a framework widely used to encrypt cookies, tokens, and sensitive application state.
The vulnerability impacts any application utilizing the Microsoft.AspNetCore.DataProtection package on .NET versions 10.0.0 through 10.0.6.
Because ASP.NET Core Data Protection underpins cookie authentication, anti-forgery tokens, and TempData encryption, the potential attack surface is considerable. Applications that manage user sessions or protected payloads and have not been updated are exposed to privilege escalation attacks.
Microsoft strongly recommends that all developers and organizations using affected versions upgrade the Microsoft.AspNetCore.DataProtection package to version 10.0.7 without delay.
The updated SDK and runtime can be acquired from the official .NET 10.0 download page. After installation, administrators should:
- Execute dotnet --info to verify that the runtime version shows 10.0.7.
- Rebuild and redeploy all applications using the updated NuGet packages or container images.
- Consult the Linux package installation instructions for server deployments.
Container images have likewise been refreshed and are accessible through the Microsoft Container Registry. Known issues for the 10.0 release series are chronicled in the official .NET Core GitHub repository.
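Checking the runtime with dotnet --info does not catch projects that pin the package itself, so the following added script (not code from the article or from Microsoft) scans MSBuild project XML for Microsoft.AspNetCore.DataProtection references in the affected 10.0.0 through 10.0.6 range. The sample project file is constructed for illustration; the handling of PackageVersion elements and the legacy MSBuild namespace is an assumption about how a given repository declares its packages.

```python
"""Audit MSBuild project XML for Microsoft.AspNetCore.DataProtection references in the
affected range 10.0.0..10.0.6 (CVE-2026-40372); 10.0.7 is the fixed release."""
import xml.etree.ElementTree as ET

PACKAGE = "microsoft.aspnetcore.dataprotection"  # NuGet IDs are case-insensitive
AFFECTED_MIN, AFFECTED_MAX = (10, 0, 0), (10, 0, 6)


def parse_version(text):
    """'10.0.3' or '10.0.3-preview.1' -> (10, 0, 3); None for floating versions like '*'."""
    core = text.split("-", 1)[0].split("+", 1)[0]
    try:
        parts = [int(p) for p in core.split(".")][:3]
    except ValueError:
        return None
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version):
    """True when the numeric part is within 10.0.0..10.0.6 (prerelease suffix ignored)."""
    v = parse_version(version)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX


def audit_project_xml(xml_text):
    """Return [(package_id, version, affected)] for each DataProtection reference; handles
    PackageReference and PackageVersion, Version as attribute or child, and xmlns prefixes."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop the legacy MSBuild namespace, if any
        if tag not in ("PackageReference", "PackageVersion"):
            continue
        name = elem.get("Include") or elem.get("Update") or ""
        if name.lower() != PACKAGE:
            continue
        version = elem.get("Version")
        if version is None:  # <Version>10.0.x</Version> child form
            child = next((c for c in elem if c.tag.rsplit("}", 1)[-1] == "Version"), None)
            version = child.text.strip() if child is not None and child.text else None
        if version is None:
            continue  # version supplied elsewhere (e.g. central package management)
        findings.append((name, version, is_affected(version)))
    return findings


# Constructed sample project file, not taken from any real repository.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="10.0.6" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""
```

Run audit_project_xml over every .csproj and Directory.Packages.props in a repository and treat any finding with affected set to True as a blocker until the reference reads 10.0.7.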
This urgent patch follows a trend of Microsoft expediting security remedies outside of its routine Patch Tuesday schedule when critical regressions are identified.
The April 2026 Patch Tuesday itself addressed multiple privilege escalation defects across Microsoft’s product lineup, highlighting an active threat environment for Windows and .NET systems. Developers are encouraged to enable automatic NuGet package update alerts to catch future OOB releases swiftly.