Microsoft has issued an emergency out-of-band (OOB) security update for .NET 10, releasing version 10.0.7 on April 21, 2026, to patch a critical elevation of privilege vulnerability in the Microsoft.AspNetCore.DataProtection NuGet package tracked as CVE-2026-40372.
All organizations and developers running ASP.NET Core applications on .NET versions 10.0.0 through 10.0.6 are urged to update immediately.
Microsoft Patches .NET Flaw
Following the standard Patch Tuesday release of .NET 10.0.6, Microsoft’s engineering team began receiving alarming reports from customers whose applications were suddenly experiencing decryption failures.
The regression was publicly tracked in ASP.NET Core issue #66335 and quickly escalated as the engineering team realized the underlying bug was far more serious than a simple compatibility regression.
During their investigation, Microsoft confirmed that the same code defect that broke decryption also introduced a security vulnerability, forcing an out-of-band release outside the normal monthly patching cadence.
This is a rare but significant signal: Microsoft’s decision to break from the standard Patch Tuesday schedule underlines the critical severity of CVE-2026-40372 for any enterprise running modern .NET web workloads.
At the heart of this vulnerability is a logic flaw inside the managed authenticated encryptor component of the Microsoft.AspNetCore.DataProtection library.
In all affected versions from 10.0.0 to 10.0.6, the encryptor computed its HMAC (Hash-based Message Authentication Code) validation tag over the wrong bytes of the encrypted payload, then discarded the computed hash rather than using it for integrity verification.
HMAC is a cryptographic mechanism that ensures the integrity and authenticity of encrypted data. When an HMAC tag is computed over incorrect payload bytes and then thrown away, the authentication layer effectively becomes non-functional.
This creates a dangerous attack surface: a threat actor could forge or tamper with protected payloads and bypass the intended data protection safeguards, resulting in an elevation of privilege (EoP) condition.
The vulnerability is particularly dangerous because Data Protection in ASP.NET Core is used for a wide range of sensitive operations, including:
- Cookie encryption and anti-forgery token generation
- Session state protection and secure key storage
- OAuth token encryption in authentication pipelines
- Secure transmission of sensitive user data across application tiers
A successful exploitation of CVE-2026-40372 could allow an attacker to impersonate users, escalate session privileges, or bypass authentication controls, all without requiring any user interaction.
Affected Versions
| Component | Affected Versions | Fixed Version |
|---|---|---|
| Microsoft.AspNetCore.DataProtection | 10.0.0 – 10.0.6 | 10.0.7 |
| .NET SDK / Runtime | 10.0.0 – 10.0.6 | 10.0.7 |
All applications built on .NET 10 that leverage ASP.NET Core’s Data Protection APIs are impacted. Earlier .NET Long-Term Support (LTS) versions, such as .NET 8.x and .NET 9.x, are not affected by this specific regression, as the vulnerability was introduced exclusively in the .NET 10 release line.
Remediation
Microsoft recommends that all affected developers and system administrators apply the .NET 10.0.7 update immediately. The following steps provide a clear remediation path:
- Download the .NET 10.0.7 SDK or Runtime. Installers are available for Windows (x64, x86, Arm64), macOS (Arm64, x64), and all major Linux distributions.
- Verify your installation after the update by running `dotnet --info` in your terminal and confirming the active version reads `10.0.7`.
- Update the NuGet package directly in your project by running `dotnet add package Microsoft.AspNetCore.DataProtection --version 10.0.7` or by editing your `.csproj` file to reference version 10.0.7.
- Rebuild and redeploy all affected applications using the updated SDK, runtime, or container images pulled from the Microsoft Container Registry (MCR).
- Linux-based environments can follow the updated Linux package installation guide published on the official .NET GitHub repo for package manager-based upgrades on Debian, Ubuntu, SUSE, Azure Linux, and Alpine.
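As a post-patch regression check for the flaw described above and the remediation steps just listed, the following C# program (example code written for this article, not Microsoft's own code) uses the public Data Protection API to confirm that every single-bit modification of a protected payload is rejected, which is exactly the guarantee a discarded HMAC tag breaks. It assumes a console project referencing Microsoft.AspNetCore.DataProtection.Extensions 10.0.7, a throwaway key directory, and forces the managed AES/HMACSHA256 encryptor so the check exercises the managed component even on Windows, where the CNG encryptor is the default.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel;

// Assumption: keys live in a throwaway directory, and the managed AES-256-CBC +
// HMACSHA256 encryptor is selected explicitly so this check covers the component
// named in the advisory regardless of platform defaults.
var keyDir = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "dp-tamper-check-keys"));
var provider = DataProtectionProvider.Create(keyDir, builder =>
    builder.UseCustomCryptographicAlgorithms(new ManagedAuthenticatedEncryptorConfiguration
    {
        EncryptionAlgorithmType = typeof(Aes),
        EncryptionAlgorithmKeySize = 256,
        ValidationAlgorithmType = typeof(HMACSHA256),
    }));
var protector = provider.CreateProtector("tamper-check"); // constructed purpose string

byte[] plaintext = Encoding.UTF8.GetBytes("constructed sample payload");
byte[] protectedBytes = protector.Protect(plaintext);

// Sanity check: an untouched payload must still round-trip after the update.
if (!protector.Unprotect(protectedBytes).AsSpan().SequenceEqual(plaintext))
    throw new Exception("round-trip failed");

// Flip one bit at every byte position (header, key id, IV, ciphertext, tag).
// A working authenticated encryptor rejects every variant with
// CryptographicException; any variant that is silently accepted means the
// integrity tag is not being enforced.
int accepted = 0;
for (int i = 0; i < protectedBytes.Length; i++)
{
    byte[] tampered = (byte[])protectedBytes.Clone();
    tampered[i] ^= 0x01;
    try
    {
        protector.Unprotect(tampered);
        accepted++;
        Console.WriteLine($"FAIL: payload with modified byte {i} was accepted");
    }
    catch (CryptographicException)
    {
        // expected: tampering detected and rejected
    }
}
Console.WriteLine(accepted == 0
    ? $"OK: all {protectedBytes.Length} single-bit modifications were rejected"
    : $"FAIL: {accepted} modified payload(s) accepted; integrity check not enforced");
```

Run it once against the patched runtime in each deployment environment; a non-zero FAIL count after the update indicates the application is still resolving an affected package or runtime.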
Out-of-band security releases are reserved for vulnerabilities serious enough that they cannot wait for the next scheduled Patch Tuesday cycle.
In this case, Microsoft simultaneously resolved a production-breaking decryption regression and a privilege escalation vulnerability in a single emergency release, demonstrating both the urgency and the complexity of the underlying bug.
Security teams should treat OOB patches with the same or higher priority as standard Patch Tuesday updates, as they typically signal active exploitability risk or confirmed production impact.
FAQ
Q1: Which .NET versions are affected by CVE-2026-40372?
Only .NET 10.0.0 through 10.0.6 using Microsoft.AspNetCore.DataProtection are affected; .NET 8 and .NET 9 are not impacted.
Q2: What is the impact of this vulnerability if left unpatched?
Exploiting CVE-2026-40372 can allow attackers to forge encrypted payloads and elevate privileges, potentially bypassing authentication and session controls.
Q3: Does this vulnerability affect all ASP.NET Core applications?
Only applications that directly use ASP.NET Core Data Protection APIs, such as those relying on cookie encryption, session management, or OAuth token handling, are at risk.
Q4: Where can I download the official .NET 10.0.7 fix?
The official .NET 10.0.7 SDK and Runtime are available for immediate download at dotnet.microsoft.com/download/dotnet/10.0.
Site: https://thecybrdef.com