On April 21, 2026, Microsoft released an out-of-band security update for .NET 10, version 10.0.7. The update fixes a critical elevation of privilege vulnerability in the Microsoft.AspNetCore.DataProtection NuGet package.
Emergency Security Update Released
The out-of-band release followed customer reports of decryption failures in ASP.NET Core applications after the regular Patch Tuesday release of .NET 10.0.6. Developers reported the failures in ASP.NET Core issue #66335, and the investigation uncovered a serious security regression affecting all package versions from 10.0.0 through 10.0.6.
Details of the Vulnerability
Tracked as CVE-2026-40372, the flaw lies in the package's managed authenticated encryptor. The HMAC validation tag was computed incorrectly over the payload bytes, so an attacker could bypass the integrity check and escalate privileges. This undermines the mechanism ASP.NET Core relies on to protect cookies, tokens, and other sensitive data.
Any application utilizing the Microsoft.AspNetCore.DataProtection package on .NET versions 10.0.0 to 10.0.6 is at risk. The package is integral for cookie authentication, anti-forgery tokens, and TempData encryption, highlighting a significant potential attack surface for unpatched systems.
Immediate Action Required
Microsoft strongly advises developers and organizations running affected versions to update to 10.0.7 without delay. The updated SDK and runtime are available from the official .NET 10.0 download page. Administrators should confirm the installed version with dotnet --info and make sure applications are rebuilt and redeployed against the updated NuGet packages or container images; updating the SDK alone does not change the package version an already-built application carries.
Updated container images are accessible via the Microsoft Container Registry, and specific instructions for Linux package installations are available for server deployments. Documentation on known issues for the 10.0 release is provided in the .NET Core GitHub repository.
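The verification step above, written out as a script. This is an added example, not code from Microsoft's advisory or from the dotnet/aspnetcore repository. It flags Microsoft.AspNetCore.DataProtection PackageReference entries in a project file, and installed Microsoft.AspNetCore.App runtimes, whose version falls in the 10.0.0 to 10.0.6 range the advisory names. The sample .csproj it scans is constructed here for illustration, and treating prerelease builds such as 10.0.0-rc.1 as affected is this script's own assumption, since the advisory lists only 10.0.0 through 10.0.6.

```shell
#!/bin/sh
# Added example (not from Microsoft's advisory or the dotnet/aspnetcore repo).
# Flags Microsoft.AspNetCore.DataProtection references and installed
# Microsoft.AspNetCore.App runtimes in the affected range 10.0.0 - 10.0.6.

PKG="Microsoft.AspNetCore.DataProtection"
FIXED="10.0.7"   # first fixed version per the advisory

# is_affected VERSION: succeed when VERSION is 10.0.0 .. 10.0.6.
# A prerelease suffix (e.g. 10.0.0-rc.1) is stripped before comparing and
# therefore counted as affected; that is this script's assumption, the
# advisory lists only 10.0.0 through 10.0.6.
is_affected() {
    base=${1%%-*}
    case $base in
        10.0.*) ;;                 # only the 10.0.x line is in scope
        *) return 1 ;;
    esac
    patch=${base#10.0.}
    case $patch in
        ''|*[!0-9]*) return 1 ;;   # reject 10.0., 10.0.x.y, 10.0.abc
    esac
    [ "$patch" -lt "${FIXED##*.}" ]
}

# write_sample_csproj FILE VERSION: write a constructed project file
# (sample data, not from any real repository) pinning $PKG at VERSION.
write_sample_csproj() {
    cat > "$1" <<EOF
<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup>
    <TargetFramework>net10.0</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="$PKG" Version="$2" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>
EOF
}

# scan_csproj FILE: print one line per $PKG reference and succeed when
# at least one reference is in the affected range.
scan_csproj() {
    versions=$(grep -o "Include=\"$PKG\"[^>]*Version=\"[^\"]*\"" "$1" |
               sed 's/.*Version="\([^"]*\)".*/\1/')
    hit=1
    for v in $versions; do
        if is_affected "$v"; then
            echo "AFFECTED $PKG $v in $1 (update to $FIXED)"
            hit=0
        else
            echo "OK $PKG $v in $1"
        fi
    done
    return $hit
}

# check_runtimes: apply the same test to the installed ASP.NET Core shared
# runtimes, which ship DataProtection too; skipped when dotnet is not on PATH.
check_runtimes() {
    command -v dotnet >/dev/null 2>&1 || { echo "dotnet not on PATH, skipping runtime check"; return 0; }
    dotnet --list-runtimes | awk '$1 == "Microsoft.AspNetCore.App" { print $2 }' |
    while read -r rv; do
        if is_affected "$rv"; then echo "AFFECTED runtime Microsoft.AspNetCore.App $rv"
        else echo "OK runtime Microsoft.AspNetCore.App $rv"; fi
    done
}

# Stand-alone run against the constructed sample project.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
write_sample_csproj "$sample" "10.0.6"
if scan_csproj "$sample"; then echo "action required"; else echo "clean"; fi
check_runtimes
```

Point scan_csproj at each real project file (or run it over the output of find . -name '*.csproj') and treat any AFFECTED line as a blocker for deployment; the runtime check covers the shared framework on the host, but a self-contained or framework-dependent app still needs to be rebuilt and redeployed once the package is bumped.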
Security Landscape and Future Precautions
This emergency patch shows Microsoft shipping fixes outside its usual Patch Tuesday cadence when a critical issue is identified. The April 2026 Patch Tuesday itself addressed several privilege escalation vulnerabilities, underscoring the ongoing security work across Microsoft's ecosystem. Developers are encouraged to automate NuGet dependency updates so that future out-of-band releases are picked up quickly.
