Microsoft Emergency .NET 10.0.7 Update to Patch Elevation of Privilege Vulnerability

Microsoft has issued an emergency out-of-band (OOB) security update for .NET 10, releasing version 10.0.7 on April 21, 2026, to address a critical elevation of privilege vulnerability discovered in the Microsoft.AspNetCore.DataProtection NuGet package.

The out-of-band release was prompted after customers began reporting decryption failures in their ASP.NET Core applications following the standard Patch Tuesday .NET 10.0.6 update.

These issues were tracked publicly in ASP.NET Core issue #66335, where affected developers flagged widespread decryption regressions. While investigating those reports, Microsoft engineers uncovered a deeper and more serious problem: a security regression that introduced an exploitable vulnerability into every version of the package from 10.0.0 through 10.0.6.

Emergency .NET 10.0.7 Update

The flaw is tracked as CVE-2026-40372 and resides in the managed authenticated encryptor within the Microsoft.AspNetCore.DataProtection package.

In affected versions, the encryptor could compute its HMAC (Hash-based Message Authentication Code) validation tag over the wrong bytes of the payload and then discard the computed value, so the tag carried in the payload was never actually checked against anything.

This cryptographic mishandling allows an attacker to modify protected data without the modification being detected, which is what turns an integrity bug into an elevation of privilege: a tampered payload is accepted as if the application had produced it. The bug undermines a core security guarantee of ASP.NET Core's Data Protection stack, a framework widely relied upon for encrypting cookies, tokens, and sensitive application state.
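To make the failure mode concrete, the following is an added example and not Microsoft's Data Protection code: an encrypt-then-MAC protect/unprotect pair written against the Python standard library only, so the cipher is a toy HMAC-derived keystream rather than the AES mode Data Protection uses. The `unprotect_buggy` function models the regression as the advisory describes it (a tag computed over the wrong bytes and then thrown away, never compared with the tag in the payload) next to `unprotect_correct`, which verifies the tag before decrypting. The cookie contents, field names and key derivation are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import struct

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output


def _subkeys(master: bytes) -> tuple[bytes, bytes]:
    # Derive independent encryption and MAC keys from one master key (toy KDF).
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy CTR-style keystream with HMAC as the PRF, so no third-party AES is needed.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def protect(master: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC(mac_key, nonce || ciphertext)."""
    enc_key, mac_key = _subkeys(master)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _split(blob: bytes) -> tuple[bytes, bytes, bytes]:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("payload too short")
    return blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]


def unprotect_correct(master: bytes, blob: bytes) -> bytes:
    """Recompute the tag over exactly the bytes protect() MACed, compare in constant time."""
    enc_key, mac_key = _subkeys(master)
    nonce, ct, tag = _split(blob)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def unprotect_buggy(master: bytes, blob: bytes) -> bytes:
    """Models the regression: the HMAC is computed over the wrong bytes (here the nonce
    alone) and the result is discarded, so the tag in the payload is never checked."""
    enc_key, mac_key = _subkeys(master)
    nonce, ct, tag = _split(blob)
    _ = hmac.new(mac_key, nonce, hashlib.sha256).digest()  # wrong input, result unused
    # No comparison against `tag`: any ciphertext is accepted and decrypted.
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def flip_field(blob: bytes, known_plaintext: bytes, old: bytes, new: bytes) -> bytes:
    """Attacker-side edit without the key: with a stream cipher, XORing the ciphertext
    at a known offset with old ^ new rewrites that field in the decrypted output."""
    assert len(old) == len(new)
    off = NONCE_LEN + known_plaintext.index(old)
    b = bytearray(blob)
    for i in range(len(old)):
        b[off + i] ^= old[i] ^ new[i]
    return bytes(b)


def demo() -> tuple[bytes, str]:
    key = os.urandom(32)
    cookie_plain = b"uid=1001;role=user"   # constructed cookie contents
    cookie = protect(key, cookie_plain)     # issued to a user who knows their own role
    forged = flip_field(cookie, cookie_plain, b"user", b"root")
    accepted_by_buggy = unprotect_buggy(key, forged)
    try:
        unprotect_correct(key, forged)
        verdict = "accepted"
    except ValueError:
        verdict = "rejected"
    return accepted_by_buggy, verdict


if __name__ == "__main__":
    print(demo())  # (b'uid=1001;role=root', 'rejected')
```

The bit flip shown is what a stream or CTR-mode cipher permits; Data Protection's managed encryptor defaults to AES-CBC with HMAC-SHA256, where the manipulations available to an attacker differ in shape, and the advisory does not describe which manipulation was exploitable. The point the example makes is independent of the cipher mode: once the tag is not verified, the ciphertext becomes attacker-controlled input to the decryptor, and whatever comes out is trusted by the application.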

The vulnerability affects any application that uses the Microsoft.AspNetCore.DataProtection package on .NET versions 10.0.0 through 10.0.6.

Given that ASP.NET Core Data Protection is a foundational component used for cookie authentication, anti-forgery tokens, and TempData encryption, the potential attack surface is significant. Applications that handle user sessions or protected payloads without upgrading are at risk of privilege escalation attacks.

Microsoft strongly urges all developers and organizations running affected versions to update the Microsoft.AspNetCore.DataProtection package to version 10.0.7 immediately.

The updated SDK and runtime are available for download at the official .NET 10.0 download page. After installation, administrators should:

  • Run dotnet --info to confirm the runtime version reflects 10.0.7.
  • Rebuild and redeploy all applications against the 10.0.7 package and container images. Self-contained and single-file deployments carry their own copy of the runtime, so they pick up the fix only when rebuilt, not when the machine-wide runtime is updated.
  • Review Linux package installation guidance for server deployments.
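An added inventory check, not Microsoft's tooling, that performs the version verification from the steps above programmatically: it parses `dotnet --list-runtimes` output for Microsoft.AspNetCore.App builds in the affected range (the shared framework ships the Data Protection assembly) and scans project files for a direct PackageReference, or a central-package-management PackageVersion, to Microsoft.AspNetCore.DataProtection below 10.0.7. The package name and affected range come from the advisory as reported above; the sample runtime listing and project XML are constructed, and counting a 10.0.x pre-release as affected is a conservative assumption.

```python
from __future__ import annotations

import re
import subprocess
import sys
from pathlib import Path
from xml.etree import ElementTree as ET

PACKAGE = "Microsoft.AspNetCore.DataProtection"
SHARED_FRAMEWORK = "Microsoft.AspNetCore.App"  # shared framework that carries the assembly
AFFECTED_MIN = (10, 0, 0)
FIXED = (10, 0, 7)

SAMPLE_LISTING = (  # constructed, in the format `dotnet --list-runtimes` prints
    "Microsoft.AspNetCore.App 10.0.6 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]\n"
    "Microsoft.NETCore.App 10.0.6 [/usr/share/dotnet/shared/Microsoft.NETCore.App]\n"
)
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="10.0.5" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""  # constructed project file


def parse_version(text: str) -> tuple[int, int, int]:
    """Leading major.minor.patch; a pre-release suffix such as '-rc.1' is ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_affected(version: str) -> bool:
    """True for 10.0.0 <= version < 10.0.7 (assumption: pre-releases in range count too)."""
    return AFFECTED_MIN <= parse_version(version) < FIXED


def affected_runtimes(listing: str) -> list[str]:
    """Affected Microsoft.AspNetCore.App versions in `dotnet --list-runtimes` output."""
    hits = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == SHARED_FRAMEWORK and is_affected(parts[1]):
            hits.append(parts[1])
    return hits


def affected_package_refs(xml_text: str) -> list[str]:
    """Affected versions of the package referenced in a .csproj or Directory.Packages.props."""
    root = ET.fromstring(xml_text)
    hits = []
    for elem in root.iter():
        if elem.tag not in ("PackageReference", "PackageVersion"):
            continue
        if PACKAGE not in (elem.get("Include"), elem.get("Update")):
            continue
        version = elem.get("Version") or elem.findtext("Version") or ""
        if version and is_affected(version):
            hits.append(version)
    return hits


def scan_tree(root_dir: Path) -> dict[str, list[str]]:
    """Map each project/props file under root_dir to the affected versions it references."""
    findings: dict[str, list[str]] = {}
    for path in list(root_dir.rglob("*.csproj")) + list(root_dir.rglob("Directory.Packages.props")):
        try:
            hits = affected_package_refs(path.read_text(encoding="utf-8"))
        except ET.ParseError:
            continue
        if hits:
            findings[str(path)] = hits
    return findings


def demo() -> tuple[list[str], list[str]]:
    """Run both checks over the constructed samples."""
    return affected_runtimes(SAMPLE_LISTING), affected_package_refs(SAMPLE_CSPROJ)


if __name__ == "__main__":
    try:
        proc = subprocess.run(["dotnet", "--list-runtimes"], capture_output=True, text=True, check=True)
        print("affected shared frameworks:", affected_runtimes(proc.stdout) or "none")
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print("could not run dotnet, using constructed sample:", exc, file=sys.stderr)
        print("affected shared frameworks (sample):", demo()[0])
    for path, versions in scan_tree(Path(sys.argv[1] if len(sys.argv) > 1 else ".")).items():
        print(f"{path}: {PACKAGE} {', '.join(versions)}")
```

Run it from a repository root (or pass the path as the first argument) on each build and deployment host. A clean runtime listing is not sufficient on its own: a project that pins the package explicitly, or a self-contained publish, carries its own copy and must be rebuilt against 10.0.7.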

Container images have also been updated and are available via the Microsoft Container Registry. Known issues for the 10.0 release train are documented in the official .NET Core GitHub repository.

This emergency patch follows a pattern of Microsoft accelerating security fixes outside its regular Patch Tuesday cycle when critical regressions are discovered.

The April 2026 Patch Tuesday itself addressed several privilege escalation flaws across Microsoft's product portfolio, underscoring an active threat landscape for Windows and .NET ecosystems. Developers are advised to enable automated dependency-update alerting, such as NuGet's built-in vulnerability auditing during package restore, so that future OOB releases are caught promptly.


The post Microsoft Emergency .NET 10.0.7 Update to Patch Elevation of Privilege Vulnerability appeared first on Cyber Security News.
