Urgent .NET 10.0.7 Security Patch: Everything You Need to Know

From Moocchen, the free encyclopedia of technology

Microsoft has released .NET 10.0.7 as an out-of-band (OOB) update to address a critical security issue discovered in the Microsoft.AspNetCore.DataProtection package. This update fixes CVE-2026-40372, a vulnerability that could allow an attacker to gain elevated privileges. The release also resolves a decryption regression reported by customers after the Patch Tuesday update. Below, we answer the most important questions about this urgent patch.

What is the .NET 10.0.7 out-of-band update and why was it released?

An out-of-band update is a security release that arrives outside the regular monthly Patch Tuesday schedule. .NET 10.0.7 was issued urgently to fix a security vulnerability (CVE-2026-40372) in the Microsoft.AspNetCore.DataProtection NuGet package. The vulnerability could allow an attacker to perform an elevation of privilege attack. Additionally, this update resolves a decryption regression that was introduced in the previous 10.0.6 release—users reported that decryption was failing in their applications (issue #66335). Because both the security flaw and the regression posed immediate risks, Microsoft moved quickly to provide a fix outside the normal cycle.

Source: devblogs.microsoft.com

What specific security vulnerability does CVE-2026-40372 address?

CVE-2026-40372 affects the managed authenticated encryptor within Microsoft.AspNetCore.DataProtection. In affected versions (10.0.0 through 10.0.6), the encryptor could compute its HMAC validation tag over the wrong bytes of the payload and then discard the computed hash. This flaw means that an attacker could potentially submit a tampered payload that bypasses authentication checks, leading to elevation of privilege. The vulnerability is rated as important, and Microsoft encourages all users of ASP.NET Core Data Protection to upgrade immediately to 10.0.7 to eliminate the risk.
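The failure mode described above, shown as an added example rather than the Data Protection library's own code: a minimal encrypt-then-MAC scheme laid out as IV || ciphertext || tag, with a correct receiver that recomputes the tag over the authenticated bytes and compares it in constant time, beside a flawed receiver that computes the tag over the wrong bytes and discards the result. The stream cipher is a toy built from HMAC-SHA256 so the block runs on the standard library; the keys and the sample payload are constructed. The tamper survey at the end is the kind of regression test that catches a skipped validation step: a sound authenticated encryptor rejects every single-bit modification, the flawed one rejects none.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional, Tuple

# Constructed demo keys; a real deployment derives these from a key ring.
ENC_KEY = b"\x01" * 32
MAC_KEY = b"\x02" * 32
IV_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output length


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode). It stands in for the
    real block cipher; the authentication step is what this example is about."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(plaintext: bytes, iv: Optional[bytes] = None) -> bytes:
    """Encrypt-then-MAC. Payload layout: IV || ciphertext || tag. The tag
    covers every byte the receiver will act on, i.e. the IV and the ciphertext."""
    iv = os.urandom(IV_LEN) if iv is None else iv
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(ENC_KEY, iv, len(plaintext))))
    tag = hmac.new(MAC_KEY, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag


def _split(payload: bytes) -> Tuple[bytes, bytes, bytes]:
    if len(payload) < IV_LEN + TAG_LEN:
        raise ValueError("payload too short")
    return payload[:IV_LEN], payload[IV_LEN:-TAG_LEN], payload[-TAG_LEN:]


def decrypt_checked(payload: bytes) -> bytes:
    """Correct receiver: recompute the tag over exactly the bytes the sender
    authenticated and compare in constant time before decrypting anything."""
    iv, ct, tag = _split(payload)
    expected = hmac.new(MAC_KEY, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(ENC_KEY, iv, len(ct))))


def decrypt_unchecked(payload: bytes) -> bytes:
    """Flawed receiver modelled on the behaviour the advisory describes: the
    tag is computed over the wrong bytes (ciphertext only, IV left out) and the
    result is then discarded, so no comparison ever gates decryption."""
    iv, ct, _tag = _split(payload)
    _ = hmac.new(MAC_KEY, ct, hashlib.sha256).digest()  # computed, never compared
    return bytes(c ^ k for c, k in zip(ct, _keystream(ENC_KEY, iv, len(ct))))


def tamper_survey(decrypt_fn: Callable[[bytes], bytes], payload: bytes) -> Tuple[int, int]:
    """Flip one bit in each byte of the payload in turn and count how many of
    the modified payloads the receiver rejects versus accepts. A sound
    authenticated encryptor rejects all of them."""
    rejected = accepted = 0
    for i in range(len(payload)):
        mutated = bytearray(payload)
        mutated[i] ^= 0x01
        try:
            decrypt_fn(bytes(mutated))
            accepted += 1
        except ValueError:
            rejected += 1
    return rejected, accepted


if __name__ == "__main__":
    # Constructed sample: the kind of role-bearing plaintext a cookie might carry.
    payload = encrypt(b"role=user;uid=42")
    print("round trip:", decrypt_checked(payload))
    print("checked   (rejected, accepted):", tamper_survey(decrypt_checked, payload))
    print("unchecked (rejected, accepted):", tamper_survey(decrypt_unchecked, payload))
```

The survey is cheap to keep in a test suite: it exercises the IV, the ciphertext and the tag region alike, so a change that moves the tag computation onto the wrong slice, or drops the comparison, fails the build instead of reaching production.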

How did the decryption regression lead to the discovery of the vulnerability?

After the Patch Tuesday .NET 10.0.6 release, customers began reporting decryption failures in their applications. They opened issue #66335 on the ASP.NET Core GitHub repository. While investigating these reports, Microsoft engineers discovered that the regression was caused by a deeper flaw in how the Data Protection library handled authenticated encryption. Further analysis revealed that the same code change that broke decryption also exposed a security vulnerability. This chain of events—user reports leading to a security investigation—meant that the fix needed to address both the regression and the privilege escalation issue, resulting in the 10.0.7 OOB release.

Which versions and packages are affected by this issue?

All versions of the Microsoft.AspNetCore.DataProtection NuGet package from 10.0.0 up to and including 10.0.6 are affected by the vulnerability and the decryption regression. This includes applications that use ASP.NET Core Data Protection for encrypting cookies, tokens, or other sensitive data. If your project references any version in that range, you must upgrade to 10.0.7 immediately. The fix is delivered as a single package update; no additional code changes are required. See the installation guidance below for steps.

What should developers do to protect their applications?

To remediate the vulnerability and fix the decryption regression, follow these steps:

  1. Update the NuGet package: Upgrade Microsoft.AspNetCore.DataProtection to version 10.0.7 in your project. You can do this via the NuGet Package Manager or by editing your .csproj file.
  2. Download the SDK or Runtime: Install the .NET 10.0.7 SDK or Runtime from the official download page. Use the provided binaries or container images.
  3. Verify the installation: Run dotnet --info in your terminal and confirm the output shows 10.0.7.
  4. Rebuild and redeploy: Rebuild your applications using the updated packages and redeploy to all environments.

Failure to update may leave your application exposed to elevation of privilege attacks and cause persistent decryption errors.

How can users verify they have installed the correct update?

After updating, you can confirm the correct patch version in a few ways:

  • Check installed SDK/Runtime: Run dotnet --info in a command prompt. Look for the .NET SDK and .NET Runtime version numbers. They should show 10.0.7.
  • Inspect project references: Open your project file and verify that the Microsoft.AspNetCore.DataProtection package reference points to 10.0.7.
  • Test decryption: If your application previously displayed decryption failures, attempt to access the affected functionality. Successful decryption indicates the regression is fixed.

If you still encounter issues, refer to the feedback section to report problems.
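A check that covers both the remediation steps and the verification list above, added here as an example and not part of Microsoft's tooling: it parses the runtime listing from a captured dotnet --info dump (the same line format dotnet --list-runtimes prints), reads the PackageReference entries of a .csproj, flags anything still in the affected 10.0.0 to 10.0.6 range, and rewrites the Data Protection package reference to 10.0.7. The dotnet --info excerpt and the project file are constructed samples; the rewrite assumes the Include attribute precedes Version in the PackageReference element, and only the runtime section of dotnet --info is parsed.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

PACKAGE = "Microsoft.AspNetCore.DataProtection"
AFFECTED_MIN = (10, 0, 0)  # affected range per the advisory: 10.0.0 .. 10.0.6
FIXED = (10, 0, 7)         # first fixed version

# Constructed sample of the runtime section of `dotnet --info`; one runtime
# is still on 10.0.6.
SAMPLE_DOTNET_INFO = """\
.NET runtimes installed:
  Microsoft.AspNetCore.App 10.0.6 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
  Microsoft.NETCore.App 10.0.7 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""

# Constructed sample project file that still pins the affected package version.
SAMPLE_CSPROJ = """\
<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="10.0.6" />
    <PackageReference Include="Microsoft.Extensions.Logging" Version="10.0.6" />
  </ItemGroup>
</Project>
"""

RUNTIME_RE = re.compile(r"^\s*(Microsoft\.\w+\.App)\s+(\S+)\s+\[", re.MULTILINE)
# Assumes Include comes before Version inside the element (the usual layout).
PKG_RE = re.compile(
    r'(<PackageReference\s+Include="' + re.escape(PACKAGE) + r'"[^>]*\bVersion=")[^"]*(")'
)


def parse_version(text: str) -> Tuple[int, ...]:
    """'10.0.7' -> (10, 0, 7); a pre-release suffix such as '-preview.1' is dropped."""
    core = text.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version: str) -> bool:
    return AFFECTED_MIN <= parse_version(version) < FIXED


def installed_runtimes(info_text: str) -> Dict[str, List[str]]:
    """Map runtime name -> versions found in the dotnet --info runtime section."""
    found: Dict[str, List[str]] = {}
    for name, version in RUNTIME_RE.findall(info_text):
        found.setdefault(name, []).append(version)
    return found


def package_versions(csproj_xml: str) -> List[Optional[str]]:
    """Version attribute of every PackageReference to the affected package
    (None when the version comes from central package management instead)."""
    root = ET.fromstring(csproj_xml)
    return [el.get("Version") for el in root.iter("PackageReference") if el.get("Include") == PACKAGE]


def bump_package(csproj_xml: str, target: str = "10.0.7") -> str:
    """Rewrite the affected package's Version attribute as a text edit so the
    rest of the project file's formatting survives untouched."""
    return PKG_RE.sub(lambda m: m.group(1) + target + m.group(2), csproj_xml)


def audit(info_text: str, csproj_xml: str) -> List[str]:
    """Findings that still need action before the project is on the fixed version."""
    findings: List[str] = []
    for name, versions in installed_runtimes(info_text).items():
        for v in versions:
            if is_affected(v):
                findings.append(f"runtime {name} {v} is in the affected range")
    for v in package_versions(csproj_xml):
        if v is None:
            findings.append(f"{PACKAGE} has no Version attribute; check Directory.Packages.props")
        elif is_affected(v):
            findings.append(f"{PACKAGE} {v} is in the affected range; upgrade to 10.0.7")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_DOTNET_INFO, SAMPLE_CSPROJ):
        print("FINDING:", line)
    print(bump_package(SAMPLE_CSPROJ))
```

Comparing parsed version tuples rather than strings matters for the "confirm the output shows 10.0.7" step: a later servicing release such as 10.0.10 is also fixed, and a plain string comparison would misreport it.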

Where can developers report issues or provide feedback after updating?

Microsoft encourages all users to share their experiences with the .NET 10.0.7 update. If you encounter any problems after installing the patch—whether they are new issues or residual effects of the decryption regression—please report them in the .NET release feedback issues repository on GitHub. This feedback helps Microsoft quickly identify and address any unforeseen side effects. You can also contribute to the discussion on the original issue (#66335) if your problem relates to the decryption regression. For general questions, the .NET Blog post and official Release Notes provide additional context. Your reports are vital to maintaining the stability and security of the .NET ecosystem.