5 Critical Facts About the .NET 10.0.7 Out-of-Band Security Patch
<p>If you run .NET 10, you need to know about a newly released out-of-band (OOB) security update: .NET 10.0.7. It fixes a vulnerability in the ASP.NET Core Data Protection library that could let an attacker tamper with protected data and elevate privileges. Microsoft issued the update urgently after customers reported decryption failures following the Patch Tuesday release of .NET 10.0.6. Below are five things every developer should understand about this update: what it fixes, why it matters, and how to apply and verify it.</p>
<h2>1. What Is the .NET 10.0.7 Out-of-Band Update?</h2>
<p>An out-of-band update is one that ships outside the regular monthly Patch Tuesday schedule. Microsoft pushed .NET 10.0.7 specifically to fix a flaw that undermines data protected with ASP.NET Core's Data Protection APIs. OOB updates are rare and signal a high-severity issue. This one also resolves a decryption regression introduced in .NET 10.0.6, which caused authentication failures for some applications. Updating to 10.0.7 therefore closes the security hole and restores the expected decryption behavior at the same time. The problem was reported by customers and confirmed by Microsoft engineers, so the urgency is real: apply this update as soon as possible.</p><figure style="margin:20px 0"><img src="https://devblogs.microsoft.com/dotnet/wp-content/uploads/sites/10/2026/04/thumbnail-1776800944887.webp" alt="5 Critical Facts About the .NET 10.0.7 Out-of-Band Security Patch" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: devblogs.microsoft.com</figcaption></figure>
<h2>2. The Vulnerability: CVE-2026-40372</h2>
<p>The core issue is an elevation-of-privilege vulnerability tracked as CVE-2026-40372. It resides in the managed authenticated encryptor of the <strong>Microsoft.AspNetCore.DataProtection</strong> package. Under certain conditions the encryptor computed its HMAC validation tag over the wrong bytes of the payload and then discarded the result, so the integrity check never actually ran. Encryption alone does not stop tampering: an attacker who can modify a protected payload, such as an authentication cookie or antiforgery token, can change what it decrypts to without the change being detected, which is how a Data Protection bug becomes a privilege escalation. The vulnerability affects all versions from 10.0.0 through 10.0.6. The fix in 10.0.7 computes the HMAC over the correct bytes and actually compares it against the stored tag, closing the gap.</p>
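<p>To make the failure mode concrete, here is an added example (written for this article, not code from the .NET repository or from the Data Protection library) that models an encrypt-then-MAC "protect/unprotect" pair with Python's standard library only. The cipher is a toy HMAC-SHA256 keystream, chosen so the script runs anywhere; the real library uses AES-CBC with HMAC-SHA256 by default, but the point carries over: once the tag is computed and then thrown away, a bit-flipped payload decrypts without error. The cookie layout <code>uid=42;role=guest</code>, the key values and the <code>unprotect_broken</code> function are constructed for the demo and are not the actual defective code.</p>

```python
import hashlib
import hmac
import os
import struct
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode (constructed for this example).
    Any mode whose ciphertext bits map 1:1 onto plaintext bits has the same exposure
    once the integrity check is gone."""
    blocks = []
    for counter in range((length + 31) // 32):
        blocks.append(hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect(enc_key: bytes, mac_key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt-then-MAC: payload = nonce || ciphertext || HMAC(nonce || ciphertext)."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def _split(payload: bytes):
    return payload[:NONCE_LEN], payload[NONCE_LEN:-TAG_LEN], payload[-TAG_LEN:]


def unprotect(enc_key: bytes, mac_key: bytes, payload: bytes) -> bytes:
    """Correct verifier: recompute the tag over exactly the bytes that will be decrypted,
    compare in constant time, and refuse to decrypt on mismatch."""
    nonce, ciphertext, tag = _split(payload)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: payload was modified or keys differ")
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


def unprotect_broken(enc_key: bytes, mac_key: bytes, payload: bytes) -> bytes:
    """Models the defect class the advisory describes (NOT the .NET source): the tag is
    computed over the wrong byte range and the result is thrown away, so no comparison
    ever happens and every payload decrypts."""
    nonce, ciphertext, tag = _split(payload)
    _unused = hmac.new(mac_key, payload, hashlib.sha256).digest()  # wrong input: covers the tag itself
    # ...and no compare_digest() against `tag`: the validation step is a no-op.
    return _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))


def tamper(payload: bytes, known_plaintext: bytes, old: bytes, new: bytes) -> bytes:
    """Attacker step: flip ciphertext bits so that `old` decrypts as `new`.
    Needs only the plaintext layout (e.g. a cookie format), never the keys."""
    if len(old) != len(new):
        raise ValueError("replacement must keep the same length")
    offset = NONCE_LEN + known_plaintext.index(old)
    buf = bytearray(payload)
    for i, (o, n) in enumerate(zip(old, new)):
        buf[offset + i] ^= o ^ n
    return bytes(buf)


def demo(enc_key: bytes, mac_key: bytes, nonce: Optional[bytes] = None) -> dict:
    """Returns what each verifier makes of a forged 'role' claim (constructed cookie layout)."""
    original = b"uid=42;role=guest"
    payload = protect(enc_key, mac_key, original, nonce)
    forged = tamper(payload, original, b"guest", b"admin")
    try:
        unprotect(enc_key, mac_key, forged)
        correct_rejects = False
    except ValueError:
        correct_rejects = True
    return {
        "roundtrip_ok": unprotect(enc_key, mac_key, payload) == original,
        "correct_rejects_forgery": correct_rejects,
        "broken_accepts_as": unprotect_broken(enc_key, mac_key, forged),
    }


if __name__ == "__main__":
    print(demo(os.urandom(32), os.urandom(32)))
```

<p>The correct verifier rejects the forged payload because the recomputed HMAC no longer matches the stored tag; the broken one hands back <code>uid=42;role=admin</code> as if it were genuine. That is the whole gap between "encrypted" and "authenticated": the ciphertext never had to be broken, only edited.</p>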
<h2>3. The Decryption Regression That Exposed It</h2>
<p>After Microsoft released .NET 10.0.6 on Patch Tuesday, several customers reported that their applications began failing during decryption. The reports were tracked as <em>aspnetcore issue #66335</em>. While investigating, Microsoft's security team found that the root cause was not only a regression but also a security vulnerability: the same defective code path, an incorrect HMAC calculation, both broke legitimate decryption and let attackers bypass validation entirely. The bug made the encryption layer unreliable and insecure at once, and that dual nature (operational regression plus security flaw) is why Microsoft acted quickly with an out-of-band fix.</p>
<h2>4. Affected Packages and Versions</h2>
<p>The vulnerable library is <strong>Microsoft.AspNetCore.DataProtection</strong>, versions <strong>10.0.0 to 10.0.6</strong>. Any .NET 10 application that uses ASP.NET Core Data Protection, for example to protect cookies, session state, or other sensitive data, is at risk, whether it uses the default configuration or a custom data protection setup. Even if your app never hit the decryption regression, it may still be vulnerable to the elevation-of-privilege attack. The only safe version is 10.0.7. Keep in mind that Data Protection ships in two ways: as a NuGet package and as part of the Microsoft.AspNetCore.App shared framework. If you reference the package explicitly, update that package reference; if your app runs framework-dependent on the shared framework, updating the installed runtime (or pulling the 10.0.7 Docker images or Linux packages) is what delivers the fix, and self-contained deployments must be rebuilt and redeployed. No earlier 10.0.x release contains the fix, so this specific update is required.</p><figure style="margin:20px 0"><img src="https://uhf.microsoft.com/images/microsoft/RE1Mu3b.png" alt="5 Critical Facts About the .NET 10.0.7 Out-of-Band Security Patch" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: devblogs.microsoft.com</figcaption></figure>
<h2>5. How to Update and Verify Installation</h2>
<p>Follow these steps to apply the update:</p>
<ul>
<li><strong>Download</strong> the .NET 10.0.7 SDK or Runtime from the official <a href="https://dotnet.microsoft.com/download/dotnet/10.0">.NET download page</a>.</li>
<li>After installation, run <code>dotnet --info</code> (or <code>dotnet --list-runtimes</code>) and confirm that the <code>Microsoft.AspNetCore.App</code> runtime <strong>10.0.7</strong> is listed. Restart running applications so they actually load the new runtime.</li>
<li>If your project references <code>Microsoft.AspNetCore.DataProtection</code> as a NuGet package, update the reference to version <strong>10.0.7</strong>; apps that use it only through the shared framework are covered by the runtime update.</li>
<li>Rebuild your application (self-contained deployments bundle the runtime and must be rebuilt to carry the fix) and redeploy using updated container images or Linux packages (note: container images are tagged as <code>10.0.7</code>).</li>
</ul>
<p>After updating, test your application's decryption workflows thoroughly, sign-in and cookie-based authentication in particular, to confirm that both the regression fix and the security fix are in place. If you encounter any issues, report them in the <a href="https://github.com/dotnet/core/issues">.NET release feedback issues</a>. Do not delay the update; your application's security depends on it.</p>
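<p>The verification steps above are easy to script across a fleet. The following added example (written for this article, not a Microsoft tool) checks the two places the vulnerable code can come from: the <code>dotnet --list-runtimes</code> listing for affected <code>Microsoft.AspNetCore.App</code> shared frameworks, and a project file for explicit <code>PackageReference</code> pins to the vulnerable package. The sample listing and sample <code>.csproj</code> are constructed so the script runs offline; the treatment of prerelease versions (flagging anything in the 10.0 band below 10.0.7) is this script's conservative assumption, not a statement from the advisory.</p>

```python
import re
import subprocess
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

FIXED = (10, 0, 7)             # first release carrying the fix, per the advisory
AFFECTED_BAND = (10, 0)        # only .NET 10.0.x is affected
FRAMEWORK = "Microsoft.AspNetCore.App"
PACKAGE = "Microsoft.AspNetCore.DataProtection"

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Leading major.minor.patch of a version string; prerelease suffixes are ignored."""
    m = _VER.match(text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def needs_update(version: str) -> bool:
    """True for 10.0.0 .. 10.0.6. Prerelease builds such as 10.0.0-rc.1 parse as 10.0.0
    and are flagged too: a deliberate, conservative assumption of this script."""
    v = parse_version(version)
    return v is not None and v[:2] == AFFECTED_BAND and v < FIXED


def vulnerable_runtimes(listing: str) -> List[str]:
    """Scan `dotnet --list-runtimes` output ('<name> <version> [<path>]' per line)
    for ASP.NET Core shared frameworks in the affected range."""
    hits = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == FRAMEWORK and needs_update(parts[1]):
            hits.append(parts[1])
    return hits


def vulnerable_package_refs(csproj_xml: str) -> List[str]:
    """Find explicit PackageReference pins to the vulnerable package in a project file."""
    root = ET.fromstring(csproj_xml)
    hits = []
    for ref in root.iter("PackageReference"):
        if ref.get("Include") != PACKAGE:
            continue
        version = ref.get("Version") or ref.findtext("Version") or ""
        if needs_update(version):
            hits.append(version)
    return hits


# Constructed sample output, not captured from a real machine.
SAMPLE_LISTING = """\
Microsoft.AspNetCore.App 8.0.11 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 10.0.6 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 10.0.7 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 10.0.6 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""

# Constructed sample project file with one stale pin and one fixed pin.
SAMPLE_CSPROJ = """\
<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="10.0.5" />
    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="10.0.7" />
  </ItemGroup>
</Project>
"""


def live_listing() -> str:
    """Use the real CLI when present; fall back to the sample so the script runs offline."""
    try:
        return subprocess.run(["dotnet", "--list-runtimes"],
                              capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return SAMPLE_LISTING


if __name__ == "__main__":
    for v in vulnerable_runtimes(live_listing()):
        print(f"{FRAMEWORK} {v} is in the affected range; install 10.0.7 and restart apps")
    for v in vulnerable_package_refs(SAMPLE_CSPROJ):
        print(f"{PACKAGE} pinned at {v}; bump the reference to 10.0.7")
```

<p>Two caveats when reading the output. A stale 10.0.x shared framework sitting beside 10.0.7 is not by itself proof that an app is exposed, because the default roll-forward policy loads the highest installed patch; it is still worth removing so nothing can bind to it. And self-contained deployments never appear in <code>dotnet --list-runtimes</code> on the host at all, so for those the check is the version of the runtime bundled into the published output, which only a rebuild updates.</p>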
<h2>Conclusion</h2>
<p>The .NET 10.0.7 out-of-band security update is a critical release that fixes both a decryption regression and a privilege-escalation vulnerability. By upgrading to 10.0.7, you restore reliable encryption behavior and close a security hole that could be exploited to compromise your data and application. Because the fix is urgent and easy to apply, every .NET 10 developer should prioritize this update. Take a few minutes today to verify and update your environments—your users and your system integrity will thank you.</p>