7 Critical Facts About the .NET 10.0.7 Out-of-Band Security Update

<p>In an unexpected move, the .NET team has released version 10.0.7 as an out-of-band (OOB) update to address a pressing security flaw. This update targets a critical issue in the <em>Microsoft.AspNetCore.DataProtection</em> package that not only broke decryption for some users but also exposed a potential elevation-of-privilege vulnerability. Here are seven essential facts you need to know about this urgent release.</p> <h2 id="item1">1. What Triggered the Out-of-Band Update?</h2> <p>Shortly after the scheduled .NET 10.0.6 release (Patch Tuesday), developers began reporting that decryption was failing in their ASP.NET Core applications. The issue was tracked in <strong>aspnetcore issue #66335</strong>, and during the investigation, the .NET team discovered that the regression itself masked a more serious security hole. This prompted an immediate OOB patch—version 10.0.7—to fix both the decryption failures and the underlying vulnerability.</p><figure style="margin:20px 0"><img src="https://devblogs.microsoft.com/dotnet/wp-content/uploads/sites/10/2026/04/thumbnail-1776800944887.webp" alt="7 Critical Facts About the .NET 10.0.7 Out-of-Band Security Update" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: devblogs.microsoft.com</figcaption></figure> <h2 id="item2">2. Which Package Is Affected?</h2> <p>The vulnerability resides in the <em>Microsoft.AspNetCore.DataProtection</em> NuGet package. Specifically, it impacts versions <strong>10.0.0 through 10.0.6</strong>. The package is widely used to protect sensitive data like authentication tokens, cookies, and encryption keys. If your application relies on ASP.NET Core Data Protection, this update is mandatory.</p> <h2 id="item3">3. What Is the Vulnerability (CVE-2026-40372)?</h2> <p>The security flaw, assigned <strong>CVE-2026-40372</strong>, lies in the managed authenticated encryptor. 
In vulnerable versions, the encryptor could compute its <strong>HMAC validation tag</strong> over the wrong bytes of the payload. Worse, it then discards the computed hash entirely. This oversight can allow an attacker to forge signatures, leading to potential <strong>elevation of privilege</strong>. No public exploits have been reported, but the risk is real.</p> <h2 id="item4">4. How Does the Regression Affect You?</h2> <p>Users who upgraded to .NET 10.0.6 observed decryption failures—causing authentication cookies, anti-forgery tokens, and other protected payloads to become unreadable. This alone disrupted many applications. However, the regression also served as a canary, alerting the team to the deeper HMAC computation error. The 10.0.7 update resolves both the decryption issue and the security bug, so you can resume normal operations immediately.</p> <h2 id="item5">5. Which Products and Runtimes Are Included?</h2> <p>.NET 10.0.7 covers the <strong>SDK, Runtime, and ASP.NET Core</strong> packages. The fix targets the <em>Microsoft.AspNetCore.DataProtection</em> library specifically, but updating the entire SDK or runtime ensures all components are synchronized. You can download the updated binaries from the official .NET website, and container images are also available for Docker deployments.</p><figure style="margin:20px 0"><img src="https://uhf.microsoft.com/images/microsoft/RE1Mu3b.png" alt="7 Critical Facts About the .NET 10.0.7 Out-of-Band Security Update" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: devblogs.microsoft.com</figcaption></figure> <h2 id="item6">6. 
How to Install and Verify the Update</h2> <p>Follow these steps to apply the security update:</p> <ol> <li>Download and install the <strong>.NET 10.0.7 SDK</strong> or <strong>Runtime</strong> from the official download page.</li> <li>Verify the installation by running <code>dotnet --info</code> — confirm the version displays <strong>10.0.7</strong>.</li> <li>Rebuild your application and redeploy using the updated packages or container images.</li> </ol> <p>If you use NuGet packages, update <em>Microsoft.AspNetCore.DataProtection</em> to version <strong>10.0.7</strong> directly. For Docker users, pull the <code>mcr.microsoft.com/dotnet/aspnet:10.0.7</code> image.</p> <h2 id="item7">7. Where to Report Issues and Get Support</h2> <p>After upgrading, monitor your application for any unusual behavior. If you encounter problems related to this release, the .NET team encourages you to <strong>share your feedback</strong> in the <a href="https://github.com/dotnet/core/issues">.NET release feedback issues</a> on GitHub. The team is actively monitoring reports and will provide support for any residual issues.</p> <p><strong>Conclusion</strong><br /> The .NET 10.0.7 out-of-band update is a critical patch that fixes both a decryption regression and a security vulnerability (CVE-2026-40372). If you are running ASP.NET Core with Data Protection, update to version 10.0.7 immediately to protect your applications. Stay tuned for the official release notes and future Patch Tuesday updates.</p>
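<p>As an added example (not code from the original post or from the .NET team), the following POSIX shell script turns the verification step in section 6 into a repeatable check: it flags <code>Microsoft.AspNetCore.App</code> shared runtimes and direct <code>Microsoft.AspNetCore.DataProtection</code> package references that are still in the affected 10.0.0 through 10.0.6 range. The runtime listing and project file it scans are constructed samples; the attribute order <code>Include</code> then <code>Version</code> is an assumption.</p>

```shell
#!/bin/sh
# Added example, not code from the original post or from the .NET team: audit a host and a
# project file for the affected range (10.0.0 through 10.0.6) named in the article.
# Succeeds (exit 0) when the version string is one of 10.0.0 .. 10.0.6.
is_vulnerable_version() {
  case "$1" in
    10.0.[0-6]) return 0 ;;
    *) return 1 ;;
  esac
}

# Scan `dotnet --list-runtimes` output (passed as $1) for affected shared runtimes.
find_vulnerable_runtimes() {
  printf '%s\n' "$1" | while IFS=' ' read -r name ver _rest; do
    [ "$name" = "Microsoft.AspNetCore.App" ] || continue
    if is_vulnerable_version "$ver"; then
      printf 'VULNERABLE runtime: %s %s\n' "$name" "$ver"
    fi
  done
}

# Scan project-file text (passed as $1) for a direct reference to the affected package;
# assumes the conventional attribute order Include="..." Version="...".
find_vulnerable_package_refs() {
  printf '%s\n' "$1" \
    | grep -o 'Include="Microsoft.AspNetCore.DataProtection"[^>]*Version="[^"]*"' \
    | sed 's/.*Version="\([^"]*\)".*/\1/' \
    | while IFS= read -r ver; do
        if is_vulnerable_version "$ver"; then
          printf 'VULNERABLE package: Microsoft.AspNetCore.DataProtection %s\n' "$ver"
        fi
      done
}

# Constructed sample inputs (not captured from a real machine).
SAMPLE_RUNTIMES='Microsoft.NETCore.App 10.0.6 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.AspNetCore.App 10.0.3 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 10.0.6 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 10.0.7 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]'
SAMPLE_CSPROJ='<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="10.0.6" />
    <PackageReference Include="Microsoft.AspNetCore.DataProtection.Abstractions" Version="10.0.7" />
  </ItemGroup>
</Project>'

# On a real host, pass "$(dotnet --list-runtimes)" and "$(cat MyApp.csproj)" instead.
find_vulnerable_runtimes "$SAMPLE_RUNTIMES"
find_vulnerable_package_refs "$SAMPLE_CSPROJ"
```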