Microsoft released .NET 10.0.7 on April 21, 2026, as an emergency out-of-band (OOB) security update — an expedited fix issued outside the regular monthly patch cycle. The release addresses a severe vulnerability in the Microsoft.AspNetCore.DataProtection NuGet package, formally tracked as CVE-2026-40372, which carries a CVSS severity score of 9.1 (Critical). The flaw allows an unauthenticated attacker to gain SYSTEM-level privileges, enabling them to read sensitive files, forge authentication cookies, and manipulate secured payloads.

Vulnerability Reference

  CVE ID:          CVE-2026-40372
  Component:       Microsoft.AspNetCore.DataProtection — Managed Authenticated Encryptor HMAC Regression
  CVSS Score:      9.1 / 10.0
  Impact:          Elevation of Privilege (EoP)
  Authentication:  Not Required
  Fixed Version:   10.0.7 (OOB)

How the Regression Was Introduced

The story begins on April 15, 2026 — Patch Tuesday — when Microsoft released .NET 10.0.6 as part of its scheduled monthly security updates. That release addressed multiple privilege escalation vulnerabilities across the .NET ecosystem. However, shortly after the update began rolling out, reports emerged from developers on GitHub’s ASP.NET Core issue tracker (#66335) describing widespread and unexpected application decryption failures in environments that had applied the update.

Microsoft engineers began investigating the decryption regressions and quickly uncovered something far more alarming: the root cause was not merely a functional bug — it was a security-critical regression that had silently introduced an exploitable cryptographic flaw into the Microsoft.AspNetCore.DataProtection component across all .NET 10 releases from version 10.0.0 onward.

“While investigating those reports, we determined that the regression also exposed a vulnerability.”

— Microsoft .NET Blog, April 21, 2026

The Technical Root Cause

The defect resides specifically in the managed authenticated encryptor within the Data Protection stack. In the affected code path, when processing a protected payload, the encryptor was incorrectly computing its HMAC (Hash-based Message Authentication Code) validation tag over the wrong bytes of the payload. Compounding the error, the incorrectly computed hash was then silently discarded rather than used for verification.

In practical terms, this means the cryptographic integrity check — which is supposed to detect any tampering with a protected payload — was effectively bypassed. An attacker who could supply a crafted payload would not trigger the authentication alarm, enabling them to manipulate data that applications assume is protected. This breach of integrity can be leveraged for privilege escalation, granting an attacker SYSTEM-level access on a compromised host.

ℹ What is ASP.NET Core Data Protection?

The Data Protection system in ASP.NET Core is a cryptographic API used widely across web applications for tasks such as encrypting authentication cookies, anti-forgery tokens, and other sensitive session data.

Applications that use IDataProtector, cookie authentication middleware, or any built-in ASP.NET Core component that relies on Data Protection internally are potentially exposed to this vulnerability.

Affected Versions

The vulnerability is present in every release of the Microsoft.AspNetCore.DataProtection NuGet package from the initial .NET 10 release through the most recent Patch Tuesday update. Microsoft has confirmed that all non-Windows operating systems running .NET 10.0.6 are affected. The fixed version is 10.0.7.

.NET Version            Package Version                                      Status
.NET 10.0.0 – 10.0.6    Microsoft.AspNetCore.DataProtection 10.0.0–10.0.6    ⚠ Vulnerable
.NET 10.0.7             Microsoft.AspNetCore.DataProtection 10.0.7           ✔ Fixed
.NET 8 / .NET 9         Earlier major versions                               ✔ Not Affected

What Is .NET 10?

.NET 10 is Microsoft’s cross-platform application development framework, supporting Windows, macOS, Linux, and other operating systems. As an even-numbered release, .NET 10 qualifies as a Long-Term Support (LTS) version, meaning Microsoft commits to a minimum of three years of maintenance and security patches. The framework is used across web, desktop, cloud, mobile, and IoT development scenarios globally.


How to Apply the Fix

Microsoft is urging all developers running ASP.NET Core applications to update their Data Protection package to version 10.0.7 as soon as possible. Below are the recommended steps to resolve both the regression and the security vulnerability:

  1. Open a terminal in your project directory and run:
       dotnet add package Microsoft.AspNetCore.DataProtection --version 10.0.7
  2. Alternatively, update via NuGet Package Manager in Visual Studio by searching for Microsoft.AspNetCore.DataProtection and selecting version 10.0.7.
  3. Rebuild and redeploy your application to staging, then production after verification.
  4. Enable automatic NuGet package update notifications in your CI/CD pipeline to catch future OOB releases promptly.

Developers who experienced decryption failures after installing .NET 10.0.6 should find that the update to 10.0.7 also resolves those functional regressions, as both issues share the same root cause in the managed authenticated encryptor code path.
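The root cause described above (an HMAC tag that is computed over the wrong bytes and then never checked) has a simple observable symptom: a protected payload whose tag bytes have been altered is still unprotected successfully. The following console program is an added verification step for the "rebuild and redeploy after verification" item, not code from Microsoft, the .NET blog, or this article. It assumes a console project on .NET 10 that references the Microsoft.AspNetCore.DataProtection and Microsoft.Extensions.DependencyInjection packages; the application name, purpose string, temporary key directory and sample plaintext are all constructed for the example. It forces the managed encryptor (the code path the regression lives in) on every OS, seals a payload, flips one bit inside the trailing HMAC tag and one inside the ciphertext body, and exits non-zero if either altered payload is accepted.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel;
using Microsoft.Extensions.DependencyInjection;

// Post-update smoke test for the Data Protection integrity check.
// Exit code 0: altered payloads are rejected. Exit code 1: an altered payload was accepted.

// Keys go to a throwaway directory (constructed name) so the test never touches a real key ring.
DirectoryInfo keyDir = Directory.CreateTempSubdirectory("dp-tamper-check-");
try
{
    var services = new ServiceCollection();
    services.AddDataProtection()
        .SetApplicationName("dp-tamper-check")            // constructed application name
        .PersistKeysToFileSystem(keyDir)
        // Pin the managed encryptor (AES-256-CBC + HMACSHA256) explicitly: on Windows the
        // default would otherwise be the CNG encryptor, which is not the affected code path.
        .UseCustomCryptographicAlgorithms(new ManagedAuthenticatedEncryptorConfiguration
        {
            EncryptionAlgorithmType = typeof(Aes),
            EncryptionAlgorithmKeySize = 256,
            ValidationAlgorithmType = typeof(HMACSHA256),
        });

    using ServiceProvider sp = services.BuildServiceProvider();
    IDataProtector protector = sp.GetRequiredService<IDataProtectionProvider>()
                                 .CreateProtector("dp-tamper-check.cookie");  // constructed purpose string

    // Constructed sample standing in for an authentication cookie's plaintext.
    byte[] plaintext = Encoding.UTF8.GetBytes("sub=alice;role=user");
    byte[] protectedBytes = protector.Protect(plaintext);

    // Sanity check: an untouched payload must round-trip before tamper checks mean anything.
    if (!plaintext.AsSpan().SequenceEqual(protector.Unprotect(protectedBytes)))
    {
        Console.Error.WriteLine("FAIL: untampered payload did not round-trip");
        return 1;
    }

    // The managed encryptor appends the HMAC tag after the ciphertext, so the last byte is
    // always inside the tag. Flipping a bit there leaves IV and ciphertext intact: a correct
    // verifier rejects the payload, while a verifier that discards the tag (the behaviour the
    // article describes) would hand back the original plaintext as if nothing happened.
    bool tagRejected = IsRejected(protector, protectedBytes, protectedBytes.Length - 1);

    // Supplementary check: a bit flipped in the ciphertext body must be rejected as well.
    // (For this payload size the midpoint lies past the header, key id, key modifier and IV.)
    bool bodyRejected = IsRejected(protector, protectedBytes, protectedBytes.Length / 2);

    Console.WriteLine($"tag byte altered  -> {(tagRejected ? "rejected" : "ACCEPTED")}");
    Console.WriteLine($"body byte altered -> {(bodyRejected ? "rejected" : "ACCEPTED")}");

    if (tagRejected && bodyRejected)
    {
        Console.WriteLine("PASS: integrity check is enforced on this build");
        return 0;
    }
    Console.Error.WriteLine("FAIL: altered payload accepted; confirm Microsoft.AspNetCore.DataProtection is 10.0.7 or later");
    return 1;
}
finally
{
    keyDir.Delete(recursive: true);
}

// Returns true when Unprotect rejects a copy of the payload with one bit flipped at `index`.
static bool IsRejected(IDataProtector protector, byte[] payload, int index)
{
    byte[] tampered = (byte[])payload.Clone();
    tampered[index] ^= 0x01;
    try
    {
        protector.Unprotect(tampered);
        return false;   // no exception: the alteration went unnoticed
    }
    catch (CryptographicException)
    {
        return true;    // expected outcome: payload rejected
    }
}
```

The tag-byte check is the decisive one: it is the only alteration a correct verifier can detect solely through the HMAC, whereas a flipped ciphertext byte may also fail on CBC padding and so can look "rejected" even on a build that never consults the tag. Run the program as a pipeline gate after updating the package; a non-zero exit means the build should not be promoted to staging or production.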

Broader Context: A Turbulent Patch Cycle

The .NET 10.0.7 OOB update is not the only emergency patch Microsoft has issued in the wake of April 2026’s Patch Tuesday. The company separately released an out-of-band fix for Windows Server systems after the April security update (KB5082063) was found to cause domain controllers to enter reboot loops due to LSASS crashes triggered by Privileged Access Management (PAM) operations in multi-domain forest environments. Security researchers note that these incidents collectively underscore the increasing complexity of testing large-scale security updates across heterogeneous production environments.

The decision to push an OOB release for the .NET vulnerability — rather than waiting for the next Patch Tuesday in May — signals the severity with which Microsoft regards CVE-2026-40372. A CVSS score of 9.1, combined with the ability to achieve SYSTEM privileges without authentication, places this squarely among the most critical .NET vulnerabilities disclosed in recent memory.

📋 Summary

What happened: A regression in .NET 10.0.6 introduced a critical HMAC validation bypass in ASP.NET Core Data Protection, tracked as CVE-2026-40372 (CVSS 9.1).

Impact: Unauthenticated attackers can forge authentication cookies and escalate to SYSTEM privileges. Decryption failures in applications are also caused by the same bug.

Who is affected: All applications using Microsoft.AspNetCore.DataProtection versions 10.0.0–10.0.6, particularly on non-Windows platforms.

Fix: Update to Microsoft.AspNetCore.DataProtection version 10.0.7 immediately.