7 Critical Facts About the .NET 10.0.7 Security Update You Must Know

2026-05-03 06:47:52

On [date], Microsoft released an out-of-band (OOB) update for .NET 10.0.7—a patch that addresses a critical security vulnerability in the ASP.NET Core Data Protection library. This update is not part of the regular monthly cumulative update cycle, signaling the severity of the issue. If you use ASP.NET Core Data Protection in your applications, here are seven essential facts you need to understand about this release, including the underlying flaw, how it was discovered, and the steps you must take to secure your systems.

1. What Is the .NET 10.0.7 Out-of-Band Update?

An out-of-band (OOB) update is a security patch released outside the normal monthly schedule—typically reserved for vulnerabilities that pose an immediate risk. The .NET 10.0.7 OOB update targets a flaw in the Microsoft.AspNetCore.DataProtection NuGet package. While the .NET team had already shipped version 10.0.6 on Patch Tuesday, reports of decryption failures led to a deeper investigation. That investigation uncovered a security regression that could allow an attacker to elevate privileges in applications using Data Protection. This OOB release fixes both the decryption error and the underlying vulnerability, making it a must-install for affected users.

7 Critical Facts About the .NET 10.0.7 Security Update You Must Know
Source: devblogs.microsoft.com

2. The Security Vulnerability: CVE-2026-40372

The vulnerability tracked as CVE-2026-40372 affects versions 10.0.0 through 10.0.6 of the Data Protection package. According to Microsoft, the flaw exists in the managed authenticated encryptor—the component responsible for encrypting and authenticating payloads. Under certain conditions, the HMAC (Hash-based Message Authentication Code) validation tag is computed over the wrong bytes of the payload. Even worse, the computed hash is then discarded, meaning the validation check is essentially bypassed. This opens the door to an elevation of privilege attack, where an unauthenticated user could tamper with encrypted data and potentially gain unauthorized access to protected resources.

3. The Decryption Regression That Led to Discovery

Interestingly, the security flaw was not found during routine testing. Instead, it was discovered after the .NET 10.0.6 release, when customers started reporting decryption failures in their applications. These reports were filed in the ASP.NET Core GitHub repository under issue #66335. As the team investigated the cause of the failed decryptions, they realized the regression also exposed a more serious problem: the HMAC validation bug. This is a classic case where a seemingly minor issue—applications unable to decrypt data—uncovered a hidden security vulnerability. The fix in 10.0.7 resolves both the regression and the CVE, restoring correct decryption and closing the security loophole.

4. How the Vulnerability Works: HMAC Over Wrong Bytes

To understand the risk, it helps to know how ASP.NET Core Data Protection works. The library uses an authenticated encryption scheme, typically AES-CBC for encryption and HMAC for integrity verification. The HMAC tag ensures that the ciphertext has not been tampered with. In the flawed implementation, the HMAC was computed over an incorrect set of bytes—probably due to an off-by-one error or misaligned buffer handling. Moreover, the code then discarded the computed hash instead of comparing it. This means an attacker could modify the encrypted payload, and the system would not detect the change because the validation step was effectively skipped. The result: elevation of privilege if the attacker can craft a payload that decrypts to a different, more privileged state.
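The encrypt-then-MAC construction that sections 2 and 4 describe, as an added example that is not code from the article, from the Data Protection library or from the .NET team. It uses .NET's own AES-CBC and HMACSHA256 primitives, places a correct verifier (recompute the tag over IV and ciphertext, compare in constant time, only then decrypt) beside a deliberately broken one that reproduces the described failure mode (tag computed over the wrong byte range, result discarded and never compared), and shows what each does with a payload whose IV has been altered. The payload layout, the method names Protect, TryUnprotect and TryUnprotectBroken and the sample plaintext are all assumptions constructed for the demonstration.

```csharp
// Added example, not code from the Data Protection library or the .NET team.
// Construction: AES-CBC for confidentiality, HMACSHA256 over IV || ciphertext
// for integrity ("encrypt-then-MAC"). Names and layout are assumptions.
using System;
using System.Security.Cryptography;
using System.Text;

public static class EncryptThenMacDemo
{
    private const int IvSize = 16;  // AES block size in bytes
    private const int TagSize = 32; // HMACSHA256 output size in bytes

    // Payload layout: IV || ciphertext || HMACSHA256(macKey, IV || ciphertext)
    public static byte[] Protect(byte[] encKey, byte[] macKey, byte[] plaintext)
    {
        using var aes = Aes.Create();
        aes.Key = encKey;
        byte[] iv = RandomNumberGenerator.GetBytes(IvSize);
        byte[] ciphertext = aes.EncryptCbc(plaintext, iv, PaddingMode.PKCS7);

        byte[] payload = new byte[IvSize + ciphertext.Length + TagSize];
        iv.CopyTo(payload, 0);
        ciphertext.CopyTo(payload, IvSize);
        int macLen = IvSize + ciphertext.Length;
        // The tag must cover every byte a sender did not intend to be changeable: IV and ciphertext.
        HMACSHA256.HashData(macKey, payload.AsSpan(0, macLen), payload.AsSpan(macLen, TagSize));
        return payload;
    }

    // Correct verifier: recompute the tag over IV || ciphertext, compare it in
    // constant time, and decrypt only after the comparison succeeds.
    public static bool TryUnprotect(byte[] encKey, byte[] macKey, byte[] payload, out byte[] plaintext)
    {
        plaintext = Array.Empty<byte>();
        if (payload.Length < IvSize + TagSize) return false;
        int ctLen = payload.Length - IvSize - TagSize;
        int macLen = IvSize + ctLen;

        Span<byte> expected = stackalloc byte[TagSize];
        HMACSHA256.HashData(macKey, payload.AsSpan(0, macLen), expected);
        if (!CryptographicOperations.FixedTimeEquals(expected, payload.AsSpan(macLen, TagSize)))
            return false; // integrity failure: refuse to decrypt at all

        using var aes = Aes.Create();
        aes.Key = encKey;
        try
        {
            plaintext = aes.DecryptCbc(payload.AsSpan(IvSize, ctLen), payload.AsSpan(0, IvSize), PaddingMode.PKCS7);
            return true;
        }
        catch (CryptographicException)
        {
            return false; // bad padding or length
        }
    }

    // Deliberately broken verifier modelling the article's description of the
    // regression: the MAC is computed over the wrong bytes (ciphertext only, the
    // IV is left out) and the result is thrown away instead of being compared.
    public static bool TryUnprotectBroken(byte[] encKey, byte[] macKey, byte[] payload, out byte[] plaintext)
    {
        int ctLen = payload.Length - IvSize - TagSize;
        _ = HMACSHA256.HashData(macKey, payload.AsSpan(IvSize, ctLen)); // computed, never checked
        using var aes = Aes.Create();
        aes.Key = encKey;
        plaintext = aes.DecryptCbc(payload.AsSpan(IvSize, ctLen), payload.AsSpan(0, IvSize), PaddingMode.PKCS7);
        return true; // anything that unpads cleanly is accepted
    }

    public static void Main()
    {
        byte[] encKey = RandomNumberGenerator.GetBytes(32); // AES-256 key
        byte[] macKey = RandomNumberGenerator.GetBytes(32);
        // Constructed sample plaintext: exactly one AES block, so the change below stays inside it.
        byte[] payload = Protect(encKey, macKey, Encoding.ASCII.GetBytes("role=user;uid=42"));

        // Constructed corruption: change one IV byte. In CBC that flips the same
        // bit of the first plaintext block and leaves the PKCS7 padding untouched.
        byte[] tampered = (byte[])payload.Clone();
        tampered[5] ^= (byte)('u' ^ 'a');

        bool accepted = TryUnprotect(encKey, macKey, tampered, out _);
        Console.WriteLine($"correct verifier accepted modified payload: {accepted}");

        TryUnprotectBroken(encKey, macKey, tampered, out byte[] altered);
        Console.WriteLine($"broken verifier returned: {Encoding.ASCII.GetString(altered)}");
    }
}
```

Running this shows the two behaviours side by side: TryUnprotect reports false for the modified payload and never calls the cipher, while TryUnprotectBroken hands back a plaintext in which the sixth byte has silently changed. The point of the FixedTimeEquals comparison is that the tag is both recomputed over exactly the bytes that were authenticated and actually checked; dropping either half of that, as the article says the regression did, leaves the HMAC as dead code.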

5. Who Is Affected and What You Must Do

Any application that uses the Microsoft.AspNetCore.DataProtection NuGet package in versions 10.0.0 through 10.0.6 is vulnerable. This includes applications that rely on ASP.NET Core’s built-in data protection for cookies, antiforgery tokens, or custom encrypted data. If you are using a package version below 10.0.7, you must upgrade immediately. The recommended action is to update the NuGet package reference to 10.0.7 and rebuild your application. For containerized deployments, pull the latest images from Microsoft’s container registry. Failure to update could leave your application open to privilege escalation attacks, especially if an attacker can inject or modify encrypted tokens.


6. How to Install and Verify the Update

Installing the update is straightforward. You can download the .NET 10.0.7 SDK or Runtime from the official .NET download page. After installation, verify the version by running dotnet --info in a terminal—look for version 10.0.7. For NuGet packages, update your project’s Microsoft.AspNetCore.DataProtection reference to 10.0.7 using the NuGet Package Manager or the CLI: dotnet add package Microsoft.AspNetCore.DataProtection --version 10.0.7. If you use Docker, update your base images to the latest dotnet/aspnet:10.0.7 tags. Finally, rebuild and redeploy all affected applications to ensure the fix is active. Test decryption functionality to confirm the regression is resolved.
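A way to check the package-reference half of the procedure above across a whole source tree, as an added example that is not tooling from Microsoft or from the article. It walks a directory, reads every project file and central Directory.Packages.props it finds, and reports each reference to Microsoft.AspNetCore.DataProtection that pins an affected 10.0.0 to 10.0.6 version. The package name and the fixed version 10.0.7 come from the article; the file patterns, the MSBuild element names PackageReference and PackageVersion, and the class and method names are my assumptions. It does not inspect the installed runtime, so dotnet --info (as described above) still has to be checked separately for applications that take Data Protection from the shared framework rather than from a package reference.

```csharp
// Added example, not tooling from Microsoft or the article. Scans a source tree
// for project files that pin Microsoft.AspNetCore.DataProtection to an affected
// version (10.0.0 through 10.0.6, per the article). Names are assumptions.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Xml.Linq;

public static class DataProtectionAudit
{
    private const string Package = "Microsoft.AspNetCore.DataProtection";
    private static readonly Version FirstAffected = new Version(10, 0, 0);
    private static readonly Version Fixed = new Version(10, 0, 7);

    // "AFFECTED" for a plain x.y.z version inside the affected range, "ok" for a
    // plain version outside it, "CHECK" for ranges, wildcards or pre-release
    // strings that System.Version cannot parse and a person must look at.
    public static string Classify(string versionText)
    {
        if (!Version.TryParse(versionText, out Version parsed)) return "CHECK";
        return parsed >= FirstAffected && parsed < Fixed ? "AFFECTED" : "ok";
    }

    // Every reference to the package found under root, with the version it pins.
    // Handles both the Version attribute and a nested <Version> element, and
    // ignores XML namespaces so old-style namespaced project files are covered.
    public static List<(string File, string Version)> FindReferences(string root)
    {
        var found = new List<(string, string)>();
        string[] patterns = { "*.csproj", "*.fsproj", "*.vbproj", "Directory.Packages.props" };
        foreach (string pattern in patterns)
        {
            foreach (string file in Directory.EnumerateFiles(root, pattern, SearchOption.AllDirectories))
            {
                XDocument doc = XDocument.Load(file);
                foreach (XElement el in doc.Descendants())
                {
                    string name = el.Name.LocalName;
                    if (name != "PackageReference" && name != "PackageVersion") continue;
                    string id = (string)el.Attribute("Include") ?? (string)el.Attribute("Update");
                    if (!string.Equals(id, Package, StringComparison.OrdinalIgnoreCase)) continue;
                    string version = (string)el.Attribute("Version")
                        ?? (string)el.Elements().FirstOrDefault(e => e.Name.LocalName == "Version")
                        ?? "(unpinned)";
                    found.Add((file, version));
                }
            }
        }
        return found;
    }

    public static int Main(string[] args)
    {
        string root = args.Length > 0 ? args[0] : Directory.GetCurrentDirectory();
        int affected = 0;
        foreach (var (file, version) in FindReferences(root))
        {
            string verdict = Classify(version);
            if (verdict == "AFFECTED") affected++;
            Console.WriteLine($"{verdict,-8}  {version,-12}  {file}");
        }
        Console.WriteLine($"{affected} reference(s) below {Fixed}");
        return affected == 0 ? 0 : 1; // non-zero exit lets a CI job fail the build
    }
}
```

Run it with the repository root as the only argument; the non-zero exit code is there so the scan can sit in a pipeline and block a build that still carries an affected version, and the CHECK verdict deliberately refuses to guess at floating or range versions rather than report them as safe.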

7. Where to Get Help and Report Issues

Microsoft encourages users to report any problems encountered after installing this update. The .NET team maintains a release feedback issues page on GitHub where you can submit bug reports or ask questions. Additionally, the original regression issue #66335 has been updated with the fix details. For a full list of changes, refer to the .NET 10.0.7 release notes. If you need immediate assistance, Microsoft’s support channels are available for severe cases. Remember, staying current with security updates is a critical part of maintaining the integrity of your applications.

Conclusion: The .NET 10.0.7 out-of-band update addresses a serious security vulnerability that could lead to privilege escalation in applications using ASP.NET Core Data Protection. The flaw stemmed from an HMAC validation bug that discarded the computed hash, allowing an attacker to bypass integrity checks. While the vulnerability was discovered thanks to customer reports of decryption failures, the risk is real and immediate. Follow the installation guidance above to upgrade all affected packages and runtime environments. By taking action now, you protect your applications from potential exploitation. Stay secure and keep your .NET installations up to date.
