Emergency ASP.NET Patch

Published by The Daily Scout

What happened

- Microsoft pushed out emergency, out-of-band updates to fix a critical ASP.NET Core privilege-escalation vulnerability.
- The flaw specifically affected the Microsoft.AspNetCore.DataProtection NuGet package and could elevate privileges if unpatched.
- Administrators were advised to apply the fixes quickly because transitive framework packages pose active operational risk (bleepingcomputer.com).

Why it matters

ASP.NET Core apps that use Microsoft’s Data Protection component need a fast rebuild and patch after Microsoft shipped an emergency .NET 10.0.7 fix on April 21. (devblogs.microsoft.com)

Data Protection is the part of ASP.NET Core that seals things like authentication cookies and tokens so a server can tell whether a user’s data was forged or changed. Microsoft’s documentation describes it as the framework’s built-in cryptographic system for protecting sensitive web app data. (learn.microsoft.com)

The bug sits in the Microsoft.AspNetCore.DataProtection NuGet package, where versions 10.0.0 through 10.0.6 could calculate an HMAC integrity check over the wrong bytes and then discard the result. Because that integrity check is what lets the server detect a forged or altered payload, a check that is computed but never enforced leaves tampering undetected, and Microsoft said the flaw could lead to elevation of privilege. (devblogs.microsoft.com)

Microsoft traced the problem after customers reported decryption failures following the regular Patch Tuesday .NET 10.0.6 release. The company then issued the out-of-band 10.0.7 update outside its normal monthly cycle. (devblogs.microsoft.com)

This is not just a “run Windows Update” story. Microsoft said applications using ASP.NET Core Data Protection should update the package to 10.0.7, then rebuild and redeploy with updated images or packages. (devblogs.microsoft.com) That extra step matters because NuGet packages often arrive indirectly, pulled in by other framework dependencies rather than added by hand. Security teams can miss those transitive packages if they only check top-level application code. (bleepingcomputer.com)

On Windows, Microsoft Support says the April 21, 2026 .NET 10.0 update is available through Microsoft Update, Windows Server Update Services, and the Microsoft Update Catalog. The company also said installing 10.0.7 removes 10.0.6 from the machine. (support.microsoft.com)

Administrators can verify the runtime version with `dotnet --info`, but Microsoft’s guidance goes further: patched runtimes alone are not enough if the application still ships the vulnerable package. The company’s closing instruction was direct: update to 10.0.7 “as soon as possible.” (devblogs.microsoft.com)
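An added example, not from Microsoft’s post or the cited articles: a Python check that scans the `libraries` map of a restored project’s `obj/project.assets.json`, where every resolved package (transitive ones included) appears keyed `Name/Version` even when it is absent from the `.csproj`, and flags Microsoft.AspNetCore.DataProtection at 10.0.0 through 10.0.6. The sample JSON is constructed; the file path and the `find_vulnerable` helper name are this example’s own choices.

```python
import json
import sys
from typing import List, Tuple

# Constructed sample of obj/project.assets.json (not a real project's file).
# "libraries" is keyed "PackageName/Version"; a package pulled in transitively
# by another framework dependency is listed here even though the .csproj never names it.
SAMPLE_ASSETS = json.dumps({
    "version": 3,
    "targets": {"net10.0": {}},
    "libraries": {
        "Microsoft.AspNetCore.DataProtection/10.0.5": {"type": "package"},
        "Microsoft.AspNetCore.DataProtection.Abstractions/10.0.5": {"type": "package"},
        "Microsoft.Extensions.Logging/10.0.5": {"type": "package"},
        "MyCompany.Internal/1.2.0": {"type": "project"},
    },
})

# Range Microsoft named as affected: 10.0.0 through 10.0.6; 10.0.7 carries the fix.
AFFECTED_PACKAGE = "Microsoft.AspNetCore.DataProtection"
FIRST_BAD = (10, 0, 0)
FIRST_FIXED = (10, 0, 7)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '10.0.5' (or a prerelease such as '10.0.5-preview.1') into a comparable tuple."""
    core = text.split("-", 1)[0]           # drop any prerelease label
    return tuple(int(part) for part in core.split("."))


def find_vulnerable(assets_json: str) -> List[str]:
    """Return the 'Name/Version' keys of the affected package that fall in the bad range."""
    assets = json.loads(assets_json)
    hits = []
    for key, meta in assets.get("libraries", {}).items():
        if meta.get("type") != "package":   # skip project references
            continue
        name, _, version = key.partition("/")
        if name.lower() != AFFECTED_PACKAGE.lower():   # NuGet IDs are case-insensitive
            continue
        if FIRST_BAD <= parse_version(version) < FIRST_FIXED:
            hits.append(key)
    return hits


if __name__ == "__main__":
    # Usage: python check_dataprotection.py [path/to/obj/project.assets.json]
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ASSETS
    for hit in find_vulnerable(data):
        print(f"affected package resolved: {hit} (update to {AFFECTED_PACKAGE} 10.0.7, rebuild, redeploy)")
```

Run it against each restored project or container build context; a patched runtime reported by `dotnet --info` does not change what this file says the application itself ships.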


