Emergency ASP.NET patch issued

- Microsoft released an out-of-band update (.NET 10.0.7) to address a critical privilege-escalation bug in ASP.NET Core 10.x.
- The vulnerability is tracked as CVE-2026-40372 and affects ASP.NET Core 10.0.0 through 10.0.6, with potential SYSTEM-level access.
- Security vendors warn that simply patching libraries is insufficient; embedded apps must be rebuilt and tokens/cookies invalidated to remove exposure (infoworld.com).

Microsoft has shipped an emergency .NET 10.0.7 update after a security bug in ASP.NET Core 10.0.0 through 10.0.6 created a path to forged sign-ins and higher system access. (devblogs.microsoft.com) The flaw is tracked as CVE-2026-40372, and Microsoft said it was introduced in the Microsoft.AspNetCore.DataProtection packages included with those releases. The company published the out-of-band fix on April 21, 2026, outside its normal Patch Tuesday cycle. (github.com) (dotnet.microsoft.com)

ASP.NET Core's Data Protection system is the part of the framework that seals and checks sensitive data such as authentication cookies, much like a tamper-evident seal on a package. Microsoft said the regression caused the software to validate cryptographic tags against the wrong bytes in some cases and to discard the computed hash in others. (github.com) That matters because authentication cookies tell a server who a user is after login: if the integrity check can be bypassed, the server will trust a cookie the attacker wrote. Microsoft's advisory said an attacker could forge those cookies, while the company and outside security reports said some protected payloads could also be decrypted. (github.com) (csoonline.com)

The affected code shipped in the April 2026 servicing update, and Microsoft said customer reports first surfaced as decryption failures in applications after .NET 10.0.6 was installed. The company linked those failures to aspnetcore issue #66335 before tracing them to the security defect. (devblogs.microsoft.com)

Microsoft's fix is to move affected systems to .NET 10.0.7 or the matching ASP.NET Core 10.0.7 runtime, including the Windows Hosting Bundle for servers that host ASP.NET Core behind Internet Information Services (IIS). The .NET 10 download page lists April 21, 2026 as the release date of the 10.0.7 security patch. (dotnet.microsoft.com)

Security firms said updating the shared runtime alone does not fully clean up the risk for every deployment. Applications that embed the vulnerable package (for example, self-contained deployments that carry their own copy of the framework libraries) may need to be rebuilt and redeployed so the fixed Data Protection code is actually bundled into the app. (csoonline.com) (infoworld.com) Administrators may also need to invalidate existing authentication cookies and other tokens created while the buggy code was in use. If those artifacts were minted under the flawed validation logic, rotating the Data Protection keys or expiring sessions can cut off any forged or still-usable credentials. (github.com) (csoonline.com)

The episode is a reminder that emergency security fixes can follow routine platform updates within days. For .NET teams, the immediate checklist is short: identify any 10.0.0 to 10.0.6 deployments (shared runtimes as well as apps that bundle the package), update to 10.0.7, rebuild and redeploy embedded apps, and force fresh sign-ins where cookies issued under the flawed code may still exist. (devblogs.microsoft.com) (github.com)
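The inventory step of that checklist, as an added example that is not from the article or from Microsoft: a shell script that classifies `dotnet --list-runtimes` output and scans published app directories for bundled Microsoft.AspNetCore.DataProtection package versions. The affected range (10.0.0 through 10.0.6) and the fixed version (10.0.7) are taken from the article; the `"Name/Version"` key layout in `*.deps.json` is assumed from the standard .NET deps.json format, and the sample runtime listing and deps.json file in the script are constructed for the demonstration, not captured from a real host.

```shell
#!/usr/bin/env sh
# Added example (not Microsoft's tooling): locate ASP.NET Core 10.0.0-10.0.6
# deployments, the range the advisory names, treating 10.0.7+ as fixed.

# Classify one Microsoft.AspNetCore.App version string.
# Prints: vulnerable | fixed | not-in-scope (not a 10.0.x build) | unknown
classify_aspnet_version() {
  ver="$1"
  major="${ver%%.*}"
  rest="${ver#*.}"
  minor="${rest%%.*}"
  case "$rest" in
    *.*) patch="${rest#*.}" ;;
    *)   patch="" ;;
  esac
  patch="${patch%%[!0-9]*}"        # drop any "-preview"/"+build" suffix
  if [ "$major" != "10" ] || [ "$minor" != "0" ]; then
    echo not-in-scope
  elif [ -z "$patch" ]; then
    echo unknown
  elif [ "$patch" -le 6 ]; then
    echo vulnerable                  # 10.0.0 through 10.0.6 per the advisory
  else
    echo fixed                       # 10.0.7 and later
  fi
}

# Read `dotnet --list-runtimes` output on stdin; print "<version> <status>"
# for each installed Microsoft.AspNetCore.App shared runtime. Framework-
# dependent apps roll forward onto these, so the runtime/Hosting Bundle
# update fixes them.
audit_runtime_list() {
  while read -r name ver rest; do
    [ "$name" = "Microsoft.AspNetCore.App" ] || continue
    printf '%s %s\n' "$ver" "$(classify_aspnet_version "$ver")"
  done
}

# Scan a publish directory for apps that bundle the package themselves
# (self-contained deployments or direct package references). Assumption:
# the standard deps.json layout keys libraries as "Name/Version".
# Prints "<package> <version> <status>" per distinct entry found.
audit_deps_json() {
  find "$1" -name '*.deps.json' -exec cat {} + 2>/dev/null \
    | grep -oE '"Microsoft\.AspNetCore\.DataProtection[A-Za-z.]*/[0-9][^"]*"' \
    | tr -d '"' | sort -u \
    | while IFS=/ read -r pkg ver; do
        printf '%s %s %s\n' "$pkg" "$ver" "$(classify_aspnet_version "$ver")"
      done
}

# ---- constructed demo data (not captured from a real host) ---------------
SAMPLE_RUNTIMES='Microsoft.NETCore.App 10.0.6 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.AspNetCore.App 10.0.6 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 10.0.7 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]'

make_sample_publish_dir() {
  dir="$(mktemp -d)"
  cat >"$dir/Shop.Web.deps.json" <<'EOF'
{
  "runtimeTarget": { "name": ".NETCoreApp,Version=v10.0/linux-x64" },
  "libraries": {
    "Shop.Web/1.0.0": { "type": "project" },
    "Microsoft.AspNetCore.DataProtection/10.0.6": { "type": "package" },
    "Microsoft.AspNetCore.DataProtection.Abstractions/10.0.6": { "type": "package" }
  }
}
EOF
  printf '%s\n' "$dir"
}

# On a real host replace the sample with:  dotnet --list-runtimes | audit_runtime_list
echo "== shared runtimes =="
printf '%s\n' "$SAMPLE_RUNTIMES" | audit_runtime_list
echo "== bundled packages =="
sample_dir="$(make_sample_publish_dir)"
audit_deps_json "$sample_dir"        # real use: audit_deps_json /var/www
rm -rf "$sample_dir"
```

Any `vulnerable` line under "shared runtimes" is fixed by installing 10.0.7; any `vulnerable` line under "bundled packages" names an app that has to be rebuilt against the fixed package and redeployed, since updating the shared runtime does not touch the copy inside its publish folder.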

Shared from Scout.