Emergency ASP.NET Patch
- Microsoft pushed emergency .NET/ASP.NET updates to fix a critical elevation-of-privilege vulnerability affecting multiple platforms.
- The out-of-band fixes include the .NET 10.0.7 update addressing authentication failures that could lead to privilege escalation.
- Defenders should correlate vulnerable app inventories, recent privileged logins, and patch status to detect possible exploitation (arstechnica.com).
Microsoft shipped an emergency .NET 10.0.7 update on April 21 to fix a flaw in ASP.NET Core that could let attackers gain higher privileges. (devblogs.microsoft.com) ASP.NET Core is Microsoft’s web framework, and one of its security pieces, Data Protection, handles encrypted app secrets such as authentication cookies. Microsoft said versions 10.0.0 through 10.0.6 of the Microsoft.AspNetCore.DataProtection package contained a regression that could lead to elevation of privilege. (devblogs.microsoft.com)

The company assigned the bug CVE-2026-40372 and said the fix is included in .NET 10.0.7. Microsoft’s release notes list April 21, 2026, as the release date and show updated SDKs 10.0.203 and 10.0.107 carrying the patched runtime. (devblogs.microsoft.com) (github.com)

Microsoft said the problem appeared after the April Patch Tuesday release of .NET 10.0.6, when customers reported decryption failures in their applications. During that investigation, the company said, engineers found that the same regression also created the security exposure. (devblogs.microsoft.com)

In plain terms, the vulnerable code checked the wrong bytes when verifying whether protected data had been tampered with. Microsoft said the managed authenticated encryptor could calculate an HMAC tag over the wrong part of the payload and in some cases discard the computed hash. (devblogs.microsoft.com) (github.com) That matters because Data Protection sits underneath common web features such as sign-in state and other protected tokens.

Ars Technica reported the flaw affected Linux and macOS apps using ASP.NET Core, and BleepingComputer reported that Microsoft described the issue as critical in its emergency release. (arstechnica.com) (bleepingcomputer.com) The patched release is available for Linux, macOS, and Windows, with updated ASP.NET Core runtime packages and container images.
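To make the "HMAC tag over the wrong part of the payload" description concrete, here is an added illustration that is not Microsoft's Data Protection code and does not reproduce the actual regression (the page gives no further detail on it). It is a toy encrypt-then-MAC "authenticated encryptor" whose payload layout is nonce || ciphertext || tag, built with a constructed SHA-256 keystream cipher and constructed keys, in two configurations: one where the tag covers the whole payload ahead of the tag, and one where it covers only the ciphertext. The tamper survey is the kind of regression test that catches the second configuration, because a modified nonce is still accepted and silently decrypts to different bytes.

```python
import hashlib
import hmac
import os
from typing import List, Optional

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output length


class ToyAuthenticatedEncryptor:
    """Toy encrypt-then-MAC: blob = nonce || ciphertext || HMAC-SHA256 tag.

    Constructed illustration only: the 'cipher' is a SHA-256 keystream XOR,
    not a real AEAD, and this is not ASP.NET Core's Data Protection code.
    """

    def __init__(self, enc_key: bytes, mac_key: bytes, mac_covers_header: bool = True):
        self.enc_key = enc_key
        self.mac_key = mac_key
        # True  = tag covers nonce || ciphertext (correct: every byte before the tag)
        # False = tag covers ciphertext only (tag computed over the wrong slice of the payload)
        self.mac_covers_header = mac_covers_header

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        out, counter = b"", 0
        while len(out) < length:
            out += hashlib.sha256(self.enc_key + nonce + counter.to_bytes(4, "big")).digest()
            counter += 1
        return out[:length]

    def _tag(self, nonce: bytes, ciphertext: bytes) -> bytes:
        covered = (nonce + ciphertext) if self.mac_covers_header else ciphertext
        return hmac.new(self.mac_key, covered, hashlib.sha256).digest()

    def protect(self, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
        nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
        ks = self._keystream(nonce, len(plaintext))
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
        return nonce + ciphertext + self._tag(nonce, ciphertext)

    def unprotect(self, blob: bytes) -> bytes:
        if len(blob) < NONCE_LEN + TAG_LEN:
            raise ValueError("payload too short")
        nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        # Verify before decrypting, using a constant-time comparison.
        if not hmac.compare_digest(self._tag(nonce, ciphertext), tag):
            raise ValueError("authentication failed")
        ks = self._keystream(nonce, len(ciphertext))
        return bytes(c ^ k for c, k in zip(ciphertext, ks))


def undetected_tamper_positions(enc: ToyAuthenticatedEncryptor, blob: bytes) -> List[int]:
    """Flip one bit at every byte offset of the blob; return the offsets where
    unprotect() still accepted the modified blob. A correct encryptor returns []."""
    undetected = []
    for i in range(len(blob)):
        tampered = blob[:i] + bytes([blob[i] ^ 0x01]) + blob[i + 1:]
        try:
            enc.unprotect(tampered)
        except ValueError:
            continue
        undetected.append(i)
    return undetected


# Constructed keys, nonce and payload for the demonstration (not real secrets).
ENC_KEY = bytes(range(32))
MAC_KEY = bytes(range(32, 64))
NONCE = b"\x00" * NONCE_LEN
PLAINTEXT = b"user=alice;role=user;exp=1700000000"

if __name__ == "__main__":
    for name, covers in (("correct", True), ("wrong-slice", False)):
        enc = ToyAuthenticatedEncryptor(ENC_KEY, MAC_KEY, mac_covers_header=covers)
        blob = enc.protect(PLAINTEXT, NONCE)
        print(name, "undetected tamper offsets:", undetected_tamper_positions(enc, blob))
```

The survey reports no undetected offsets for the correct configuration and exactly the 16 nonce offsets for the wrong-slice one. The design point for a library like Data Protection is that the verifier must authenticate every byte it later uses to decrypt or interpret the payload, and a byte-flipping survey over a known-good protected blob is a cheap test to keep in the suite so that a refactor of the slicing logic cannot regress silently.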
Microsoft’s download page lists .NET Runtime 10.0.7 and ASP.NET Core Runtime 10.0.7 for all three platforms, and recommends the Hosting Bundle on Windows servers using Internet Information Services. (dotnet.microsoft.com) (github.com)

Microsoft told customers using ASP.NET Core Data Protection to update the package to 10.0.7 “as soon as possible,” then rebuild and redeploy apps with the new packages or images. It also said administrators can verify installation by running `dotnet --info` and confirming version 10.0.7. (devblogs.microsoft.com)

For defenders, the immediate work is inventory and correlation: find apps running Data Protection 10.0.0 through 10.0.6, confirm which systems have moved to 10.0.7, and review recent privileged logins around unpatched servers. The bottom line has not changed: Microsoft treated this as an out-of-band security release, not a routine monthly update. (devblogs.microsoft.com) (arstechnica.com)
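The inventory step above is mechanical enough to script. The following is an added example, not Microsoft's tooling, that classifies a host from two inputs: a project file's direct `PackageReference` to Microsoft.AspNetCore.DataProtection, and the installed ASP.NET Core shared runtimes as printed by `dotnet --list-runtimes` (that command and its `Name Version [path]` line format are an assumption beyond the page, which cites `dotnet --info`; the same runtime lines appear in its output). The affected range 10.0.0 through 10.0.6 and the fixed version 10.0.7 are taken from the page; the sample project file and runtime listing are constructed.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

# Affected range and fixed version as quoted on the page from Microsoft's advisory.
PACKAGE = "Microsoft.AspNetCore.DataProtection"
SHARED_FRAMEWORK = "Microsoft.AspNetCore.App"  # ASP.NET Core runtime name in `dotnet --list-runtimes`
VULN_MIN, VULN_MAX, FIXED = (10, 0, 0), (10, 0, 6), (10, 0, 7)


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Leading major.minor.patch of a version string, or None if it has none."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def is_vulnerable(version: str) -> bool:
    v = parse_version(version)
    return v is not None and VULN_MIN <= v <= VULN_MAX


def check_csproj(xml_text: str) -> List[Tuple[str, str, bool]]:
    """(package, version, vulnerable) for each direct DataProtection PackageReference.
    Tag names are compared by local name so namespaced (old-style) project files also work."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.rsplit("}", 1)[-1] != "PackageReference":
            continue
        name = el.get("Include", "")
        version = el.get("Version") or el.findtext("Version") or ""
        if name == PACKAGE:
            findings.append((name, version, is_vulnerable(version)))
    return findings


RUNTIME_LINE = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\S*)\s+\[")


def check_runtimes(listing: str) -> List[Tuple[str, bool]]:
    """(version, vulnerable) for each installed ASP.NET Core shared runtime."""
    findings = []
    for line in listing.splitlines():
        m = RUNTIME_LINE.match(line.strip())
        if m and m.group(1) == SHARED_FRAMEWORK:
            findings.append((m.group(2), is_vulnerable(m.group(2))))
    return findings


def host_status(csproj_text: str, runtime_listing: str) -> str:
    """VULNERABLE if any affected package or runtime is present, PATCHED if only
    fixed-or-later 10.x artefacts are present, NOT_IN_SCOPE otherwise."""
    pkgs = check_csproj(csproj_text)
    runtimes = check_runtimes(runtime_listing)
    if any(v for _, _, v in pkgs) or any(v for _, v in runtimes):
        return "VULNERABLE"
    versions = [parse_version(ver) for _, ver, _ in pkgs] + [parse_version(ver) for ver, _ in runtimes]
    if any(v is not None and v >= FIXED for v in versions):
        return "PATCHED"
    return "NOT_IN_SCOPE"


# Constructed sample inputs for the demonstration.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="10.0.6" />
    <PackageReference Include="Microsoft.Extensions.Logging" Version="10.0.0" />
  </ItemGroup>
</Project>
"""

SAMPLE_RUNTIMES = """Microsoft.NETCore.App 10.0.6 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.AspNetCore.App 9.0.4 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 10.0.6 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
"""

if __name__ == "__main__":
    print("packages:", check_csproj(SAMPLE_CSPROJ))
    print("runtimes:", check_runtimes(SAMPLE_RUNTIMES))
    print("status:", host_status(SAMPLE_CSPROJ, SAMPLE_RUNTIMES))
```

Feed each host's real project file and runtime listing into `host_status` and join the result against your privileged-login data: hosts that report VULNERABLE are the ones whose recent privileged sign-ins deserve review, and a host that still lists a 10.0.6 runtime alongside 10.0.7 is reported VULNERABLE on purpose, since an app pinned to the older runtime can still load it.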