Critical ASP.NET Core Patch
- Microsoft issued emergency updates for a critical privilege-escalation flaw in ASP.NET Core that affects multiple OSes.
- The vulnerable package is Microsoft.AspNetCore.DataProtection; the fix ships in .NET 10.0.7, and apps carrying embedded copies must be rebuilt.
- Patching alone won't remove the risk; impacted apps must be rebuilt, and tokens/cookies expired when they are redeployed (infoworld.com).
ASP.NET Core apps use a built-in lockbox called Data Protection to seal cookies, tokens, and other secrets. Microsoft said developers should update that component immediately after a flaw was found that could let attackers forge some authentication cookies. (devblogs.microsoft.com)

Microsoft shipped an out-of-band .NET 10.0.7 security update on April 21, 2026. The company's advisory says the bug affects the Microsoft.AspNetCore.DataProtection NuGet package in versions 10.0.0 through 10.0.6. (devblogs.microsoft.com, github.com) The flaw is tracked as CVE-2026-40372. Microsoft said the package bug could let an attacker carry out an elevation-of-privilege attack by forging authentication cookies, and could also let some protected data be decrypted. (github.com, github.com)

The problem is unusual because installing the patch is not the whole fix. Microsoft said any app that directly references the vulnerable package, or carries an embedded copy through the ASP.NET Core shared framework, must be rebuilt and redeployed with the patched bits. (devblogs.microsoft.com, infoworld.com)

Data Protection works by encrypting and signing values so a server can trust them later. In this case, Microsoft's release notes said a regression caused the managed authenticated encryptor to validate the wrong bytes of a payload and, in some cases, discard the computed hash. (learn.microsoft.com, github.com) That means older cookies or tokens created with the broken package can remain dangerous after a simple patch. Microsoft said redeployed apps should expire authentication cookies and other protected payloads so forged or vulnerable artifacts stop working. (devblogs.microsoft.com, infoworld.com)

The update reaches beyond one operating system because ASP.NET Core runs on Windows, Linux, and macOS. Microsoft's .NET 10.0.7 release also updated installers, container images, Linux packages, and runtime binaries tied to the patched release. (devblogs.microsoft.com, learn.microsoft.com)

Developers also ran into a separate compatibility problem while rushing to patch. A public GitHub issue reported that secrets protected in 10.0.5 could not be unprotected in 10.0.6, a regression that Microsoft addressed in the 10.0.7 out-of-band release. (github.com, devblogs.microsoft.com)

For teams running ASP.NET Core in production, Microsoft's sequence is specific: update to 10.0.7, rebuild affected apps, redeploy them, and invalidate old cookies and tokens. That leaves the emergency patch as the first step, not the last one. (devblogs.microsoft.com, github.com)
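The following is an added example, not code from Microsoft or from the article's sources. It shows the two halves of the story in one small console program: how Data Protection seals a value and rejects a payload whose bytes were altered (the integrity check the regression weakened), and one way to carry out the last step of Microsoft's sequence, invalidating everything protected before the redeploy, by revoking the key ring through `IKeyManager`. It assumes the `Microsoft.AspNetCore.DataProtection` and `Microsoft.Extensions.DependencyInjection` packages at the patched 10.0.7 level; the application name, purpose string, key directory and plaintext are constructed for the example.

```csharp
// Added example (not Microsoft's code): seal a value with ASP.NET Core Data Protection,
// show that an altered payload is rejected, then revoke the key ring so that every
// payload protected before the redeploy stops unprotecting.
// Packages assumed: Microsoft.AspNetCore.DataProtection, Microsoft.Extensions.DependencyInjection.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

class Program
{
    static void Main()
    {
        // Keys are persisted to a throwaway directory so the sample is self-contained.
        var keyDir = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "dp-sample-keys"));

        var services = new ServiceCollection();
        services.AddDataProtection()
            .SetApplicationName("dp-sample")          // hypothetical application name
            .PersistKeysToFileSystem(keyDir);
        using var provider = services.BuildServiceProvider();

        // The purpose string isolates this protector from others (e.g. the cookie protector).
        var protector = provider.GetRequiredService<IDataProtectionProvider>()
            .CreateProtector("dp-sample.session-token");      // hypothetical purpose

        string token = protector.Protect("user=42;role=member");   // constructed plaintext
        Console.WriteLine($"unprotected: {protector.Unprotect(token)}");

        // Data Protection authenticates the whole payload: changing a single character
        // in the middle of the sealed value must make Unprotect throw.
        char[] chars = token.ToCharArray();
        int mid = chars.Length / 2;
        chars[mid] = chars[mid] == 'A' ? 'B' : 'A';
        string altered = new string(chars);
        try
        {
            protector.Unprotect(altered);
            Console.WriteLine("BUG: altered payload accepted");
        }
        catch (CryptographicException)
        {
            Console.WriteLine("altered payload rejected");
        }

        // After redeploying with the patched package, revoke every key created so far.
        // Cookies and tokens sealed under those keys can no longer be unprotected, so
        // artifacts produced by the vulnerable build stop working app-wide.
        var keyManager = provider.GetRequiredService<IKeyManager>();
        keyManager.RevokeAllKeys(DateTimeOffset.UtcNow,
                                 reason: "redeployed with patched Data Protection");

        try
        {
            protector.Unprotect(token);
            Console.WriteLine("BUG: old token still accepted after revocation");
        }
        catch (CryptographicException)
        {
            Console.WriteLine("old token rejected after key revocation");
        }

        // New payloads are sealed under a freshly generated key and keep working.
        string fresh = protector.Protect("user=42;role=member");
        Console.WriteLine($"fresh token unprotects: {protector.Unprotect(fresh)}");
    }
}
```

Revoking all keys is deliberately blunt: every payload the app ever protected, not just authentication cookies, becomes unreadable, which is the intended effect after this advisory but means users are signed out and any long-lived protected data must be re-issued. In a multi-node deployment the revocation takes effect only where the key ring is shared, so the key store used by `PersistKeysToFileSystem` (or an equivalent) must be the one all instances read.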