Microsoft releases emergency out-of-band .NET update to patch severe bug


    Karlston

    Microsoft rushes out .NET 10.0.7 update to fix critical 9.1 vulnerability enabling privilege escalation and data access risks.

.NET forms a core part of Windows and other operating systems, and applications built on it run across billions of devices. Microsoft concurrently supports multiple versions of .NET and regularly urges IT admins not to run unsupported versions of the technology. This matters because a security vulnerability in the platform itself can create significant supply chain risk. Now, Microsoft has released an out-of-band security update for the latest version of .NET.

Microsoft notes that after Patch Tuesday's release of .NET 10.0.6, several customers reported that decryption was failing in their applications. As the Redmond tech firm investigated this issue, it also discovered a bigger problem, namely a security vulnerability.

This vulnerability is tracked as CVE-2026-40372 and has a severity score of 9.1. It allows an attacker to elevate privileges (EoP) by forging authentication cookies and decrypting some protected payloads. The flaw lives in the Microsoft.AspNetCore.DataProtection NuGet package, in which "the managed authenticated encryptor could compute its HMAC validation tag over the wrong bytes of the payload and then discard the computed hash, which could result in elevation of privilege."

Microsoft has emphasized that all non-Windows operating systems running .NET 10.0.6 are impacted. You are also affected if all of the following conditions are true:

• Your application or library referenced Microsoft.AspNetCore.DataProtection versions 10.0.0 through 10.0.6 from NuGet.
• The build consumed the net462 or netstandard2.0 target framework asset of that package. This happens when your application does not target net10.0 but still consumes the package (e.g. net8.0, net9.0, net481 for Mono, etc.). This combination is unusual, because 10.0 NuGet packages are generally intended for use with .NET 10.
• The application ran on Linux, macOS, or any other non-Windows operating system.

Some other configurations may be impacted too; you can find more details here.

To patch this security lapse, Microsoft has released an OOB security update, .NET 10.0.7, which also fixes the decryption regression. You can download and install it from here, then run dotnet --info from a command prompt to confirm that you are on the latest version. After that, rebuild and redeploy any software that depends on the updated package.
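As an added example (not code from the article or from Microsoft), the script below applies the three affected-configuration conditions listed above to an SDK-style .csproj and reports whether the project needs the 10.0.7 package; the project file is a constructed sample, and the package name and the 10.0.0 through 10.0.6 range come from the text.

```python
# Added example (not code from the article or from Microsoft): flag a project
# whose DataProtection reference matches the affected combination described
# above. The .csproj string below is a constructed sample.
import re
import xml.etree.ElementTree as ET

AFFECTED_PKG = "Microsoft.AspNetCore.DataProtection"
FIRST_BAD, LAST_BAD, FIXED = (10, 0, 0), (10, 0, 6), "10.0.7"  # per the advisory text

def parse_version(v):
    """'10.0.6' -> (10, 0, 6); a pre-release suffix such as '-rc.1' is dropped."""
    return tuple(int(x) for x in v.split("-")[0].split("."))

def target_frameworks(root):
    tfms = []
    for tag in ("TargetFramework", "TargetFrameworks"):
        for el in root.iter(tag):
            tfms += [t.strip() for t in (el.text or "").split(";") if t.strip()]
    return tfms

def uses_legacy_asset(tfm):
    # Only a net10.0+ target takes the package's net10.0 asset; everything else
    # (net8.0, net9.0, net462, net481, netstandard2.0, ...) resolves to the
    # net462/netstandard2.0 asset that the article says carries the bug.
    m = re.fullmatch(r"net(\d+)\.(\d+)(?:-[\w.]+)?", tfm)
    return not (m and int(m.group(1)) >= 10)

def assess(csproj_xml, on_windows=False):
    """Return (affected, reason) for one SDK-style project file."""
    root = ET.fromstring(csproj_xml)
    ver = next((p.get("Version") for p in root.iter("PackageReference")
                if p.get("Include") == AFFECTED_PKG), None)
    if ver is None:
        return False, "package not referenced"
    if not FIRST_BAD <= parse_version(ver) <= LAST_BAD:
        return False, f"version {ver} is outside 10.0.0-10.0.6"
    legacy = [t for t in target_frameworks(root) if uses_legacy_asset(t)]
    if not legacy:
        return False, "every target resolves to the net10.0 asset"
    if on_windows:
        return False, "listed combination needs a non-Windows host; see the advisory for others"
    return True, f"{ver} via legacy asset for {legacy}; move to {FIXED}, rebuild and redeploy"

SAMPLE = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup><TargetFrameworks>net8.0;net9.0</TargetFrameworks></PropertyGroup>
  <ItemGroup><PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="10.0.6" /></ItemGroup>
</Project>"""

if __name__ == "__main__":
    print(assess(SAMPLE))
```

The check mirrors the article's own rule (any non-net10.0 target falls back to the legacy asset); it is a screening aid for a repository sweep, not a substitute for confirming the runtime with dotnet --info.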


It's a pretty severe issue overall, which is underscored by Microsoft's decision to release an OOB update so soon after Patch Tuesday. The tech giant says that an attacker who successfully exploits this flaw can gain SYSTEM privileges, allowing them to read files and modify data, so it's essential that you install .NET 10.0.7 as soon as possible if you are impacted.

    Source


    Hope you enjoyed this news post. Feedback welcome.

    Posted Wednesday 22 April 2026 at 1:36 pm AEST (my time).
