Bitvise
2026-05-05
Cybersecurity

7 Critical Facts About the .NET 10.0.7 Out-of-Band Security Update

.NET 10.0.7 OOB update fixes decryption regression and CVE-2026-40372 elevation-of-privilege flaw. Update Microsoft.AspNetCore.DataProtection now.

In an unexpected move, the .NET team has released version 10.0.7 as an out-of-band (OOB) update to address a pressing security flaw. This update targets a critical issue in the Microsoft.AspNetCore.DataProtection package that not only broke decryption for some users but also exposed a potential elevation-of-privilege vulnerability. Here are seven essential facts you need to know about this urgent release.

1. What Triggered the Out-of-Band Update?

Shortly after the scheduled .NET 10.0.6 release (Patch Tuesday), developers began reporting that Data Protection decryption (IDataProtector.Unprotect) was failing in their ASP.NET Core applications. The issue was tracked in aspnetcore issue #66335, and while investigating the regression the .NET team uncovered a more serious security hole in the same code path. This prompted an immediate OOB patch, version 10.0.7, that fixes both the decryption failures and the underlying vulnerability.

Source: devblogs.microsoft.com

2. Which Package Is Affected?

The vulnerability resides in the Microsoft.AspNetCore.DataProtection NuGet package, versions 10.0.0 through 10.0.6. The same library also ships inside the Microsoft.AspNetCore.App shared framework, so an application with no explicit PackageReference is still affected and picks the fix up by updating the installed runtime. Data Protection is what ASP.NET Core uses to protect authentication cookies, anti-forgery tokens, and other payloads that must not be readable or alterable by the client. If your application relies on it, this update is mandatory.

3. What Is the Vulnerability (CVE-2026-40372)?

The security flaw, assigned CVE-2026-40372, lies in the managed authenticated encryptor, the encrypt-then-MAC implementation (AES-CBC with an HMAC-SHA256 tag, the default on Linux and macOS) that Data Protection uses when the Windows CNG encryptor is not in play. In vulnerable versions the encryptor could compute its HMAC validation tag over the wrong bytes of the payload and then discard the computed tag instead of comparing it with the tag carried in the payload. A tag that is never compared provides no integrity protection: whoever holds a protected payload, for example their own authentication cookie, could alter it and have the altered payload accepted, which is the elevation-of-privilege path. No public exploits have been reported, but the risk is real.
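To make the failure mode concrete, here is an added Python model of the encrypt-then-MAC framing described above; it is not the .NET team's code or the real Data Protection wire format. The 4-byte MAGIC header stands in for Data Protection's header and key id, and an HMAC-based XOR keystream stands in for AES-CBC so the file runs with only the standard library. unprotect_fixed compares the tag before decrypting; unprotect_vulnerable models the two defects the article names (tag computed over the wrong slice, then dropped), and tamper shows what that lets a cookie holder do without any key.

```python
"""Encrypt-then-MAC framing: why the tag must cover the right bytes and
then actually be compared.  Added example; stand-ins, not .NET code."""
import hashlib
import hmac
import os
import struct

MAGIC = b"DP10"        # assumed header stand-in for Data Protection's header/key id
IV_LEN, TAG_LEN = 16, 32
CT_START = len(MAGIC) + IV_LEN


def _keystream(enc_key: bytes, iv: bytes, n: int) -> bytes:
    """Counter-mode keystream from HMAC; a stand-in for the block cipher."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(enc_key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def _xor(data: bytes, keystream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream))


def protect(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """MAGIC || IV || ciphertext || HMAC(mac_key, MAGIC || IV || ciphertext)."""
    iv = os.urandom(IV_LEN)
    body = MAGIC + iv + _xor(plaintext, _keystream(enc_key, iv, len(plaintext)))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def unprotect_fixed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Correct: recompute the tag over everything before it and compare in
    constant time BEFORE touching the ciphertext."""
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication tag mismatch")
    iv, ct = body[len(MAGIC):CT_START], body[CT_START:]
    return _xor(ct, _keystream(enc_key, iv, len(ct)))


def unprotect_vulnerable(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Models the defect as the article describes it: the tag is computed over
    the wrong slice (here header + IV only, not the ciphertext) and the result
    is then dropped without ever being compared against the stored tag."""
    body = blob[:-TAG_LEN]
    _unused = hmac.new(mac_key, body[:CT_START], hashlib.sha256).digest()
    iv, ct = body[len(MAGIC):CT_START], body[CT_START:]
    return _xor(ct, _keystream(enc_key, iv, len(ct)))   # tag never checked


def tamper(blob: bytes, known: bytes, wanted: bytes) -> bytes:
    """Attacker move, no key needed: with a known plaintext layout, XOR the
    ciphertext so it decrypts to `wanted`.  (CBC is malleable in the same
    spirit: flipping IV or ciphertext bits changes the next plaintext block.)"""
    assert len(known) == len(wanted)
    out = bytearray(blob)
    for i, (k, w) in enumerate(zip(known, wanted)):
        out[CT_START + i] ^= k ^ w
    return bytes(out)


def demo() -> dict:
    """Constructed scenario: an auth cookie carrying a role claim."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    original = b"role=user;uid=42"
    cookie = protect(enc_key, mac_key, original)
    forged = tamper(cookie, original, b"role=root;uid=42")
    try:
        fixed_view = unprotect_fixed(enc_key, mac_key, forged)
    except ValueError:
        fixed_view = None                      # forgery rejected
    return {
        "roundtrip": unprotect_fixed(enc_key, mac_key, cookie),
        "vulnerable_accepts": unprotect_vulnerable(enc_key, mac_key, forged),
        "fixed_accepts": fixed_view,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Run it and the vulnerable path hands back role=root while the fixed path raises on the same bytes. The ordering in unprotect_fixed matters as much as the comparison: verify, then decrypt, so that a forged payload never reaches the code that parses it.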

4. How Does the Regression Affect You?

Users who upgraded to .NET 10.0.6 observed decryption failures—causing authentication cookies, anti-forgery tokens, and other protected payloads to become unreadable. This alone disrupted many applications. However, the regression also served as a canary, alerting the team to the deeper HMAC computation error. The 10.0.7 update resolves both the decryption issue and the security bug, so you can resume normal operations immediately.

5. Which Products and Runtimes Are Included?

.NET 10.0.7 covers the SDK, Runtime, and ASP.NET Core packages. The fix targets the Microsoft.AspNetCore.DataProtection library specifically, but updating the entire SDK or runtime ensures all components are synchronized. You can download the updated binaries from the official .NET website, and container images are also available for Docker deployments.


6. How to Install and Verify the Update

Follow these steps to apply the security update:

  1. Download and install the .NET 10.0.7 SDK or Runtime from the official download page.
  2. Verify the installation. dotnet --info lists the installed SDKs and runtimes; dotnet --list-runtimes should show Microsoft.AspNetCore.App 10.0.7, which is the shared framework that carries the Data Protection library.
  3. Rebuild and redeploy. Framework-dependent deployments pick up the fix from the updated runtime on the host; self-contained deployments and container images must be rebuilt with the updated SDK or base image.

If your project references the package explicitly, raise Microsoft.AspNetCore.DataProtection to 10.0.7 in the PackageReference (or in Directory.Packages.props if you use central package management). For Docker users, pull the mcr.microsoft.com/dotnet/aspnet:10.0.7 image; if your Dockerfile uses the floating 10.0 tag, pull again before building so a cached 10.0.6 layer is not reused.
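The steps above are easy to skip in a fleet of services, so here is an added triage script (Python, not a Microsoft tool) that applies the article's affected range, 10.0.0 up to but not including 10.0.7, to two inputs: project XML, for explicit package references, and dotnet --list-runtimes output, for the Microsoft.AspNetCore.App shared framework that carries the library when there is no explicit reference. The csproj and runtime listing embedded below are constructed samples; installed_runtimes() runs the real command on your machine if dotnet is on PATH.

```python
"""Am-I-affected triage for the 10.0.7 advisory.  Added example."""
import re
import subprocess
import xml.etree.ElementTree as ET

PACKAGE = "Microsoft.AspNetCore.DataProtection"
SHARED_FRAMEWORK = "Microsoft.AspNetCore.App"
FIRST_VULNERABLE, FIXED = (10, 0, 0), (10, 0, 7)    # range stated in the article

# Constructed sample inputs (not real project files or hosts).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup><TargetFramework>net10.0</TargetFramework></PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="10.0.6" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""

SAMPLE_RUNTIMES = """Microsoft.NETCore.App 10.0.6 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.AspNetCore.App 9.0.0 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 10.0.6 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]"""


def parse_version(text: str):
    """'10.0.6' -> (10, 0, 6).  A prerelease suffix is ignored.  An MSBuild
    property such as $(DpVersion) cannot be resolved here and yields None."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(x) for x in m.groups()) if m else None


def classify(version: str) -> str:
    """'vulnerable', 'ok', or 'unresolved' for a version string."""
    v = parse_version(version)
    if v is None:
        return "unresolved"
    return "vulnerable" if FIRST_VULNERABLE <= v < FIXED else "ok"


def scan_project_xml(xml_text: str) -> list:
    """(version, status) for each DataProtection PackageReference, or
    PackageVersion item under central package management."""
    hits = []
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.split("}")[-1]             # strip an xmlns on old-style projects
        if tag in ("PackageReference", "PackageVersion") and el.get("Include") == PACKAGE:
            version = el.get("Version") or el.findtext("Version") or ""
            hits.append((version, classify(version)))
    return hits


def scan_runtimes(listing: str) -> list:
    """(version, status) for each 'Microsoft.AspNetCore.App X.Y.Z [path]' line."""
    hits = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == SHARED_FRAMEWORK:
            hits.append((parts[1], classify(parts[1])))
    return hits


def installed_runtimes() -> str:
    """Live listing from this machine; empty string if dotnet is not on PATH."""
    try:
        proc = subprocess.run(["dotnet", "--list-runtimes"],
                              capture_output=True, text=True, check=False)
        return proc.stdout
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    print("sample project:", scan_project_xml(SAMPLE_CSPROJ))
    print("sample runtimes:", scan_runtimes(SAMPLE_RUNTIMES))
    print("this machine:", scan_runtimes(installed_runtimes()) or "no dotnet found")
```

A host that shows 10.0.6 and 10.0.7 side by side is not necessarily clean: framework-dependent apps roll forward only to the latest patch of the major.minor they target, so the 10.0.7 runtime must actually be present where the app runs, and self-contained apps carry their own copy and need a rebuild regardless of what the host lists.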

7. Where to Report Issues and Get Support

After upgrading, monitor your application for any unusual behavior. If you encounter problems related to this release, the .NET team encourages you to share your feedback in the .NET release feedback issues on GitHub. The team is actively monitoring reports and will provide support for any residual issues.

Conclusion
The .NET 10.0.7 out-of-band update is a critical patch that fixes both a decryption regression and a security vulnerability (CVE-2026-40372). If you are running ASP.NET Core with Data Protection, update to version 10.0.7 immediately to protect your applications. Stay tuned for the official release notes and future Patch Tuesday updates.