We are releasing .NET 10.0.7 as an out-of-band (OOB) update to address a security issue introduced in Microsoft.AspNetCore.DataProtection.
Security update details
This release includes a fix for CVE-2026-40372.
After the Patch Tuesday 10.0.6 release, some customers reported that decryption was failing in their applications. This behavior was reported in aspnetcore issue #66335.
While investigating those reports, we determined that the regression also exposed a vulnerability. In versions 10.0.0 through 10.0.6 of the Microsoft.AspNetCore.DataProtection NuGet package, the managed authenticated encryptor could compute its HMAC validation tag over the wrong bytes of the payload and then discard the computed hash, which could result in elevation of privilege.
Update required
If your application uses ASP.NET Core Data Protection, update the Microsoft.AspNetCore.DataProtection package to 10.0.7 as soon as possible to address the decryption regression and security vulnerability.
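To find projects that still resolve an affected package version, including transitive references, the following added example (not part of the original post) filters the text output of `dotnet list package --include-transitive`. The function name and the sample output are constructed for illustration, and the script assumes the resolved version is the last column of each package row.

```bash
#!/usr/bin/env bash
# Added example: flag references to Microsoft.AspNetCore.DataProtection
# that resolve to an affected version (10.0.0 through 10.0.6).
# Input: text output of `dotnet list package --include-transitive` on stdin.
PKG="Microsoft.AspNetCore.DataProtection"

# Prints one "project<TAB>version" line per affected reference.
# Returns 1 if any affected reference was found, 0 otherwise.
find_affected_dataprotection() {
  awk -v pkg="$PKG" '
    # Header row of each project; the name sits between single quotes (\047).
    /^Project / { n = split($0, q, "\047"); project = (n >= 3) ? q[2] : $2 }
    # Package rows start with ">". The name must match exactly, so sibling
    # packages such as ...DataProtection.Abstractions are skipped.
    # Prerelease versions are not matched; the post lists 10.0.0 to 10.0.6.
    $1 == ">" && $2 == pkg && $NF ~ /^10\.0\.[0-6]$/ {
      print project "\t" $NF
      found = 1
    }
    END { exit (found ? 1 : 0) }
  '
}

# Constructed sample output for a dry run (not real scan results).
sample_output() {
  cat <<'EOF'
Project 'WebApp' has the following package references
   [net10.0]:
   Top-level Package                               Requested   Resolved
   > Microsoft.AspNetCore.DataProtection           10.0.6      10.0.6
   > Microsoft.Extensions.Logging                  10.0.6      10.0.6

Project 'Worker' has the following package references
   [net10.0]:
   Top-level Package      Requested   Resolved
   > Contoso.Shared       1.2.0       1.2.0

   Transitive Package                                    Resolved
   > Microsoft.AspNetCore.DataProtection                 10.0.3
   > Microsoft.AspNetCore.DataProtection.Abstractions    10.0.3

Project 'Api' has the following package references
   [net10.0]:
   Top-level Package                               Requested   Resolved
   > Microsoft.AspNetCore.DataProtection           10.0.7      10.0.7
EOF
}
# Real use: dotnet list package --include-transitive | find_affected_dataprotection
```

Run it from the solution directory after a restore; a non-zero exit status makes it usable as a CI gate.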
Download .NET 10.0.7
| .NET 10.0 | |
|---|---|
| Release Notes | 10.0 release notes |
| Installers and binaries | 10.0.7 |
| Container Images | images |
| Linux packages | 10.0 |
| Known Issues | 10.0 |
Installation guidance
- Download and install the .NET 10.0.7 SDK or Runtime.
- Verify installation by running `dotnet --info` and confirming you are on 10.0.7.
- Rebuild and redeploy your applications using updated images or packages.
Share your feedback
If you experience any issues after installing this update, please let us know in the .NET release feedback issues.
The post .NET 10.0.7 Out-of-Band Security Update appeared first on .NET Blog.