https://thedotnetblog.com/tags/asp.net-core/Articles, tutorials and insights from the .NET community.Hugoen@thedotnetblog (The .NET Blog)@thedotnetblogWed, 22 Apr 2026 00:00:00 +0000https://thedotnetblog.com/posts/emiliano-montesdeoca/dotnet-10-0-7-oob-security-patch-data-protection/Wed, 22 Apr 2026 00:00:00 +0000Emiliano Montesdeocahttps://thedotnetblog.com/posts/emiliano-montesdeoca/dotnet-10-0-7-oob-security-patch-data-protection/.NET 10.0.7 is an out-of-band release fixing a security vulnerability in Microsoft.AspNetCore.DataProtection — the managed authenticated encryptor was computing HMAC over the wrong bytes, leading to potential elevation of privilege. Update immediately.<p>This one is not optional. If your application uses <code>Microsoft.AspNetCore.DataProtection</code>, you need to update to 10.0.7.</p> <h2 id="what-happened">What Happened</h2> <p>After the Patch Tuesday <code>.NET 10.0.6</code> release, some users started reporting that decryption was failing in their applications. The issue was filed as <a href="https://github.com/dotnet/aspnetcore/issues/66335">aspnetcore#66335</a>.</p> <p>While investigating that regression, the team discovered it also exposed a security vulnerability: <strong>CVE-2026-40372</strong>.</p> <p>In versions <code>10.0.0</code> through <code>10.0.6</code> of <code>Microsoft.AspNetCore.DataProtection</code>, the managed authenticated encryptor had a bug where it computed its HMAC validation tag over the <strong>wrong bytes</strong> of the payload and then discarded the computed hash. This could result in elevation of privilege.</p> <p>In plain terms: the integrity check wasn&rsquo;t doing what it was supposed to do. Data Protection uses authenticated encryption to prevent tampering — the HMAC is the &ldquo;has this been modified?&rdquo; check. If the HMAC is computed over the wrong data, you lose that guarantee.</p> <h2 id="who-is-affected">Who Is Affected</h2> <p>Any .NET 10 application using <code>Microsoft.AspNetCore.DataProtection</code> — versions 10.0.0 through 10.0.6. The good news is this package is specific to .NET 10. If you&rsquo;re still on .NET 8 or 9, you&rsquo;re not affected by this specific CVE.</p> <p>Common use cases for Data Protection: cookie encryption, antiforgery tokens, temp data in MVC, and any other use of <code>IDataProtector</code> in your application.</p> <h2 id="how-to-fix-it">How to Fix It</h2> <p>Update the <code>Microsoft.AspNetCore.DataProtection</code> NuGet package to <strong>10.0.7</strong>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">dotnet add package Microsoft.AspNetCore.DataProtection --version 10.0.7 </span></span></code></pre></div><p>Or update your SDK/runtime: <a href="https://dotnet.microsoft.com/download/dotnet/10.0">download .NET 10.0.7</a>.</p> <p>Verify you&rsquo;re on the right version:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">dotnet --info </span></span></code></pre></div><p>Then <strong>rebuild and redeploy</strong> your application. The fix doesn&rsquo;t take effect until you&rsquo;re running the updated package.</p> <h2 id="the-bigger-picture">The Bigger Picture</h2> <p>Out-of-band security releases are uncommon — they happen when a vulnerability is serious enough that it can&rsquo;t wait for the next scheduled Patch Tuesday. This one is a direct consequence of a regression in 10.0.6 creating a security gap. The fact that it was discovered through bug reports is a good sign that the process worked. The fix is fast and the scope is narrow.</p> <p>If you&rsquo;re running .NET 10 in production with any web application framework, this is a same-day update situation.</p> <p>Original announcement by Rahul Bhandari: <a href="https://devblogs.microsoft.com/dotnet/dotnet-10-0-7-oob-security-update/">.NET 10.0.7 Out-of-Band Security Update</a>.</p>