
Microsoft Releases Emergency .NET 10.0.7 Patch for Critical ASP.NET Core Privilege Escalation Flaw


Zero Signal Staff

Published April 23, 2026 at 1:28 AM ET


Ars Technica


Microsoft issued an emergency out-of-band security update on Tuesday evening, releasing .NET 10.0.7 to address CVE-2026-40372, a critical vulnerability in the Microsoft.AspNetCore.DataProtection package that allows unauthenticated attackers to gain SYSTEM-level privileges on applications running on macOS and Linux. The flaw, rated 9.1 out of 10.0 on the CVSS scale, affects all versions of the package from 10.0.0 through 10.0.6. Windows applications are not affected.

The Details

Microsoft discovered CVE-2026-40372 while investigating customer reports that decryption was failing after the April 15 Patch Tuesday release of .NET 10.0.6, according to the company's DevBlogs. During that investigation, engineers found both a regression bug causing the decryption failures and a separate, underlying security vulnerability in the same component.

The flaw lies in the HMAC validation process within the package's managed authenticated encryptor. According to Ars Technica, the encryptor computes its HMAC validation tag over the wrong bytes of the payload and then discards the computed hash — a logic error that renders the cryptographic signature check effectively meaningless.

Because the HMAC check is broken, unauthenticated attackers can forge authentication payloads and authenticate as privileged users without valid credentials, The Hacker News reported. The Microsoft Security Response Center states that a successful exploit allows an attacker to gain SYSTEM privileges on affected devices.

The impact extends beyond initial access. According to Ars Technica, attackers who forged payloads during the vulnerable window could have induced applications to issue legitimately-signed tokens — including session refresh tokens, API keys, and password reset links — that belong to privileged accounts. Microsoft warned that those tokens remain valid even after upgrading to 10.0.7 unless the DataProtection key ring is separately rotated.

Primary consequences for exploited applications include unauthorized file disclosure and data modification, Ars Technica reported. The vulnerability is confined to non-Windows operating systems: macOS and Linux deployments are affected, while Windows applications use different DataProtection encryptors by default that do not contain the defective code path.

Affected versions include all applications running Microsoft.AspNetCore.DataProtection versions 10.0.0 through 10.0.6 on macOS or Linux at runtime. Applications and libraries that referenced the package using net462 or netstandard2.0 target framework assets are also in scope, according to Ars Technica.

Microsoft released .NET 10.0.7 on Tuesday evening, April 22, and published CVE-2026-40372 simultaneously. Rahul Bhandari, Senior Program Manager on the Microsoft .NET team, issued a public advisory urging developers to act immediately, according to Bleeping Computer.

Context

ASP.NET Core is a high-performance, open-source web development framework used to build .NET applications that run on Windows, macOS, Linux, and Docker. The DataProtection subsystem it relies on handles cryptographic operations underpinning authentication tokens, session cookies, and other security-sensitive payloads across applications built on the framework.

The CVE-2026-40372 disclosure is not the first critical security issue Microsoft has addressed in ASP.NET Core in recent months. In October 2025, Microsoft patched CVE-2025-55315, an HTTP request smuggling vulnerability in the Kestrel web server component, which Bleeping Computer reported carried the highest severity rating ever assigned to an ASP.NET Core flaw at the time.

Microsoft credited the vulnerability to an anonymous researcher, according to The Hacker News. CVE-2026-40372 is tracked by the NIST National Vulnerability Database and CVE.org. The .NET 10.0.6 regression itself — the decryption failure customers reported — was found by Microsoft's own engineers while investigating those user reports, not by the researcher who reported the security flaw.

What's Next

Microsoft's official guidance to developers is direct: "If your application uses ASP.NET Core Data Protection, update the Microsoft.AspNetCore.DataProtection package to 10.0.7 as soon as possible to address the decryption regression and security vulnerability," the company stated via DevBlogs.

For organizations whose applications served Internet-exposed endpoints while running any of the vulnerable versions, patching alone is not sufficient. Microsoft advises rotating the DataProtection key ring after upgrading, because any tokens legitimately issued to forged identities during the exposure window will remain cryptographically valid until the key ring is replaced. As Microsoft stated via Ars Technica: "Those tokens remain valid after upgrading to 10.0.7 unless the DataProtection key ring is rotated."
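To make the two points above concrete (the validation tag computed and then discarded, and why tokens protected before rotation keep verifying), here is a constructed toy encrypt-then-MAC protector with a key ring. It is an added illustration of the bug class and of key-ring rotation, not code from Microsoft.AspNetCore.DataProtection; the key layout, the HMAC-in-counter-mode cipher and the `revoke_old` option are assumptions of this example.

```python
import hashlib
import hmac
import os

# Constructed toy protector (not the ASP.NET Core DataProtection source):
# key ring of key_id -> (enc_key, mac_key); protect() always uses the newest key.
KEY_RING: dict = {}
CURRENT: list = []

def rotate_key_ring(revoke_old: bool = False) -> bytes:
    """Add a fresh key and make it the default; with revoke_old, drop the old keys."""
    if revoke_old:
        KEY_RING.clear()
    key_id = os.urandom(4)
    KEY_RING[key_id] = (os.urandom(32), os.urandom(32))
    CURRENT[:] = [key_id]
    return key_id

def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode; adequate for a demo, not a production cipher."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def protect(plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: key_id || nonce || ciphertext || HMAC over all three."""
    key_id = CURRENT[0]
    enc_key, mac_key = KEY_RING[key_id]
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    body = key_id + nonce + ct
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def unprotect_broken(blob: bytes) -> bytes:
    """The bug class the article describes: a tag is computed but never compared."""
    body = blob[:-32]
    enc_key, mac_key = KEY_RING[body[:4]]
    hmac.new(mac_key, body, hashlib.sha256).digest()  # computed, then discarded
    nonce, ct = body[4:20], body[20:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

def unprotect(blob: bytes) -> bytes:
    """Correct check: recompute the tag over the same bytes, compare in constant time."""
    body, tag = blob[:-32], blob[-32:]
    if body[:4] not in KEY_RING:
        raise ValueError("unknown key id: protected before the key ring was rotated")
    enc_key, mac_key = KEY_RING[body[:4]]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        raise ValueError("HMAC validation failed")
    nonce, ct = body[4:20], body[20:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

rotate_key_ring()  # populate the ring so protect() works on import
```

A single flipped ciphertext byte passes `unprotect_broken` and fails `unprotect`; adding a key with `rotate_key_ring()` still verifies older payloads, and only `rotate_key_ring(revoke_old=True)` makes them fail.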
