
Microsoft releases emergency out-of-band .NET update to patch severe bug

Microsoft rushes out .NET 10.0.7 update to fix critical 9.1 vulnerability enabling privilege escalation and data access risks.

.NET forms a core part of Windows and other operating systems, and many applications rely on the platform to run across billions of devices. Microsoft concurrently supports multiple versions of .NET and regularly urges IT admins not to run unsupported versions. This matters because security vulnerabilities in the platform can create significant supply chain risks. Now, Microsoft has released an out-of-band security update for the latest version of .NET.

Microsoft notes that after Patch Tuesday's release of .NET 10.0.6, several customers reported that decryption was failing in their applications. As the Redmond tech firm investigated this issue, it also discovered a bigger problem, namely a security vulnerability.

This vulnerability is tagged as CVE-2026-40372 and has a severity of 9.1. It allows an attacker to elevate privileges (EoP) by forging authentication cookies and decrypting some protected payloads. The flaw is present in the Microsoft.AspNetCore.DataProtection NuGet package, in which "the managed authenticated encryptor could compute its HMAC validation tag over the wrong bytes of the payload and then discard the computed hash, which could result in elevation of privilege." Because the computed tag is discarded rather than compared against the payload, a tampered or forged payload is not rejected, which is what makes the cookie forgery possible.

Microsoft has emphasized that all non-Windows operating systems with .NET 10.0.6 are impacted. You are also affected if all of the following conditions are true:

  • Your application or library referenced Microsoft.AspNetCore.DataProtection versions 10.0.0 through 10.0.6 from NuGet.
  • The build consumed the net462 or netstandard2.0 target framework asset of that package. This occurs when your application does not target net10.0 but still consumes the package (e.g. net8.0, net9.0, or net481 for Mono). This combination is unusual because 10.0 NuGet packages are generally intended for use with .NET 10.
  • The application ran on Linux, macOS, or any other non-Windows operating system.

Some other configurations may be impacted too, and you can find out more details here.

To patch this security lapse, Microsoft has released an OOB security update, namely .NET 10.0.7, which also fixes the decryption regression. You can download and install it from here and then run dotnet --info in a terminal (Command Prompt on Windows) to confirm that you have the latest version. After that, rebuild and redeploy your dependent software against the updated package.
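The three exposure conditions listed above, together with the version check that the 10.0.7 release implies, can be turned into a quick project-level triage script. The following is an added example written for this article; it is not code from Microsoft or from the DataProtection package. It parses a .csproj file, looks for a PackageReference to Microsoft.AspNetCore.DataProtection in the 10.0.0 to 10.0.6 range, checks whether any target framework is something other than net10.0 (the case the advisory says picks up the package's net462/netstandard2.0 asset), and combines that with the operating system the application runs on. The .csproj text embedded in the script is constructed sample input; the function names and the simplified pre-release version handling are this example's own assumptions.

```python
"""Triage a .csproj against the CVE-2026-40372 exposure conditions from the article.

Conditions (all must hold): Microsoft.AspNetCore.DataProtection 10.0.0-10.0.6
referenced from NuGet, a build that does not target net10.0, and a run on a
non-Windows OS. This is an illustrative check, not Microsoft's own tooling.
"""
import platform
import sys
import xml.etree.ElementTree as ET

PACKAGE = "Microsoft.AspNetCore.DataProtection"
AFFECTED_MIN = (10, 0, 0)
AFFECTED_MAX = (10, 0, 6)  # 10.0.7 is the out-of-band fix


def local_name(tag):
    """Strip an XML namespace ('{ns}Tag' -> 'Tag'); older csproj files carry one."""
    return tag.split("}", 1)[-1]


def parse_version(text):
    """'10.0.3' -> (10, 0, 3). A pre-release suffix ('10.0.0-rc.1') is dropped,
    an approximation that treats the pre-release as its base version.
    Returns None for ranges or wildcards such as '[10.0.*]'."""
    core = text.split("-", 1)[0]
    parts = []
    for piece in core.split("."):
        if not piece.isdigit():
            return None
        parts.append(int(piece))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def target_frameworks(root):
    """Collect TFMs from <TargetFramework> and semicolon-separated <TargetFrameworks>."""
    tfms = []
    for el in root.iter():
        if local_name(el.tag) in ("TargetFramework", "TargetFrameworks") and el.text:
            tfms.extend(t.strip() for t in el.text.split(";") if t.strip())
    return tfms


def dataprotection_versions(root):
    """Versions of the DataProtection package referenced in the project.
    The version may be a Version attribute or a child <Version> element."""
    versions = []
    for el in root.iter():
        if local_name(el.tag) != "PackageReference":
            continue
        if el.get("Include", "").lower() != PACKAGE.lower():
            continue
        version = el.get("Version")
        if version is None:
            for child in el:
                if local_name(child.tag) == "Version" and child.text:
                    version = child.text
        if version:
            versions.append(version.strip())
    return versions


def assess_csproj(csproj_xml, os_name):
    """Evaluate the advisory's conditions for one project on one OS.
    os_name is a platform.system()-style string: 'Linux', 'Darwin', 'Windows'."""
    root = ET.fromstring(csproj_xml)
    affected_versions = []
    for v in dataprotection_versions(root):
        parsed = parse_version(v)
        if parsed is not None and AFFECTED_MIN <= parsed <= AFFECTED_MAX:
            affected_versions.append(v)
    # Builds that do not target net10.0 pick up the net462/netstandard2.0 asset.
    non_net10_tfms = [t for t in target_frameworks(root)
                      if not t.lower().startswith("net10.")]
    non_windows = os_name.lower() != "windows"
    return {
        "affected_versions": affected_versions,
        "non_net10_tfms": non_net10_tfms,
        "non_windows": non_windows,
        "exposed": bool(affected_versions) and bool(non_net10_tfms) and non_windows,
    }


# Constructed sample: a net8.0 web app pulling in the 10.0.x DataProtection package.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup>
    <TargetFramework>net8.0</TargetFramework>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="10.0.3" />
  </ItemGroup>
</Project>
"""

if __name__ == "__main__":
    # Usage: python triage.py [path/to/project.csproj ...]; defaults to the sample.
    paths = sys.argv[1:]
    inputs = [(p, open(p, encoding="utf-8").read()) for p in paths] or [("sample", SAMPLE_CSPROJ)]
    for name, xml_text in inputs:
        result = assess_csproj(xml_text, platform.system())
        print(f"{name}: {'EXPOSED' if result['exposed'] else 'not exposed'} {result}")
```

Running it with no arguments evaluates the embedded sample on the current OS; on Linux or macOS the sample is reported as exposed, on Windows it is not, and swapping the target framework to net10.0 or the package version to 10.0.7 clears the verdict as well. Note that this only covers the conditions the article lists; Microsoft's advisory mentions further affected configurations, and the runtime-level statement (any non-Windows host running .NET 10.0.6) still has to be checked with dotnet --info.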

It's a severe issue overall, as underscored by Microsoft's decision to release an OOB update so soon after Patch Tuesday. The tech giant says that an attacker who successfully exploits this flaw can gain SYSTEM privileges, allowing them to read files and modify data, so it's essential that you install .NET 10.0.7 as soon as possible if you are impacted.
