The .NET framework, developed by Microsoft, underpins a large share of the software in use today. Microsoft maintains several versions of the platform at the same time, and it strongly advises developers and system administrators to move off unsupported versions, because older releases often carry security vulnerabilities that put organizations at real risk.
Of particular concern is a newly disclosed vulnerability in currently supported versions of .NET, rated critical with a severity score of 9.1. Given the seriousness of the flaw, Microsoft has released an out-of-band update to fix it. The affected releases are .NET 10.0.0 through 10.0.6.
The discovery followed the release of .NET 10.0.6 in the April regular update cycle, after which several users reported that decryption in their .NET applications had stopped working. While investigating those reports, Microsoft found a privilege escalation vulnerability affecting versions 10.0.0 through 10.0.6.
Tracked as CVE-2026-40372, the vulnerability resides in the Microsoft.AspNetCore.DataProtection NuGet package. An attacker could exploit it to forge authentication cookies and decrypt protected payloads, which in turn allows elevation of privilege. Microsoft explained that the data protection system performs authenticated encryption: it is supposed to compute an HMAC (Hash-based Message Authentication Code) over the protected payload and compare it with the stored tag, rejecting any payload that fails the check. A coding error caused the HMAC to be computed over the wrong bytes and the result to be discarded without ever being compared, so the integrity check was effectively never enforced.
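The following is an added illustration of the bug class Microsoft describes, not code from the DataProtection package or from Microsoft's advisory. It uses a toy encrypt-then-MAC scheme (an HMAC-SHA256 counter-mode keystream in place of AES, and HMAC-SHA256 tags) so that it runs stand-alone; the master key, cookie contents and all function names are constructed for the example. `unprotect_broken` models a verifier that computes the HMAC over the wrong input and throws the result away, while `unprotect_fixed` recomputes the tag over exactly the authenticated bytes and compares it in constant time. The forgery step shows why this matters: an attacker who knows the plaintext of their own token needs no key to flip ciphertext bits into `role=admin`, and only a working integrity check stops it.

```python
import hmac
import hashlib
import os

# Constructed demo key; a real system would load keys from a managed key ring.
MASTER_KEY = bytes(range(32))
NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output length


def derive_keys(master: bytes) -> tuple[bytes, bytes]:
    """Derive separate encryption and MAC subkeys from one master key (toy KDF)."""
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (a toy stream cipher, not AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect(master: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC(nonce || ciphertext)."""
    enc_key, mac_key = derive_keys(master)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = xor_bytes(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def split_blob(blob: bytes) -> tuple[bytes, bytes, bytes]:
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("payload too short")
    return blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]


def unprotect_broken(master: bytes, blob: bytes) -> bytes:
    """Models the bug class in the advisory: the HMAC is computed over the wrong
    bytes and the result is thrown away without a comparison, so any tag is
    accepted and the ciphertext is decrypted regardless."""
    enc_key, mac_key = derive_keys(master)
    nonce, ciphertext, _tag = split_blob(blob)
    _unused = hmac.new(mac_key, nonce, hashlib.sha256).digest()  # wrong input, never compared
    return xor_bytes(ciphertext, keystream(enc_key, nonce, len(ciphertext)))


def unprotect_fixed(master: bytes, blob: bytes) -> bytes:
    """Correct verify-then-decrypt: recompute the tag over exactly the bytes that
    were authenticated and compare in constant time before touching the ciphertext."""
    enc_key, mac_key = derive_keys(master)
    nonce, ciphertext, tag = split_blob(blob)
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    return xor_bytes(ciphertext, keystream(enc_key, nonce, len(ciphertext)))


def forge_by_bitflip(blob: bytes, known_plaintext: bytes, wanted_plaintext: bytes) -> bytes:
    """Attacker who knows the plaintext of their own token (same length as the
    target) flips ciphertext bits so it decrypts to the wanted plaintext. No key
    is needed; the original tag is left in place and is only caught if checked."""
    if len(known_plaintext) != len(wanted_plaintext):
        raise ValueError("demo assumes equal-length plaintexts")
    nonce, ciphertext, tag = split_blob(blob)
    forged_ct = xor_bytes(ciphertext, xor_bytes(known_plaintext, wanted_plaintext))
    return nonce + forged_ct + tag


def demo() -> dict:
    """Constructed cookie: the attacker holds a low-privilege token and rewrites it."""
    original = b"user=alice;role=user;"
    wanted = b"user=alice;role=admin"
    blob = protect(MASTER_KEY, original)
    forged = forge_by_bitflip(blob, original, wanted)
    try:
        unprotect_fixed(MASTER_KEY, forged)
        fixed_rejects = False
    except ValueError:
        fixed_rejects = True
    return {
        "broken_output": unprotect_broken(MASTER_KEY, forged),  # forged role accepted
        "fixed_rejects_forgery": fixed_rejects,
        "fixed_roundtrip": unprotect_fixed(MASTER_KEY, blob) == original,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the contrast is that the two verifiers share every line except the tag handling: a MAC that is computed but never compared, or compared against a digest of the wrong bytes, gives the same security as no MAC at all, and a stream-cipher-style payload then degrades to attacker-controlled plaintext.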
As a result, an attacker can fabricate protected data such as session tokens, authentication cookies and password reset links, and the application will accept the forged content as genuine. To address this, Microsoft has released .NET 10.0.7, described as a secure-by-default update designed for straightforward deployment. The release fixes both the decryption failures reported after 10.0.6 and the privilege escalation vulnerability. Microsoft urges all developers and organizations running .NET 10.0.0 through 10.0.6 to upgrade to 10.0.7 immediately. Because the affected code ships as a NuGet package, projects that reference Microsoft.AspNetCore.DataProtection directly should confirm that the referenced package version has been updated as well, not only the installed runtime.