{"id":59947,"date":"2026-04-21T11:48:34","date_gmt":"2026-04-21T18:48:34","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/dotnet\/?p=59947"},"modified":"2026-04-21T15:54:07","modified_gmt":"2026-04-21T22:54:07","slug":"dotnet-10-0-7-oob-security-update","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/dotnet\/dotnet-10-0-7-oob-security-update\/","title":{"rendered":".NET 10.0.7 Out-of-Band Security Update"},"content":{"rendered":"<p>We are releasing .NET 10.0.7 as an out-of-band (OOB) update to address a security issue introduced in <a href=\"https:\/\/www.nuget.org\/packages\/Microsoft.AspNetCore.DataProtection\">Microsoft.AspNetCore.DataProtection<\/a>.<\/p>\n<h2>Security update details<\/h2>\n<p>This release includes a fix for <a href=\"https:\/\/github.com\/dotnet\/announcements\/issues\/395\">CVE-2026-40372<\/a>.<\/p>\n<p>After the Patch Tuesday <code>.NET 10.0.6<\/code> release, some customers reported that decryption was failing in their applications. This behavior was reported in <a href=\"https:\/\/github.com\/dotnet\/aspnetcore\/issues\/66335\">aspnetcore issue #66335<\/a>.<\/p>\n<p>While investigating those reports, we determined that the regression also exposed a vulnerability. 
In versions <code>10.0.0<\/code> through <code>10.0.6<\/code> of the <code>Microsoft.AspNetCore.DataProtection<\/code> NuGet package, the managed authenticated encryptor could compute its HMAC validation tag over the wrong bytes of the payload and then discard the computed hash, which could result in elevation of privilege.<\/p>\n<p><div class=\"alert alert-warning\"><p class=\"alert-divider\"><i class=\"fabric-icon fabric-icon--Warning\"><\/i><strong>Update required<\/strong><\/p>If your application uses ASP.NET Core Data Protection, update the <code>Microsoft.AspNetCore.DataProtection<\/code> package to 10.0.7 as soon as possible to address the decryption regression and security vulnerability.<\/div><\/p>\n<h3>Download .NET 10.0.7<\/h3>\n<table>\n<thead>\n<tr>\n<th><\/th>\n<th>.NET 10.0<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Release Notes<\/td>\n<td><a href=\"https:\/\/github.com\/dotnet\/core\/blob\/main\/release-notes\/10.0\/README.md\">10.0 release notes<\/a><\/td>\n<\/tr>\n<tr>\n<td>Installers and binaries<\/td>\n<td><a href=\"https:\/\/dotnet.microsoft.com\/download\/dotnet\/10.0\">10.0.7<\/a><\/td>\n<\/tr>\n<tr>\n<td>Container Images<\/td>\n<td><a href=\"https:\/\/mcr.microsoft.com\/catalog?search=dotnet\/\">images<\/a><\/td>\n<\/tr>\n<tr>\n<td>Linux packages<\/td>\n<td><a href=\"https:\/\/github.com\/dotnet\/core\/blob\/main\/release-notes\/10.0\/install-linux.md\">10.0<\/a><\/td>\n<\/tr>\n<tr>\n<td>Known Issues<\/td>\n<td><a href=\"https:\/\/github.com\/dotnet\/core\/blob\/main\/release-notes\/10.0\/known-issues.md\">10.0<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3>Installation guidance<\/h3>\n<ol>\n<li>Download and install the <a href=\"https:\/\/dotnet.microsoft.com\/download\/dotnet\/10.0\">.NET 10.0.7 SDK or Runtime<\/a>.<\/li>\n<li>Verify installation by running <code>dotnet --info<\/code> and confirming you are on 10.0.7.<\/li>\n<li>Rebuild and redeploy your applications using updated images or packages.<\/li>\n<\/ol>\n<h2>Share your 
feedback<\/h2>\n<p>If you experience any issues after installing this update, please let us know in the <a href=\"https:\/\/github.com\/dotnet\/core\/issues\">.NET release feedback issues<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We are releasing .NET 10.0.7 as an out-of-band security update to address CVE-2026-40372.<\/p>\n","protected":false},"author":7455,"featured_media":59951,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[685,7600],"tags":[7892,8149,8128,123],"class_list":["post-59947","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-dotnet","category-maintenance-and-updates","tag-dotnet-10","tag-cve-2026-40372","tag-oob","tag-security"],"acf":[],"blog_post_summary":"<p>We are releasing .NET 10.0.7 as an out-of-band security update to address CVE-2026-40372.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts\/59947","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/users\/7455"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/comments?post=59947"}],"version-history":[{"count":2,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts\/59947\/revisions"}],"predecessor-version":[{"id":59954,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts\/59947\/revisions\/59954"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/media\/59951"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/media?parent=59947"}],"wp:term":[
{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/categories?post=59947"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/tags?post=59947"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}