
Protecting Your ASP.NET Core Applications: Applying the .NET 10.0.7 Out-of-Band Security Patch

Published 2026-05-05 02:46:49 · Cybersecurity

Introduction

If you run ASP.NET Core applications that depend on Microsoft.AspNetCore.DataProtection, you need to act quickly. Microsoft has released an out-of-band (OOB) security update, .NET 10.0.7, to fix CVE-2026-40372, a vulnerability in the data protection stack that could allow an attacker to gain elevated privileges. The issue surfaced after the Patch Tuesday release of .NET 10.0.6, when some customers reported decryption failures. Investigation revealed a regression in versions 10.0.0 through 10.0.6: the managed authenticated encryptor could compute its HMAC validation tag over the wrong bytes of the payload and then discard the computed hash. Because the data protection system relies on that tag to decide whether a payload is genuine, the flaw was classified as an elevation of privilege. This guide walks you through updating your environment and applications to close the gap.

Protecting Your ASP.NET Core Applications: Applying the .NET 10.0.7 Out-of-Band Security Patch
Source: devblogs.microsoft.com

What You Need

  • Administrative access to your development and production machines
  • An existing .NET 10.0.x SDK or runtime installed (versions 10.0.0–10.0.6)
  • Access to the NuGet package feed (the update is available via nuget.org)
  • Your project source code and a build pipeline (e.g., CI/CD)
  • Optional: A staging environment to test the update before deploying to production

Step-by-Step Guide

Step 1: Verify Your Current .NET Version

Before making any changes, confirm which version of the .NET SDK or runtime you are using. Open a terminal or command prompt and run:

dotnet --info

Look at the SDK version and at the installed Microsoft.AspNetCore.App runtimes (dotnet --list-runtimes prints just the runtimes). If they show 10.0.0, 10.0.1, …, or 10.0.6, you are vulnerable and must update to 10.0.7. If you see 10.0.7, the machine is covered, though projects that reference the Data Protection package explicitly still need the package update in Step 2. Two caveats: dotnet --info reports the SDK selected for the current directory (a global.json can pin an older one), and production hosts run on the installed runtime rather than the SDK, so check both.

Step 2: Update the Microsoft.AspNetCore.DataProtection NuGet Package

The vulnerability lives in the Microsoft.AspNetCore.DataProtection package, and the fix ships both as a 10.0.7 NuGet package and inside the 10.0.7 ASP.NET Core runtime. If your project references the package explicitly (common for class libraries, workers and non-web projects), open your solution and update the package reference to version 10.0.7 via the NuGet Package Manager in Visual Studio, the .NET CLI, or by editing your .csproj file. If your web app gets Data Protection from the Microsoft.AspNetCore.App shared framework (the default for projects using Microsoft.NET.Sdk.Web with no explicit package reference), there is no package to bump; the fix comes from the runtime update in Step 3.

  • Using .NET CLI: Navigate to your project directory and run:
    dotnet add package Microsoft.AspNetCore.DataProtection --version 10.0.7
  • Using Visual Studio: Right-click the project, select Manage NuGet Packages, search for Microsoft.AspNetCore.DataProtection, and install version 10.0.7.
  • Editing .csproj: Change the PackageReference version to 10.0.7.

After updating, restore the packages:

dotnet restore

Step 3: Update the .NET SDK and Runtime to 10.0.7

While the package update is critical, you should also update the SDK and runtime so that every build machine and host runs the fixed code. Download the appropriate installer from the official .NET download page (https://dotnet.microsoft.com/download/dotnet/10.0). Choose 10.0.7 for your operating system (Windows, macOS, Linux). Production hosts that only run published applications need the ASP.NET Core runtime, not the SDK.

  • Windows: Run the installer (e.g., dotnet-sdk-10.0.7-win-x64.exe) and follow the prompts, or the ASP.NET Core Runtime / Hosting Bundle installer on IIS hosts.
  • macOS: Use the .pkg installer or, if you installed through Homebrew, run brew upgrade --cask dotnet-sdk.
  • Linux: With the Microsoft package repository (or your distribution's own .NET feed) configured, run sudo apt-get update && sudo apt-get install dotnet-sdk-10.0 on build machines and sudo apt-get install aspnetcore-runtime-10.0 on hosts that only run the app (use the equivalent dnf or zypper commands on other distributions).

Step 4: Confirm the Update

After installation, verify that the new version is active. Run:

dotnet --info

The output should show 10.0.7 for the SDK version and for the Microsoft.AspNetCore.App runtime. Also confirm the package version in each project that references it, either by reviewing the .csproj file or by running dotnet list package in the project directory, which prints the resolved version of every package reference.


Step 5: Rebuild and Redeploy Your Application

Now that your development environment is updated, rebuild your application. Use the following commands (adjust for your project type):

dotnet clean
dotnet build
dotnet run

For deployment, publish rather than run (dotnet publish -c Release). Framework-dependent deployments pick up the fix from the 10.0.7 runtime installed on the host; self-contained and single-file deployments bundle their own copy of the runtime, so they are only fixed once republished with the 10.0.7 SDK. If you are deploying container images, update your Docker base image to mcr.microsoft.com/dotnet/aspnet:10.0.7 (and mcr.microsoft.com/dotnet/sdk:10.0.7 for build stages). A floating tag such as 10.0 would pull the patch on the next rebuild, but pinning the exact version makes the rollout explicit and easy to audit. If the production host runs the shared framework from Linux packages, upgrade aspnetcore-runtime-10.0 there as well. Rebuild your containers and push the new images to your registry.

Step 6: Test Decryption Functionality

The original issue was reported as decryption failures. After applying the patch, thoroughly test any features that rely on data protection, such as:

  • Cookie authentication (e.g., ASP.NET Core Identity)
  • Anti-forgery tokens
  • Encrypted query strings or form data
  • Any custom use of IDataProtector

Run automated tests and manually verify that encryption and decryption work correctly. If you were experiencing decryption errors before, they should now be resolved.
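The checks above can be automated. The following xunit smoke test is an added example written for this guide; it is not code from the Microsoft blog post or from the ASP.NET Core repository. It assumes a test project that references Microsoft.AspNetCore.DataProtection 10.0.7, Microsoft.Extensions.DependencyInjection and xunit; the application name, purpose strings, key directory and sample payloads are made up for the example. It forces the managed AES-CBC + HMACSHA256 encryptor, the code path the advisory names, so the test exercises it on Windows too (where the default is the CNG encryptor), and it verifies the three properties a patched Data Protection stack must have: the loaded assembly is 10.0.7 or later, protect/unprotect round-trips, and any modified payload is rejected rather than decrypted.

```csharp
// Added example for this guide (not from the blog post or the ASP.NET Core repo).
// Assumes: xunit test project referencing Microsoft.AspNetCore.DataProtection 10.0.7
// and Microsoft.Extensions.DependencyInjection. Names and payloads are hypothetical.
using System;
using System.IO;
using System.Reflection;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel;
using Microsoft.Extensions.DependencyInjection;
using Xunit;

public class DataProtectionSmokeTests : IDisposable
{
    private readonly string _keyDir =
        Path.Combine(Path.GetTempPath(), "dp-smoke-" + Guid.NewGuid().ToString("N"));
    private readonly ServiceProvider _services;
    private readonly IDataProtector _protector;

    public DataProtectionSmokeTests()
    {
        Directory.CreateDirectory(_keyDir);
        var services = new ServiceCollection();
        services.AddDataProtection()
            .SetApplicationName("dp-smoke-example")              // hypothetical app name
            // Keys are written unencrypted to a throwaway temp directory: fine for a
            // test, never for production.
            .PersistKeysToFileSystem(new DirectoryInfo(_keyDir))
            // Force the managed AES-CBC + HMACSHA256 encryptor on every OS so the test
            // hits the code path named in the advisory. Windows otherwise defaults to
            // the CNG encryptor; Linux and macOS already use the managed one.
            .UseCustomCryptographicAlgorithms(new ManagedAuthenticatedEncryptorConfiguration
            {
                EncryptionAlgorithmType = typeof(Aes),
                EncryptionAlgorithmKeySize = 256,
                ValidationAlgorithmType = typeof(HMACSHA256),
            });
        _services = services.BuildServiceProvider();
        _protector = _services.GetRequiredService<IDataProtectionProvider>()
                              .CreateProtector("SmokeTest.v1");   // hypothetical purpose
    }

    [Fact]
    public void LoadedAssemblyIsPatched()
    {
        // Assumption: the assembly's informational version reads like "10.0.7+<commit>".
        // This catches a test run that silently resolved a pre-patch build.
        var version = typeof(DataProtectionOptions).Assembly
            .GetCustomAttribute<AssemblyInformationalVersionAttribute>()?.InformationalVersion ?? "";
        Assert.StartsWith("10.0.", version);
        var patch = int.Parse(version.Split('.', '+', '-')[2]);
        Assert.True(patch >= 7, $"Microsoft.AspNetCore.DataProtection {version} predates the 10.0.7 fix");
    }

    [Fact]
    public void RoundTripsStringsAndBytes()
    {
        const string secret = "user=42;role=admin";            // constructed sample payload
        Assert.Equal(secret, _protector.Unprotect(_protector.Protect(secret)));

        var raw = Encoding.UTF8.GetBytes(secret);
        Assert.Equal(raw, _protector.Unprotect(_protector.Protect(raw)));
    }

    [Fact]
    public void RejectsTamperedPayloads()
    {
        var payload = _protector.Protect(Encoding.UTF8.GetBytes("constructed sample"));

        // With HMACSHA256 the validation tag is the final 32 bytes of the payload.
        // Flip one bit inside the ciphertext and, separately, inside the tag: both must
        // fail the integrity check, which is the guarantee the HMAC path exists to provide.
        foreach (var index in new[] { payload.Length - 33, payload.Length - 1 })
        {
            var tampered = (byte[])payload.Clone();
            tampered[index] ^= 0x01;
            Assert.ThrowsAny<CryptographicException>(() => _protector.Unprotect(tampered));
        }
    }

    [Fact]
    public void DifferentPurposeCannotUnprotect()
    {
        // Purpose strings derive different subkeys, so a protector for another purpose
        // must reject the payload instead of decrypting it.
        var other = _services.GetRequiredService<IDataProtectionProvider>()
                             .CreateProtector("SmokeTest.v2");   // hypothetical purpose
        var payload = _protector.Protect("purpose-bound");
        Assert.ThrowsAny<CryptographicException>(() => other.Unprotect(payload));
    }

    public void Dispose()
    {
        _services.Dispose();
        Directory.Delete(_keyDir, recursive: true);
    }
}
```

Run it with dotnet test on the same OS image your production containers or hosts use. If your application takes Data Protection from the Microsoft.AspNetCore.App shared framework rather than an explicit package reference, build the test project the same way so that it loads the same assembly the application does; the LoadedAssemblyIsPatched test then tells you whether the host's runtime was actually updated.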

Step 7: Report Any Issues

If you encounter new problems after the update, please report them to the .NET team via the ASP.NET Core issue tracker with the label release-feedback. Provide detailed steps to reproduce and include your environment information. The team actively monitors feedback for OOB releases.

Tips for a Smooth Update

  • Back up your data and configuration before applying any security patches, especially in production.
  • Test in a staging environment that mirrors production to catch regressions.
  • Monitor application logs after deployment for any decryption or authentication failures.
  • Update all dependent projects that reference the Data Protection package; don't leave any old versions lying around.
  • Check the official known issues list for .NET 10.0 on the GitHub known issues page to stay informed of any post-release fixes.
  • Coordinate with your team to ensure all developers and CI/CD pipelines are aligned on version 10.0.7.

By following these steps, you’ll close the CVE-2026-40372 vulnerability and restore secure decryption in your ASP.NET Core applications. Don’t delay — update today.