Protecting Your ASP.NET Core Applications: Applying the .NET 10.0.7 Out-of-Band Security Patch

<h2>Introduction</h2> <p>If you work with ASP.NET Core and rely on <strong>Microsoft.AspNetCore.DataProtection</strong>, you need to act quickly. An out-of-band (OOB) security update, <strong>.NET 10.0.7</strong>, has been released to fix a serious vulnerability (<strong>CVE-2026-40372</strong>) that could allow an attacker to gain elevated privileges. The issue surfaced after the Patch Tuesday release of .NET 10.0.6, when some customers reported decryption failures. Investigation revealed a regression: in versions 10.0.0 through 10.0.6, the managed authenticated encryptor could compute its HMAC validation tag over the wrong bytes of the payload and then discard the computed hash. The HMAC tag is what authenticates a protected payload (authentication cookies, anti-forgery tokens, and anything else passed through an <code>IDataProtector</code>), so a defect in how that tag is computed and checked is a security bug rather than a mere reliability bug, and Microsoft rated it an elevation of privilege. This guide walks you through updating your environment and applications to close the gap.</p><figure style="margin:20px 0"><img src="https://devblogs.microsoft.com/dotnet/wp-content/uploads/sites/10/2026/04/thumbnail-1776800944887.webp" alt="Protecting Your ASP.NET Core Applications: Applying the .NET 10.0.7 Out-of-Band Security Patch" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: devblogs.microsoft.com</figcaption></figure> <h2>What You Need</h2> <ul> <li>Administrative access to your development machines, build agents and production hosts</li> <li>An existing .NET 10.0.x SDK or runtime (any of 10.0.0 through 10.0.6)</li> <li>Access to nuget.org, or an internal mirror of it, for the updated package</li> <li>Your project source code and a build pipeline (e.g., CI/CD)</li> <li>Optional: a staging environment to test the update before deploying to production</li> </ul> <h2>Step-by-Step Guide</h2> <h3 id="step1">Step 1: Verify Your Current .NET Version</h3> <p>Before making any changes, confirm which SDK and which runtimes are installed on each machine, build agents and servers included. 
Open a terminal or command prompt and run:</p> <pre><code>dotnet --info</code></pre> <p>The output lists the SDK in use and every installed runtime (<code>dotnet --list-runtimes</code> prints just the runtimes). If <strong>Microsoft.NETCore.App</strong> or <strong>Microsoft.AspNetCore.App</strong> shows <strong>10.0.0</strong>, <strong>10.0.1</strong>, …, or <strong>10.0.6</strong> and no <strong>10.0.7</strong> entry is present, you are vulnerable and must update. Framework-dependent apps roll forward to the newest installed 10.0.x patch, so installing 10.0.7 fixes them; self-contained and single-file apps carry their own copy of the runtime and are fixed only when republished (see Step 5). If you already see <strong>10.0.7</strong>, the runtime is covered, but any project that references the NuGet package explicitly still needs its package version bumped.</p> <h3 id="step2">Step 2: Update the Microsoft.AspNetCore.DataProtection NuGet Package</h3> <p>Most ASP.NET Core web projects (those built with the <code>Microsoft.NET.Sdk.Web</code> SDK) do not reference this package directly: they get it from the <strong>Microsoft.AspNetCore.App</strong> shared framework, and the runtime update in Step 3 is what fixes them. Projects that reference the package explicitly, such as worker services, console tools or class libraries that use <code>IDataProtector</code> outside a web host, must be updated to version <strong>10.0.7</strong>. Search your solution for <code>PackageReference</code> entries (and <code>Directory.Packages.props</code> if you use central package management) naming <code>Microsoft.AspNetCore.DataProtection</code> or a <code>Microsoft.AspNetCore.DataProtection.*</code> package that depends on it, and update each one. You can do this via the NuGet Package Manager in Visual Studio, the .NET CLI, or by editing your <code>.csproj</code> file.</p> <ul> <li><strong>Using .NET CLI:</strong> Navigate to your project directory and run:<br/> <code>dotnet add package Microsoft.AspNetCore.DataProtection --version 10.0.7</code></li> <li><strong>Using Visual Studio:</strong> Right-click the project, select <em>Manage NuGet Packages</em>, search for <code>Microsoft.AspNetCore.DataProtection</code>, and install version 10.0.7.</li> <li><strong>Editing .csproj:</strong> Change the <code>PackageReference</code> version to <code>10.0.7</code>.</li> </ul> <p>After updating, restore the packages, then ask the SDK which referenced packages still carry a published advisory:</p> <pre><code>dotnet restore
dotnet list package --vulnerable</code></pre> <p>The second command only sees explicit package references, not the shared framework, so it complements Step 1 rather than replacing it.</p> <h3 id="step3">Step 3: Update the .NET SDK and Runtime to 10.0.7</h3> <p>The runtime update is what actually fixes framework-dependent apps, but update the SDK as well so that builds, <code>dotnet publish</code> of self-contained apps and developer machines all use the same patched bits. Download the appropriate installer from the official .NET download page (<a href="https://dotnet.microsoft.com/download/dotnet/10.0" target="_blank">https://dotnet.microsoft.com/download/dotnet/10.0</a>). 
Choose the version <strong>10.0.7</strong> for your operating system (Windows, macOS, Linux).</p> <ul> <li><strong>Windows:</strong> Run the installer (e.g., <code>dotnet-sdk-10.0.7-win-x64.exe</code>) and follow the prompts. Servers that only run apps need the ASP.NET Core Runtime or the Hosting Bundle (for IIS), not the full SDK.</li> <li><strong>macOS:</strong> Use the <code>.pkg</code> installer, or, if you installed through Homebrew, run <code>brew upgrade --cask dotnet-sdk</code>.</li> <li><strong>Linux:</strong> Refresh the Microsoft package repository (or your distribution's feed) and upgrade, e.g. on Debian/Ubuntu <code>sudo apt-get update &amp;&amp; sudo apt-get install dotnet-sdk-10.0</code>; hosts that only run apps need <code>aspnetcore-runtime-10.0</code> instead.</li> </ul> <h3 id="step4">Step 4: Confirm the Update</h3> <p>After installation, verify that the new version is active. Run:</p> <pre><code>dotnet --info</code></pre> <p>The output should list <strong>10.0.7</strong> as the SDK version and show a <strong>10.0.7</strong> entry for both <strong>Microsoft.NETCore.App</strong> and <strong>Microsoft.AspNetCore.App</strong>. Older 10.0.x runtimes may remain installed alongside it; framework-dependent apps will prefer the newest patch, but removing the old ones leaves nothing for an app with roll-forward disabled to land on. Also confirm the package version in any project that references it, by reviewing the <code>.csproj</code> file or running <code>dotnet list package</code>.</p> <h3 id="step5">Step 5: Rebuild and Redeploy Your Application</h3> <p>Now that your development environment is updated, rebuild the application and run its test suite (adjust for your project type):</p> <pre><code>dotnet clean
dotnet build
dotnet test</code></pre> <p>Then publish and deploy as usual. A self-contained or single-file publish embeds the runtime, so those apps stay vulnerable until they are published again with the 10.0.7 SDK and redeployed. If you ship container images, update the base image to <code>mcr.microsoft.com/dotnet/aspnet:10.0.7</code> (and the <code>sdk</code> variant in build stages); if you rely on the floating <code>10.0</code> tag instead, rebuild with <code>docker build --pull</code> so a cached 10.0.6 layer is not reused. For Linux hosts that install the runtime from packages, upgrade the packages as in Step 3. Rebuild your containers, push the new images to your registry, and roll them out.</p> <h3 id="step6">Step 6: Test Decryption Functionality</h3> <p>The original issue was reported as decryption failures. 
After applying the patch, thoroughly test any features that rely on data protection, such as:</p> <ul> <li>Cookie authentication (e.g., ASP.NET Core Identity sign-in and session cookies)</li> <li>Anti-forgery tokens</li> <li>Encrypted query strings or form data</li> <li>Any custom use of <code>IDataProtector</code></li> </ul> <p>Run automated tests and manually verify that encryption and decryption work correctly. Because the defect was in HMAC tag validation, also check the negative case: a protected payload with a modified byte must fail <code>Unprotect</code> with a <code>CryptographicException</code> and must never be returned as plaintext. Run these checks on the same platform as production: the managed encryptor named in the advisory is the default on Linux and macOS, while Windows defaults to the CNG-based encryptor unless you have configured the managed one explicitly. If you were experiencing decryption errors before, they should now be resolved.</p> <h3 id="step7">Step 7: Report Any Issues</h3> <p>If you encounter new problems after the update, report them to the .NET team via the <a href="https://github.com/dotnet/aspnetcore/issues" target="_blank">ASP.NET Core issue tracker</a> with the label <strong>release-feedback</strong>. Provide detailed steps to reproduce and include your environment information (<code>dotnet --info</code> output, OS, and whether the app is framework-dependent or self-contained). The team actively monitors feedback for OOB releases.</p> <h2>Tips for a Smooth Update</h2> <ul> <li><strong>Back up your data and configuration</strong>, including the Data Protection key ring, before applying any security patches, especially in production.</li> <li><strong>Test in a staging environment</strong> that mirrors production to catch regressions.</li> <li><strong>Monitor application logs</strong> after deployment for any decryption or authentication failures.</li> <li><strong>Update all dependent projects</strong> that reference the Data Protection package; don't leave any old versions lying around.</li> <li><strong>Check the official known issues list</strong> for .NET 10.0 on the <a href="https://github.com/dotnet/core/blob/main/release-notes/10.0/known-issues.md" target="_blank">GitHub known issues page</a> to stay informed of any post-release fixes.</li> <li><strong>Coordinate with your team</strong> to ensure all developers and CI/CD pipelines are aligned on version 10.0.7.</li> </ul> <p>By following these steps, you’ll close the CVE-2026-40372 vulnerability and restore secure decryption in your ASP.NET Core applications. Don’t delay; update today.</p>
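<p>The self-check below ties Step 4 and Step 6 together. It is an added example, not code from the original post or from the .NET team: a small console program that refuses to run on an affected 10.0.x runtime or DataProtection build, then pins the managed encryptor against a throwaway key ring and asserts both the positive case (a payload round-trips) and the negative case (a payload with a flipped bit is rejected). It assumes a console project referencing <code>Microsoft.AspNetCore.DataProtection</code> 10.0.7 and <code>Microsoft.Extensions.DependencyInjection</code>; the purpose string, the sample payload and the temp-directory prefix are made up for the example.</p>

```csharp
// Added example (not from the original post or the .NET team).
// Assumes: console project referencing Microsoft.AspNetCore.DataProtection 10.0.7
// and Microsoft.Extensions.DependencyInjection. Purpose string and payload are made up.
using System;
using System.IO;
using System.Reflection;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel;
using Microsoft.Extensions.DependencyInjection;

static class DataProtectionPatchCheck
{
    // 10.0.0 through 10.0.6 is the affected range named in the advisory.
    static bool IsAffected(Version v) => v.Major == 10 && v.Minor == 0 && v.Build <= 6;

    static int Main()
    {
        // 1. Which runtime hosts this process, and which DataProtection build did it load?
        //    Environment.Version is the Microsoft.NETCore.App version actually in use;
        //    the informational version looks like "10.0.7+<commit>".
        Version runtime = Environment.Version;
        string dpInfo = typeof(IDataProtector).Assembly
            .GetCustomAttribute<AssemblyInformationalVersionAttribute>()?.InformationalVersion ?? "unknown";
        Console.WriteLine($"runtime {runtime}; Microsoft.AspNetCore.DataProtection {dpInfo}");
        Version.TryParse(dpInfo.Split('+')[0], out var dpVersion);
        if (IsAffected(runtime) || (dpVersion is not null && IsAffected(dpVersion)))
        {
            Console.Error.WriteLine("FAIL: an affected 10.0.x build is still in use");
            return 1;
        }

        // 2. Functional check against a throwaway key ring, never the real one.
        DirectoryInfo keyDir = Directory.CreateTempSubdirectory("dp-patch-check-");
        try
        {
            var services = new ServiceCollection();
            services.AddDataProtection()
                .PersistKeysToFileSystem(keyDir)
                // Pin the managed encryptor (AES-256-CBC + HMACSHA256), the code path the
                // advisory describes, so the check behaves the same on every OS.
                .UseCustomCryptographicAlgorithms(new ManagedAuthenticatedEncryptorConfiguration
                {
                    EncryptionAlgorithmType = typeof(Aes),
                    EncryptionAlgorithmKeySize = 256,
                    ValidationAlgorithmType = typeof(HMACSHA256),
                });
            using ServiceProvider sp = services.BuildServiceProvider();
            IDataProtector protector = sp.GetRequiredService<IDataProtectionProvider>()
                .CreateProtector("patch-check"); // purpose string chosen for this example

            byte[] plaintext = Encoding.UTF8.GetBytes("constructed sample payload");
            byte[] protectedBytes = protector.Protect(plaintext);

            // Positive case: the protected payload must round-trip byte for byte.
            if (!plaintext.AsSpan().SequenceEqual(protector.Unprotect(protectedBytes).AsSpan()))
            {
                Console.Error.WriteLine("FAIL: round trip returned different bytes");
                return 1;
            }

            // Negative case: flip one bit in the middle (IV/ciphertext region) and one in
            // the last byte (HMAC tag region). Correct tag validation must reject both.
            foreach (int index in new[] { protectedBytes.Length / 2, protectedBytes.Length - 1 })
            {
                if (!RejectsTamper(protector, protectedBytes, index))
                {
                    Console.Error.WriteLine($"FAIL: payload with byte {index} modified was accepted");
                    return 1;
                }
            }
            Console.WriteLine("OK: round trip works and tampered payloads are rejected");
            return 0;
        }
        finally
        {
            keyDir.Delete(recursive: true);
        }
    }

    // Returns true when Unprotect rejects the modified payload, as it must.
    static bool RejectsTamper(IDataProtector protector, byte[] payload, int index)
    {
        byte[] tampered = (byte[])payload.Clone();
        tampered[index] ^= 0x01;
        try
        {
            protector.Unprotect(tampered);
            return false; // accepted: validation is broken
        }
        catch (CryptographicException)
        {
            return true;  // rejected with the documented exception type
        }
    }
}
```

<p>Run it once per deployment target (it exits non-zero on any failure, so it slots into a CI job or a container health check). Pinning the managed encryptor is deliberate: on Windows the default is the CNG encryptor, and a check that only exercised the default would skip the code path the advisory names.</p>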