Microsoft Dev Blogs:
We are releasing .NET 10.0.7 as an out-of-band (OOB) update to address a security issue introduced in Microsoft.AspNetCore.DataProtection.
Security update details
This release includes a fix for CVE-2026-40372.
After the Patch Tuesday 10.0.6 release, some customers reported that decryption was failing in their applications. This behavior was reported in aspnetcore issue #66335.
While investigating those reports, we determined that the regression also exposed a vulnerability. In versions 10.0.0 through .NET 10.0.6 of the Microsoft.AspNetCore.DataProtection NuGet package, the managed authenticated encryptor could compute its HMAC validation tag over the wrong bytes of the payload and then discard the computed hash, which could result in elevation of privilege.
Read more:
.NET 10.0.7 Out-of-Band Security Update - .NET Blog
We are releasing .NET 10.0.7 as an out-of-band security update to address CVE-2026-40372.
Release .NET 10.0.7 / 10.0.203 · dotnet/dotnet
You can build .NET 10.0 from the repository by cloning the release tag v10.0.203 and following the build instructions in the main README.md. Alternatively, you can build from the sources attached t...
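A way to check deployed applications against the affected range quoted above (10.0.0 through 10.0.6), added here as an example and not taken from the Microsoft post or the .NET project. It assumes the application references the Microsoft.AspNetCore.DataProtection NuGet package so that it is listed under `libraries` in the app's `*.deps.json`; the function names and the sample files are constructed for illustration.

```python
import json
import re
import tempfile
from pathlib import Path

PACKAGE = "microsoft.aspnetcore.dataprotection"
# Affected range as stated in the post: 10.0.0 through 10.0.6 (10.0.7 is the fix).
FIRST_AFFECTED, LAST_AFFECTED = (10, 0, 0), (10, 0, 6)
STABLE = re.compile(r"^(\d+)\.(\d+)\.(\d+)$")


def affected(version):
    """True for a stable version in the stated range; pre-release strings are not flagged."""
    m = STABLE.match(version)
    return bool(m) and FIRST_AFFECTED <= tuple(map(int, m.groups())) <= LAST_AFFECTED


def scan_deps_file(path):
    """Return affected versions of the package listed in one *.deps.json."""
    try:
        doc = json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):  # unreadable or not JSON: nothing to report
        return []
    libraries = doc.get("libraries", {}) if isinstance(doc, dict) else {}
    names = (key.partition("/") for key in libraries)  # keys: "Package.Name/1.2.3"
    return [ver for name, _, ver in names if name.lower() == PACKAGE and affected(ver)]


def scan_tree(root):
    """Map each *.deps.json under root (relative path) to the affected versions it lists."""
    results = ((p, scan_deps_file(p)) for p in sorted(Path(root).rglob("*.deps.json")))
    return {p.relative_to(root).as_posix(): hits for p, hits in results if hits}


def demo():
    """Scan two constructed deps.json files (sample data, not real applications)."""
    with tempfile.TemporaryDirectory() as tmp:
        for ver in ("10.0.6", "10.0.7"):
            target = Path(tmp, ver, "app.deps.json")
            target.parent.mkdir()
            doc = {"libraries": {f"Microsoft.AspNetCore.DataProtection/{ver}": {"type": "package"}}}
            target.write_text(json.dumps(doc), encoding="utf-8")
        return scan_tree(tmp)


if __name__ == "__main__":
    print(demo())
```

Point `scan_tree` at a publish or deployment directory to list the applications that still carry a version in the affected range.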









