Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Critical Linux KVM Vulnerability (CVE-2024-4655) Exposes Host Kernel Memory
July 7, 2026
Critical Tenda Vulnerability Allows Remote Admin Access
July 7, 2026
Critical BeyondTrust Vulnerabilities Allow Access Control Bypass
July 7, 2026
Home/CyberSecurity News/Microsoft Patches Critical .NET Elevation of Privilege Vulnerability CVE-2023-29337
CyberSecurity News

Microsoft Patches Critical .NET Elevation of Privilege Vulnerability CVE-2023-29337

Key Takeaways Microsoft released an emergency out-of-band security update for .NET 10 (version 10.0.7) on April 21, 2026. The update addresses CVE-2026-40372, a critical elevation of privilege...

Sarah simpson
Sarah simpson
April 22, 2026 2 Min Read
29 0

Key Takeaways

  • Microsoft released an emergency out-of-band security update for .NET 10 (version 10.0.7) on April 21, 2026.
  • The update addresses CVE-2026-40372, a critical elevation of privilege vulnerability in the Microsoft.AspNetCore.DataProtection NuGet package.
  • All applications utilizing Microsoft.AspNetCore.DataProtection on .NET versions 10.0.0 through 10.0.6 are affected.
  • The flaw could allow attackers to bypass data integrity checks, potentially leading to privilege escalation.

Microsoft Rushes Out-of-Band Patch for Critical .NET Data Protection Flaw

Microsoft has issued an urgent, unscheduled security update for .NET 10, bringing the framework to version 10.0.7. Released on April 21, 2026, this patch targets a severe elevation of privilege vulnerability, identified as CVE-2026-40372, within the widely used Microsoft.AspNetCore.DataProtection NuGet package.

Table Of Content

  • Key Takeaways
  • Microsoft Rushes Out-of-Band Patch for Critical .NET Data Protection Flaw
  • Details of CVE-2026-40372
  • What You Should Do

The swift deployment of this out-of-band (OOB) fix was necessitated by customer reports of decryption failures impacting their ASP.NET Core applications. These issues surfaced immediately following the standard Patch Tuesday update, which had brought .NET to version 10.0.6.

The initial decryption problems were publicly documented in ASP.NET Core issue #66335. While investigating these widespread regressions, Microsoft engineers unearthed a more profound and critical security vulnerability. This flaw, a security regression introduced by prior updates, was found to affect all versions of the Microsoft.AspNetCore.DataProtection package from 10.0.0 up to and including 10.0.6.

Details of CVE-2026-40372

The vulnerability, tracked as CVE-2026-40372, resides specifically within the managed authenticated encryptor component of the Microsoft.AspNetCore.DataProtection package. This critical flaw allows the encryptor to incorrectly compute its Hash-based Message Authentication Code (HMAC) validation tag over the wrong bytes of the payload, or to subsequently discard the correctly computed hash.

Such cryptographic mishandling creates an opportunity for attackers to manipulate protected data. By bypassing the integrity validation checks, malicious actors could achieve elevation of privilege. This bug fundamentally compromises a core security guarantee of ASP.NET Core’s Data Protection stack, a framework crucial for encrypting sensitive application state, cookies, and authentication tokens.

The impact extends to any application that integrates and utilizes the Microsoft.AspNetCore.DataProtection package across .NET versions 10.0.0 through 10.0.6. Given the foundational role of ASP.NET Core Data Protection in securing elements like cookie authentication, anti-forgery tokens, and TempData encryption, the potential attack surface is considerable. Applications that manage user sessions or process protected payloads without applying this update are at significant risk of privilege escalation exploits.

What You Should Do

  • Microsoft strongly advises all developers and organizations operating affected .NET versions to immediately update the Microsoft.AspNetCore.DataProtection package to version 10.0.7.
  • Download the updated SDK and runtime from the official .NET 10.0 download page.
  • After installation, verify the runtime version by running dotnet --info, ensuring it displays 10.0.7.
  • Rebuild and redeploy all applications that use the updated NuGet packages or container images.
  • For server deployments, particularly on Linux, review the specific package installation guidance provided by Microsoft.
  • Updated container images are also available via the Microsoft Container Registry.
  • Developers should enable automatic NuGet package update notifications to stay informed of future OOB releases.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEExploitPatchSecurityThreatVulnerability

Share Article

Sarah simpson

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.

Previous Post

Mythos AI Tool Exposed: Anthropic Investigates Unauthorized Access

Next Post

Microsoft Signed Driver Used in LOTUSLITE Espionage Campaign

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Top 10 Next-Generation Firewall Solutions for 2026
July 6, 2026
Microsoft Device Code Phishing Attack Steals Tokens via Login Page
July 6, 2026
Critical Gemini Live Voice flaw lets attackers inject tools via misconfigured tokens
July 6, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
David kimber
David kimber
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us