Microsoft Patches Critical .NET Elevation of Privilege Vulnerability CVE-2023-29337
Key Takeaways Microsoft released an emergency out-of-band security update for .NET 10 (version 10.0.7) on April 21, 2026. The update addresses CVE-2026-40372, a critical elevation of privilege...
Key Takeaways
- Microsoft released an emergency out-of-band security update for .NET 10 (version 10.0.7) on April 21, 2026.
- The update addresses CVE-2026-40372, a critical elevation of privilege vulnerability in the
Microsoft.AspNetCore.DataProtectionNuGet package. - All applications utilizing
Microsoft.AspNetCore.DataProtectionon .NET versions 10.0.0 through 10.0.6 are affected. - The flaw could allow attackers to bypass data integrity checks, potentially leading to privilege escalation.
Microsoft Rushes Out-of-Band Patch for Critical .NET Data Protection Flaw
Microsoft has issued an urgent, unscheduled security update for .NET 10, bringing the framework to version 10.0.7. Released on April 21, 2026, this patch targets a severe elevation of privilege vulnerability, identified as CVE-2026-40372, within the widely used Microsoft.AspNetCore.DataProtection NuGet package.
Table Of Content
The swift deployment of this out-of-band (OOB) fix was necessitated by customer reports of decryption failures impacting their ASP.NET Core applications. These issues surfaced immediately following the standard Patch Tuesday update, which had brought .NET to version 10.0.6.
The initial decryption problems were publicly documented in ASP.NET Core issue #66335. While investigating these widespread regressions, Microsoft engineers unearthed a more profound and critical security vulnerability. This flaw, a security regression introduced by prior updates, was found to affect all versions of the Microsoft.AspNetCore.DataProtection package from 10.0.0 up to and including 10.0.6.
Details of CVE-2026-40372
The vulnerability, tracked as CVE-2026-40372, resides specifically within the managed authenticated encryptor component of the Microsoft.AspNetCore.DataProtection package. This critical flaw allows the encryptor to incorrectly compute its Hash-based Message Authentication Code (HMAC) validation tag over the wrong bytes of the payload, or to subsequently discard the correctly computed hash.
Such cryptographic mishandling creates an opportunity for attackers to manipulate protected data. By bypassing the integrity validation checks, malicious actors could achieve elevation of privilege. This bug fundamentally compromises a core security guarantee of ASP.NET Core’s Data Protection stack, a framework crucial for encrypting sensitive application state, cookies, and authentication tokens.
The impact extends to any application that integrates and utilizes the Microsoft.AspNetCore.DataProtection package across .NET versions 10.0.0 through 10.0.6. Given the foundational role of ASP.NET Core Data Protection in securing elements like cookie authentication, anti-forgery tokens, and TempData encryption, the potential attack surface is considerable. Applications that manage user sessions or process protected payloads without applying this update are at significant risk of privilege escalation exploits.
What You Should Do
- Microsoft strongly advises all developers and organizations operating affected .NET versions to immediately update the
Microsoft.AspNetCore.DataProtectionpackage to version 10.0.7. - Download the updated SDK and runtime from the official .NET 10.0 download page.
- After installation, verify the runtime version by running
dotnet --info, ensuring it displays 10.0.7. - Rebuild and redeploy all applications that use the updated NuGet packages or container images.
- For server deployments, particularly on Linux, review the specific package installation guidance provided by Microsoft.
- Updated container images are also available via the Microsoft Container Registry.
- Developers should enable automatic NuGet package update notifications to stay informed of future OOB releases.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.