Microsoft Issues Urgent .NET 10.0.7 Update for Critical Vulnerability

Severity: High (Score: 72.9)

Sources: Bleepingcomputer, devblogs.microsoft.com, Gbhackers, Neowin, Cybersecuritynews

Summary

On April 21, 2026, Microsoft released an emergency out-of-band update for .NET 10.0.7 to address a critical elevation of privilege vulnerability (CVE-2026-40372) discovered in the Microsoft.AspNetCore.DataProtection NuGet package. This vulnerability, rated 9.1 in severity, allows attackers to forge authentication cookies and decrypt secure payloads, potentially granting SYSTEM privileges. The issue was identified after users reported decryption failures following the previous Patch Tuesday update to .NET 10.0.6. All non-Windows operating systems running .NET 10.0.6 are affected, particularly those on Linux and macOS. Organizations are urged to install the patch immediately to mitigate risks associated with this vulnerability. The update also resolves the decryption regression bug introduced in the earlier version. Microsoft emphasizes the importance of upgrading to the latest version to protect sensitive data and maintain system integrity. Key Points: • CVE-2026-40372 allows elevation of privilege via forged authentication cookies. • All non-Windows systems running .NET 10.0.6 are at risk of exploitation. • Immediate installation of .NET 10.0.7 is critical to prevent potential attacks.

Key Entities

• Data Breach (attack_type)
• Zero-day Exploit (attack_type)
• CVE-2025-55315 (cve)
• CVE-2026-40372 (cve)
• CWE-200 - Exposure of Sensitive Information (cwe)
• CWE-269 - Improper Privilege Management (cwe)
• CWE-287 - Improper Authentication (cwe)
• T1068 - Exploitation for Privilege Escalation (mitre_attack)
• T1078 - Valid Accounts (mitre_attack)
• ASP.NET Core (platform)
• Kestrel (platform)
• Linux (platform)
• MacOS (platform)
• .NET (platform)