Critical .NET 10.0.7 Security Update
Microsoft has released .NET 10.0.7 as an emergency out-of-band security update, addressing a critical elevation of privilege vulnerability (CVE-2026-40372) in the ASP.NET Core Data Protection cryptographic APIs.
The Vulnerability
The flaw affects .NET 10.0.0 through 10.0.6 and could allow unauthenticated attackers to gain SYSTEM privileges by forging authentication cookies. A regression in Microsoft.AspNetCore.DataProtection causes HMAC validation to be computed over incorrect bytes, allowing attackers to bypass integrity checks.
Action Required
Update Microsoft.AspNetCore.DataProtection to version 10.0.7 immediately, then rebuild and redeploy all applications.
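To find which applications still need the update, the following added example (not Microsoft's tooling and not part of the original advisory) checks project files and published *.deps.json manifests for a Microsoft.AspNetCore.DataProtection version in the affected 10.0.0 through 10.0.6 range. The sample inputs are constructed, and the function names are illustrative; it assumes SDK-style project files without an XML namespace.

```python
import json
import re
import xml.etree.ElementTree as ET

PACKAGE = "Microsoft.AspNetCore.DataProtection"
FIRST_AFFECTED, FIXED = (10, 0, 0), (10, 0, 7)  # range stated in the advisory text

# Constructed sample inputs (not from any real project).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="10.0.5" />
    <PackageReference Include="Microsoft.AspNetCore.DataProtection.Abstractions" Version="10.0.5" />
  </ItemGroup>
</Project>"""
SAMPLE_DEPS = json.dumps({"libraries": {
    "Microsoft.AspNetCore.DataProtection/10.0.7": {"type": "package"},
    "Microsoft.AspNetCore.DataProtection.Abstractions/10.0.7": {"type": "package"}}})

def classify(version_text):
    """'affected' for 10.0.0-10.0.6, 'outside_range' otherwise, 'review' if not a plain x.y.z."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version_text.strip())
    if not m:  # floating ("10.0.*"), ranges, prereleases, MSBuild properties
        return "review"
    v = tuple(int(g) for g in m.groups())
    return "affected" if FIRST_AFFECTED <= v < FIXED else "outside_range"

def versions_in_csproj(xml_text):
    """Versions pinned via PackageReference or PackageVersion (central package management)."""
    found = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag in ("PackageReference", "PackageVersion") and \
                el.get("Include", "").lower() == PACKAGE.lower():
            found.append(el.get("Version") or el.findtext("Version") or "")
    return found

def versions_in_deps_json(json_text):
    """Resolved versions from a published app's *.deps.json 'libraries' map."""
    prefix = PACKAGE.lower() + "/"  # trailing slash excludes sibling packages
    libs = json.loads(json_text).get("libraries", {})
    return [key[len(prefix):] for key in libs if key.lower().startswith(prefix)]

def audit(named_inputs):
    """named_inputs: iterable of (name, text). Returns [(name, version, status), ...]."""
    rows = []
    for name, text in named_inputs:
        reader = versions_in_deps_json if name.endswith(".json") else versions_in_csproj
        rows += [(name, v, classify(v)) for v in reader(text)]
    return rows

if __name__ == "__main__":
    for row in audit([("app.csproj", SAMPLE_CSPROJ), ("app.deps.json", SAMPLE_DEPS)]):
        print(*row, sep="\t")
```

Checking the deployed *.deps.json as well as the project file confirms that the rebuild and redeploy actually shipped the fixed package, not just that the reference was edited.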
Other News This Week
- GitHub tightens Copilot usage limits and suspends new Pro/Pro+/Student subscriptions
- Microsoft Agent Framework 1.0.0 released as successor to Semantic Kernel
- Azure Accelerate for Databases announced for AI modernization
Source: BleepingComputer, GitHub Changelog, Azure Blog
