Microsoft Ships Emergency .NET Patch After Severe Security Risk Discovered

Immediate action required for CVE-2026-40372 bug


Microsoft has released an emergency out-of-band update for .NET, addressing a critical security vulnerability that could allow attackers to gain elevated privileges and access sensitive data. The issue surfaced after reports of decryption failures in .NET 10.0.6, prompting immediate action.

The vulnerability, tracked as CVE-2026-40372, carries a severity score of 9.1 and falls under elevation of privilege (EoP). Attackers could exploit it to forge authentication cookies, decrypt protected data, and potentially escalate access to SYSTEM-level privileges.

Flaw Linked to DataProtection Component

The root cause lies in the Microsoft.AspNetCore.DataProtection component, specifically within its HMAC validation process. The system computed the hash over the wrong payload bytes and then discarded the validation result, so a failed integrity check never caused the payload to be rejected, effectively opening the door to exploitation.

This flaw impacts applications built on .NET versions 10.0.0 through 10.0.6 that rely on the affected package under certain configurations.
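As an added illustration of the bug class the article describes, and not the DataProtection source (which the article does not quote), the following Python sketch contrasts an unprotect routine that MACs the wrong bytes and ignores the comparison with a correct one. The key, payload and tag layout are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo key and tag size (HMAC-SHA256); not real DataProtection parameters.
KEY = b"constructed-demo-key-not-for-real-use"
TAG_LEN = 32


def protect(key: bytes, payload: bytes) -> bytes:
    """Return payload || HMAC-SHA256(key, payload)."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return payload + tag


def unprotect_flawed(key: bytes, blob: bytes) -> bytes:
    """Models the flaw the article describes: the MAC is computed over the
    wrong bytes (here, hypothetically, the tag instead of the payload) and the
    comparison result is never acted on, so tampering goes undetected."""
    payload, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, tag, hashlib.sha256).digest()  # wrong input bytes
    hmac.compare_digest(expected, tag)  # result discarded: never rejects anything
    return payload


def is_valid(key: bytes, blob: bytes) -> bool:
    """Correct check: MAC over the payload bytes, constant-time comparison."""
    if len(blob) < TAG_LEN:
        return False
    payload, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def unprotect_fixed(key: bytes, blob: bytes) -> bytes:
    """Reject the blob unless the HMAC over the payload verifies."""
    if not is_valid(key, blob):
        raise ValueError("HMAC validation failed")
    return blob[:-TAG_LEN]


def corrupt_payload(blob: bytes) -> bytes:
    """Integrity test input: flip one payload bit, leave the tag untouched."""
    b = bytearray(blob)
    b[0] ^= 0x01
    return bytes(b)


if __name__ == "__main__":
    blob = protect(KEY, b"role=user")
    bad = corrupt_payload(blob)
    print("flawed accepts corrupted blob:", unprotect_flawed(KEY, bad) != b"role=user")
    print("fixed accepts corrupted blob:", is_valid(KEY, bad))
```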

Limited but High-Risk Exposure

The vulnerability does not affect all environments equally. It affects only systems that meet specific conditions:

  • Applications referencing the vulnerable DataProtection package
  • Projects using net462 or netstandard2.0 assets
  • Deployments running on Linux, macOS, or other non-Windows platforms

While this setup remains relatively uncommon, Microsoft warns that affected systems face serious risk if left unpatched.

Microsoft Pushes Urgent Fix with .NET 10.0.7

To address the issue, Microsoft released .NET 10.0.7 as an out-of-band update. The company urges developers and organizations to install the latest version immediately, then rebuild and redeploy affected applications.

Successful exploitation could allow attackers to access and modify files, escalate privileges, and potentially carry out supply chain attacks.

This emergency release highlights the urgency of the threat, as out-of-band patches typically signal active risk or high exploit potential. It also follows recent reports of the RedSun exploit campaign and multiple other zero-day vulnerabilities.

In separate security guidance, Microsoft recently stated that most home Windows 11 users no longer need third-party antivirus solutions, emphasizing improvements in built-in protections.

Via Neowin
