ASP.NET Core CVE-2026-40372: Emergency Patch Released

Microsoft patches critical ASP.NET Core Data Protection flaw CVE-2026-40372. Attackers can forge auth cookies and gain SYSTEM privileges. Update now.
Microsoft Drops Emergency ASP.NET Core Security Fix
Microsoft shipped an out-of-band security update on Tuesday to address CVE-2026-40372, a critical privilege escalation flaw in ASP.NET Core Data Protection. The vulnerability affects the Microsoft.AspNetCore.DataProtection NuGet package versions 10.0.0 through 10.0.6, and unauthenticated attackers can exploit it to gain SYSTEM-level privileges by forging authentication cookies. If your application runs on .NET 10 and uses Data Protection APIs, this is not a "patch when convenient" situation.
The flaw was introduced as a regression in the April Patch Tuesday .NET 10.0.6 release. Users started filing reports about decryption failures shortly after installing that update, which is how the bug surfaced at all.
How the CVE-2026-40372 Vulnerability Works
The regression sits inside the managed authenticated encryptor. Instead of computing its HMAC validation tag over the correct bytes of the payload, it computes the tag over the wrong bytes and then discards the computed hash in certain code paths.
The practical result: Data Protection's authenticity checks become meaningless. An attacker who understands the broken validation logic can craft payloads that pass those checks without possessing the actual encryption keys. From there, they can forge auth cookies, antiforgery tokens, TempData values, OIDC state parameters, and more.
Worse, if an attacker successfully authenticates as a privileged user during the vulnerable window, the application may issue them legitimately signed tokens such as session refresh tokens, API keys, or password reset links. Those tokens stay valid even after you upgrade to 10.0.7, unless you rotate the DataProtection key ring.
Microsoft confirmed the bug also enables file disclosure and data modification, though it does not affect system availability.
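To make the failure mode concrete, here is an added illustrative model (not the Microsoft.AspNetCore.DataProtection source) of an encrypt-then-MAC protector: the `fixedValidation: true` path compares the HMAC tag in constant time, while the `false` path computes the tag and then ignores it, which is the "check that means nothing" situation described above. The key material, payload layout, and the tampered byte are all constructed for the demonstration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Illustrative model only, not the Microsoft.AspNetCore.DataProtection source.
// Protected payload layout: IV (16) || AES-CBC ciphertext || HMAC-SHA256 tag (32),
// where the tag is computed over IV || ciphertext.
static class ProtectorModel
{
    static readonly byte[] EncKey = RandomNumberGenerator.GetBytes(32);
    static readonly byte[] MacKey = RandomNumberGenerator.GetBytes(32);

    public static byte[] Protect(string plaintext)
    {
        using var aes = Aes.Create();
        aes.Key = EncKey;
        aes.GenerateIV();
        byte[] body = Concat(aes.IV, aes.EncryptCbc(Encoding.UTF8.GetBytes(plaintext), aes.IV));
        return Concat(body, HMACSHA256.HashData(MacKey, body));
    }

    // fixedValidation=false mirrors the regression: the tag is computed and then
    // discarded, so a payload that was never produced with MacKey still "decrypts".
    public static string Unprotect(byte[] payload, bool fixedValidation)
    {
        byte[] body = payload[..^32];
        byte[] storedTag = payload[^32..];
        byte[] computedTag = HMACSHA256.HashData(MacKey, body);
        if (fixedValidation && !CryptographicOperations.FixedTimeEquals(computedTag, storedTag))
            throw new CryptographicException("authentication tag mismatch");
        using var aes = Aes.Create();
        aes.Key = EncKey;
        return Encoding.UTF8.GetString(aes.DecryptCbc(body[16..], body[..16]));
    }

    static byte[] Concat(byte[] a, byte[] b)
    {
        var r = new byte[a.Length + b.Length];
        Buffer.BlockCopy(a, 0, r, 0, a.Length);
        Buffer.BlockCopy(b, 0, r, a.Length, b.Length);
        return r;
    }

    static void Main()
    {
        byte[] payload = Protect("role=user");
        payload[0] ^= 0x01; // constructed tampering: the stored tag no longer covers these bytes
        Console.WriteLine(Unprotect(payload, fixedValidation: false)); // broken path accepts it
        try { Unprotect(payload, fixedValidation: true); }
        catch (CryptographicException e) { Console.WriteLine("fixed path: " + e.Message); }
    }
}
```

The broken path returns a changed plaintext as if it were genuine, while the fixed path rejects the payload before any plaintext is produced; that difference is the whole authenticity guarantee Data Protection is supposed to give.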
Impact on .NET Developers and Running Applications
Any application using Microsoft.AspNetCore.DataProtection on versions 10.0.0 through 10.0.6 is exposed. The attack requires no authentication, which removes the usual prerequisite that limits the blast radius of many privilege escalation bugs.
The token persistence issue is particularly nasty for production systems. Upgrading your package closes the broken validation path, but tokens already issued to an attacker during the exposure window remain valid. You cannot rely on the patch alone to fully remediate if you had the vulnerable version running in production.
Session-based applications, OAuth/OIDC flows, and anything relying on antiforgery tokens should be treated as potentially compromised if they ran on the affected .NET 10 versions.
How to Fix CVE-2026-40372 in Your ASP.NET Core App
Microsoft senior program manager Rahul Bhandari outlined the remediation steps clearly. Here is what you need to do:
- Update immediately. Upgrade Microsoft.AspNetCore.DataProtection to version 10.0.7 via NuGet.
- Redeploy your application. The fixed validation routine only takes effect after deployment. A running instance still uses the old code.
- Rotate your DataProtection key ring. This invalidates any tokens that may have been issued to an attacker before you patched. Without this step, forged sessions and API tokens remain active.
- Audit privileged session activity. Review logs for unusual authentication events during the window your app ran on 10.0.0 through 10.0.6.
- Check affected configurations. Microsoft's original announcement lists specific platforms, packages, and application configurations. Review it against your deployment setup.
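The key ring rotation step is the one people most often skip, so here is an added example (not from Microsoft's advisory) of a one-shot console tool that revokes every existing key and creates a fresh one through the public `IKeyManager` API. `KeyRingPath` and `AppName` are placeholders; they must match the running application's Data Protection configuration so the tool edits the same key ring.

```csharp
using System;
using System.IO;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

// One-shot tool to rotate the Data Protection key ring after the 10.0.7 deploy.
// KeyRingPath and AppName are placeholders: use the same key store and application
// name as the running application, otherwise a different key ring is modified.
class RotateKeyRing
{
    const string KeyRingPath = @"\\fileserver\keyring-placeholder";
    const string AppName = "my-app-placeholder";

    static void Main()
    {
        var services = new ServiceCollection();
        services.AddDataProtection()
            .PersistKeysToFileSystem(new DirectoryInfo(KeyRingPath))
            .SetApplicationName(AppName);
        using var provider = services.BuildServiceProvider();
        var keyManager = provider.GetRequiredService<IKeyManager>();

        var now = DateTimeOffset.UtcNow;

        // Revoke every key created up to now, i.e. everything that existed while
        // 10.0.0 through 10.0.6 was deployed. Payloads protected with a revoked key fail
        // to unprotect, which is what invalidates cookies and tokens issued in that window.
        keyManager.RevokeAllKeys(now, reason: "CVE-2026-40372 key ring rotation");

        // Issue a fresh key that is active immediately; 90 days is the default key lifetime.
        IKey fresh = keyManager.CreateNewKey(activationDate: now, expirationDate: now.AddDays(90));
        Console.WriteLine($"created key {fresh.KeyId:D}, active from {fresh.ActivationDate:u}");

        foreach (IKey key in keyManager.GetAllKeys())
            Console.WriteLine($"{key.KeyId:D} revoked={key.IsRevoked} expires={key.ExpirationDate:u}");
    }
}
```

If the application encrypts keys at rest (DPAPI, a certificate, or a cloud key vault), add the same `ProtectKeysWith*` call here so the app can read the new key. Running instances cache the key ring, so restart them after rotating to be sure the revocation takes effect immediately.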
Running an automated scan against your deployed endpoints can also surface unexpected authentication behavior or misconfigured security headers that compound exposure. Run a free scan at /scan to check your application's current security posture.
For more context on ASP.NET Core security patterns and past vulnerabilities, see our ASP.NET security coverage on the blog.
Frequently Asked Questions
Does this affect .NET 8 or .NET 9 applications?
No. CVE-2026-40372 is specific to Microsoft.AspNetCore.DataProtection versions 10.0.0 through 10.0.6. Applications running on earlier .NET versions are not affected by this regression.
If I patch to 10.0.7, do I still need to rotate the key ring?
Yes. The patch fixes the validation logic going forward, but any tokens issued to an attacker while the bug was active remain valid until the key ring is rotated. Skipping rotation leaves a remediation gap.
How do I know if an attacker exploited this against my app?
Check authentication logs for privilege escalation events or unexpected privileged sessions during the period your app ran on the vulnerable version. Look for accounts accessing admin-level resources they would not normally touch, and review any password reset or API key issuance events from that window.