Microsoft Releases Emergency Patch for Critical ASP.NET Core Data Protection Flaw


Microsoft has released an out-of-band .NET 10.0.7 update to fix CVE-2026-40372, a critical ASP.NET Core elevation of privilege vulnerability tied to the platform’s Data Protection cryptographic APIs. The flaw affects Microsoft.AspNetCore.DataProtection NuGet package versions 10.0.0 through 10.0.6 and can allow an unauthenticated attacker to elevate privileges over a network.

The issue is serious because ASP.NET Core Data Protection helps protect authentication cookies, antiforgery tokens, TempData, OpenID Connect state, and other application payloads. Microsoft says the bug could allow forged payloads to pass authenticity checks, which can undermine security decisions made by affected web applications.

Microsoft discovered the vulnerability while investigating customer reports that decryption was failing after the .NET 10.0.6 Patch Tuesday release. The company says the emergency update fixes both the decryption regression and the security issue.

What CVE-2026-40372 does

CVE-2026-40372 sits in the Microsoft.AspNetCore.DataProtection package, which developers use to protect sensitive application state. NVD describes the flaw as improper verification of a cryptographic signature in ASP.NET Core that allows an unauthorized attacker to elevate privileges over a network.

Microsoft’s release notes give the technical reason. A regression in Microsoft.AspNetCore.DataProtection 10.0.0 through 10.0.6 can make the managed authenticated encryptor compute the HMAC validation tag over the wrong bytes of the payload and then discard the computed hash in some cases.

That means an affected application may accept forged data as valid. Microsoft says the broken validation can allow attackers to forge payloads that pass Data Protection authenticity checks and decrypt previously protected payloads used in authentication cookies, antiforgery tokens, TempData, OIDC state, and similar flows.
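A practitioner who wants to confirm that a deployed build actually rejects tampered Data Protection payloads can run a small tamper check against the real API. The program below is an added example written for this page, not code from the article or from Microsoft. It protects a byte string, flips single bits at two offsets, and expects every tampered copy to be rejected with CryptographicException while the untouched payload still round-trips. On a fixed build (10.0.7) every tampered case must throw; a build that returns data for a tampered payload is still an affected Microsoft.AspNetCore.DataProtection build. The class name TamperCheck, the purpose string and the temp-directory key ring are assumptions made for the example; a real app should instead resolve IDataProtectionProvider from dependency injection so its own key ring is exercised.

```csharp
// Added tamper-detection check for ASP.NET Core Data Protection (example code, not
// Microsoft's or the article's). Assumes a console project on .NET 10.0.7 that
// references Microsoft.AspNetCore.DataProtection.
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.DataProtection;

return TamperCheck.Run() == 0 ? 0 : 1;

static class TamperCheck
{
    // Returns the number of failed checks; non-zero means the build is not safe.
    public static int Run()
    {
        // Throwaway key ring in a temp directory (assumption for a stand-alone run).
        DirectoryInfo keyDir = Directory.CreateTempSubdirectory("dp-tamper-check-");
        IDataProtectionProvider provider = DataProtectionProvider.Create(keyDir);
        IDataProtector protector = provider.CreateProtector("CVE-2026-40372-tamper-check");

        byte[] plaintext = Encoding.UTF8.GetBytes("user=alice;role=user");
        byte[] protectedBytes = protector.Protect(plaintext);

        // Offsets to tamper with: the last byte lies inside the HMAC tag; the middle of
        // the payload lands in the IV/ciphertext region for a payload of this size.
        int[] offsets = { protectedBytes.Length - 1, protectedBytes.Length / 2 };
        int failures = 0;

        foreach (int offset in offsets)
        {
            byte[] forged = (byte[])protectedBytes.Clone();
            forged[offset] ^= 0x01;   // single-bit flip, the smallest possible forgery
            try
            {
                protector.Unprotect(forged);
                Console.WriteLine($"FAIL: payload with tampered byte {offset} was accepted");
                failures++;
            }
            catch (CryptographicException)
            {
                Console.WriteLine($"ok: payload with tampered byte {offset} rejected");
            }
        }

        // A genuine payload must still round-trip, so the check is not passing
        // merely because Unprotect() throws on everything.
        byte[] roundTrip = protector.Unprotect(protectedBytes);
        if (!roundTrip.AsSpan().SequenceEqual(plaintext))
        {
            Console.WriteLine("FAIL: genuine payload did not round-trip");
            failures++;
        }

        return failures;
    }
}
```

Run it once inside the same container image that ships to production, since the page's own guidance is that stale images are how the vulnerable package version survives a patch.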

Why the bug matters for ASP.NET Core apps

The main risk is trust failure inside web applications. Data Protection exists to help an application store or send protected data and later confirm that it has not been modified by someone else.

When that check breaks, attackers can target application state that should have remained private and tamper-resistant. In a real deployment, that can affect login sessions, account flows, form protections, and other features that depend on protected payloads.

Microsoft also warns that forged payloads may have lasting consequences. If an attacker used forged payloads to authenticate as a privileged user during the vulnerable window, the application may have issued legitimately signed tokens, such as session refresh tokens, API keys, or password reset links. Those tokens may stay valid after upgrading unless the Data Protection key ring is rotated.

At a glance

What current reporting shows:

  • Vulnerability: CVE-2026-40372
  • Product area: ASP.NET Core Data Protection
  • Affected package: Microsoft.AspNetCore.DataProtection
  • Affected versions: 10.0.0 through 10.0.6
  • Fixed version: 10.0.7
  • Release type: Out-of-band security update
  • Vulnerability type: Improper cryptographic signature verification
  • CVSS score: 9.1, Critical
  • Attack requirements: Network access, no authentication, no user interaction
  • Main risk: Forged protected payloads and privilege escalation
  • Microsoft guidance: Update to 10.0.7, rebuild, and redeploy

What Microsoft patched

Microsoft released .NET 10.0.7 on April 21 as an out-of-band update. The company says applications using ASP.NET Core Data Protection should update the Microsoft.AspNetCore.DataProtection package to 10.0.7 as soon as possible.

The installation guidance is direct. Developers should install the .NET 10.0.7 SDK or Runtime, confirm the update with dotnet --info, then rebuild and redeploy applications using updated images or packages.

The update matters most for applications that use the affected NuGet package directly or through another dependency. Developers should also check deployment images, container builds, and package lock files to make sure the vulnerable package version does not remain in production.

What remains important after patching

Patching fixes the validation issue going forward. It may not automatically invalidate every token or artifact that an application issued during the vulnerable window.

Microsoft specifically warns that some legitimately signed tokens issued after forged authentication may remain valid after the upgrade unless the Data Protection key ring is rotated. That makes key rotation an important follow-up step for teams that believe their applications were exposed.

Security teams should review logs for unusual authentication activity, suspicious password reset flows, unexpected API key creation, or abnormal session refresh behavior around the period when affected versions were deployed.

What developers should do now

  • Update Microsoft.AspNetCore.DataProtection to 10.0.7 as soon as possible.
  • Install the .NET 10.0.7 SDK or Runtime where required.
  • Rebuild and redeploy affected applications, containers, and packages.
  • Run dotnet --info to confirm the updated runtime.
  • Check dependency trees for direct or transitive use of Microsoft.AspNetCore.DataProtection.
  • Rotate the Data Protection key ring if forged authentication may have occurred.
  • Review authentication, password reset, API token, and session logs for suspicious activity.
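The key ring rotation that Microsoft recommends (see the warning above about tokens issued during the vulnerable window) is worth seeing in code, because the obvious move is not enough. In ASP.NET Core Data Protection, creating a new key only changes which key protects new payloads; older keys stay in the key ring and keep unprotecting the cookies, antiforgery tokens and other artifacts they issued. To invalidate what an attacker obtained during the vulnerable window, the older keys must be revoked as well. The program below is an added example for this page, not Microsoft's guidance or code from the article: it revokes every existing key through IKeyManager, then creates a fresh key so the application can continue. The --rotate-keys switch and the 90-day expiry are assumptions chosen for the example; the IKeyManager methods are the real ones from Microsoft.AspNetCore.DataProtection.KeyManagement.

```csharp
// Added example of rotating the ASP.NET Core Data Protection key ring after the
// upgrade to 10.0.7 (not Microsoft's code). Assumes a minimal ASP.NET Core web
// project on .NET 10.0.7 using the default key ring configuration.
using System;
using System.Linq;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddDataProtection();
var app = builder.Build();

// Hypothetical one-shot switch for the example; run it once per key ring, not per instance.
if (args.Contains("--rotate-keys"))
{
    using var scope = app.Services.CreateScope();
    var keyManager = scope.ServiceProvider.GetRequiredService<IKeyManager>();
    var logger = scope.ServiceProvider.GetRequiredService<ILogger<Program>>();

    DateTimeOffset now = DateTimeOffset.UtcNow;

    // RevokeAllKeys marks every key created before 'now' as revoked. Unprotect() on a
    // payload protected with a revoked key throws CryptographicException, so sessions,
    // antiforgery tokens and similar artifacts issued during the vulnerable window stop
    // validating. CreateNewKey() alone would not do that: un-revoked older keys remain
    // usable for Unprotect().
    keyManager.RevokeAllKeys(now, reason: "Key ring rotation after CVE-2026-40372");

    // Fresh key, active immediately. The new key's creation time is after 'now', so the
    // mass revocation above does not cover it. 90 days matches the default key lifetime.
    IKey newKey = keyManager.CreateNewKey(activationDate: now, expirationDate: now.AddDays(90));

    logger.LogWarning("Revoked all Data Protection keys created before {Now}; new key {KeyId} is active",
        now, newKey.KeyId);
    return;
}

app.MapGet("/", (IDataProtectionProvider provider) =>
{
    // Payloads protected with the new key round-trip as before; anything protected
    // under a revoked key is now rejected at Unprotect().
    IDataProtector protector = provider.CreateProtector("demo");
    return protector.Unprotect(protector.Protect("hello after rotation"));
});

app.Run();
```

Two consequences follow from revoking rather than merely adding a key: every user is signed out and must re-authenticate, and any instance that shares the key ring caches it, so restart the other instances (or wait for their periodic key ring refresh) before treating the rotation as complete. Tokens the application issued through other mechanisms, such as API keys stored in a database, are not covered by Data Protection keys and need their own revocation, which is why the log review step above still matters.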

FAQ

What is CVE-2026-40372?

CVE-2026-40372 is an ASP.NET Core elevation of privilege vulnerability in the Microsoft.AspNetCore.DataProtection package. It can allow an unauthorized attacker to elevate privileges over a network.

Which ASP.NET Core versions are affected?

Microsoft says the issue affects Microsoft.AspNetCore.DataProtection NuGet package versions 10.0.0 through 10.0.6. The fix is available in version 10.0.7.

Why did Microsoft release an emergency patch?

Microsoft released .NET 10.0.7 outside the normal patch cycle because the regression introduced a security issue in ASP.NET Core Data Protection. The company found the vulnerability while investigating customer reports of decryption failures after .NET 10.0.6.

Can attackers exploit this without logging in?

Yes. NVD lists the attack vector as network-based, with low attack complexity, no privileges required, and no user interaction required.

Readers help support VPNCentral. We may get a commission if you buy through our links.