Microsoft Releases Emergency Patches for Critical ASP.NET Core Flaw


What happened

Microsoft has released an out-of-band security update to patch a critical privilege escalation vulnerability in ASP.NET Core, tracked as CVE-2026-40372, after users reported decryption failures following the .NET 10.0.6 update released during April’s Patch Tuesday.

The flaw exists in the ASP.NET Core Data Protection cryptographic APIs and stems from a regression introduced in Microsoft.AspNetCore.DataProtection versions 10.0.0 through 10.0.6. The broken validation logic causes the managed authenticated encryptor to compute its HMAC validation tag over the wrong bytes of the payload and then discard the computed hash in certain cases. The practical result is that unauthenticated attackers can forge payloads that pass Data Protection’s authenticity checks and decrypt previously protected payloads in authentication cookies, antiforgery tokens, TempData, OIDC state, and similar constructs. Successful exploitation can allow attackers to gain SYSTEM privileges, disclose files, and modify data.

Microsoft has flagged a specific post-patch risk that requires additional action: if an attacker used forged payloads to authenticate as a privileged user during the vulnerable window, the application may have issued legitimately signed tokens, including session tokens, API keys, and password reset links, to the attacker. Those tokens remain valid after upgrading to 10.0.7 unless the Data Protection key ring is rotated. Microsoft recommends updating to version 10.0.7 and redeploying to restore correct validation, followed by key ring rotation to invalidate any tokens issued during the exposure window.

This is the second significant ASP.NET Core vulnerability disclosed in recent months. In October, Microsoft patched an HTTP request smuggling flaw in the Kestrel web server rated with the highest ever severity for an ASP.NET Core security issue.

Who is affected

Any application running ASP.NET Core Data Protection versions 10.0.0 through 10.0.6 is directly exposed. Organizations that applied the .NET 10.0.6 Patch Tuesday update without yet installing the emergency 10.0.7 release remain vulnerable. Applications using authentication cookies, antiforgery tokens, OIDC state, or TempData are all within the attack surface.

Why CISOs should care

The regression was introduced by a routine Patch Tuesday update, which means organizations that followed standard patching practices are the ones now running vulnerable code. That is an uncomfortable dynamic. The post-patch guidance adds a second layer of urgency: patching alone does not close the exposure if attackers have already used forged credentials to obtain legitimately signed tokens. Key ring rotation is not optional for organizations that cannot rule out exploitation during the vulnerable window.

3 practical actions

  1. Update Microsoft.AspNetCore.DataProtection to version 10.0.7 immediately and redeploy: This restores correct HMAC validation and ensures forged payloads are rejected. Patching without redeployment does not activate the fix.
  2. Rotate the Data Protection key ring after upgrading: Any tokens, session credentials, API keys, or password reset links issued to potentially forged sessions during the vulnerable window remain valid until the key ring is rotated. This step is mandatory for organizations that cannot confirm they were not targeted during the exposure period.
  3. Audit authentication logs for anomalous privileged session activity during the vulnerable window: Review logs from the period between the .NET 10.0.6 deployment and the 10.0.7 upgrade for unusual authentication patterns, unexpected privilege escalations, or token issuance to unfamiliar accounts that may indicate exploitation occurred.
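Step 2 as a runnable one-off, added here as an example and not code from Microsoft or from the advisory. It assumes the app persists its key ring to a directory (placeholder path), that the application name matches the web app's setting, and that the 10.0.7 redeploy has already finished; the cutoff date is a constructed placeholder.

```csharp
// Added example: revoke every Data Protection key that existed during the
// exposure window, then create a fresh key so the app has a valid default.
using System;
using System.IO;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

class RotateKeyRing
{
    static void Main()
    {
        // Placeholder: point this at the same key store the web app uses.
        var keyStore = new DirectoryInfo("/srv/app/dp-keys");

        // Placeholder: the moment the 10.0.7 build finished rolling out. Any key
        // created before this could have verified a forged payload, so every one
        // of them is treated as burned.
        var upgradeCompleted = new DateTimeOffset(2026, 4, 20, 0, 0, 0, TimeSpan.Zero);

        var services = new ServiceCollection();
        services.AddDataProtection()
            .PersistKeysToFileSystem(keyStore)
            .SetApplicationName("my-app"); // must match the web app's configuration
        using var provider = services.BuildServiceProvider();
        var keyManager = provider.GetRequiredService<IKeyManager>();

        // Revoke all keys created before the upgrade. Unprotect() throws for a
        // payload protected with a revoked key, so auth cookies, antiforgery tokens,
        // TempData and OIDC state minted in the window stop validating.
        keyManager.RevokeAllKeys(upgradeCompleted, reason: "CVE-2026-40372 exposure window");

        // Create a replacement key that is active now, rather than letting the app
        // generate one lazily on its next request. 90 days is the default lifetime.
        var now = DateTimeOffset.UtcNow;
        IKey newKey = keyManager.CreateNewKey(activationDate: now, expirationDate: now.AddDays(90));

        foreach (var key in keyManager.GetAllKeys())
        {
            Console.WriteLine($"{key.KeyId} created={key.CreationDate:u} revoked={key.IsRevoked}");
        }
        Console.WriteLine($"New default key: {newKey.KeyId}");
    }
}
```

Revoking the ring signs every user out, so schedule it with that in mind; restart the application afterward so it reloads the key ring instead of waiting for its periodic refresh, and if the keys live in blob storage, Redis or another store, swap in the matching `PersistKeysTo...` call.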