Microsoft has released an emergency, out‑of‑band security update to fix a critical vulnerability in the widely used web framework ASP.NET Core, urging organisations to patch immediately. The flaw, tracked as CVE‑2026‑40372, affects the ASP.NET Core Data Protection cryptographic component and could allow unauthenticated attackers to forge authentication cookies and escalate privileges to the SYSTEM level.
The vulnerability is rated 9.1 on the CVSS scale, reflecting a high‑impact, network‑based privilege‑escalation risk. Microsoft has described the issue as a cryptographic flaw in the HMAC validation logic within the Data Protection API, which underpins features such as authentication cookies, antiforgery tokens, TempData, and other sensitive payloads.
How the Flaw Works
The weakness came to light after the release of .NET 10.0.6, when users reported decryption failures in their ASP.NET Core applications. Microsoft’s investigation found that the Microsoft.AspNetCore.DataProtection packages from versions 10.0.0 to 10.0.6 incorrectly compute or discard HMAC validation tags in some cases, allowing an attacker to craft payloads that pass integrity checks when they should not.
Attackers could exploit this to:
- Forge authentication cookies and impersonate legitimate users,
- Access antiforgery tokens and session data, and
- Obtain password reset links, API keys, and session tokens that applications would treat as genuine.
Any tokens an attacker forged or obtained while a vulnerable version was deployed could remain valid after the system is patched, unless the Data Protection key ring is rotated.
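The following is an added illustration, not code from the original article and not the ASP.NET Core Data Protection implementation: it models the failure class the advisory describes (an integrity tag that is discarded instead of checked) with a toy encrypt‑then‑MAC protector, so that the practical consequence for an authentication cookie is visible. The cipher, the cookie format and the names `protect`, `unprotect_broken`, `unprotect_fixed` and `forge` are all assumptions made for the example; the real flaw's mechanics are not public beyond what the article states.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output length


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy counter-mode keystream built from SHA-256; illustrative only,
    # chosen so the example runs with the standard library alone.
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC(key, nonce || ciphertext)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = _xor(plaintext, _keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def _split(blob: bytes):
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("payload too short")
    return blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]


def unprotect_broken(key: bytes, blob: bytes) -> bytes:
    """Flawed validator (hypothetical): the tag is sliced off and then
    discarded, so any ciphertext of the right shape passes 'validation'."""
    nonce, ct, _tag_ignored = _split(blob)
    return _xor(ct, _keystream(key, nonce, len(ct)))


def unprotect_fixed(key: bytes, blob: bytes) -> bytes:
    """Correct validator: recompute the tag and compare it in constant time
    before the ciphertext is decrypted or used."""
    nonce, ct, tag = _split(blob)
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return _xor(ct, _keystream(key, nonce, len(ct)))


def forge(blob: bytes, known_plain: bytes, wanted_plain: bytes) -> bytes:
    """Attacker side, no key needed: a stream cipher is malleable, so XORing
    the ciphertext with (known XOR wanted) changes what it decrypts to.
    The stale tag is kept; only a validator that really checks it notices."""
    if len(known_plain) != len(wanted_plain):
        raise ValueError("this toy forgery needs equal-length plaintexts")
    nonce, ct, tag = _split(blob)
    return nonce + _xor(ct, _xor(known_plain, wanted_plain)) + tag


def demo(key=None):
    """Returns (what the broken validator accepts, whether the fixed one rejects)."""
    key = key or secrets.token_bytes(32)
    # Constructed sample cookie payloads; "user " is padded so both have equal length.
    genuine = b'{"sub":"alice","role":"user "}'
    wanted = b'{"sub":"alice","role":"admin"}'
    forged = forge(protect(key, genuine), genuine, wanted)
    accepted_by_broken = unprotect_broken(key, forged)
    try:
        unprotect_fixed(key, forged)
        fixed_rejects = False
    except ValueError:
        fixed_rejects = True
    return accepted_by_broken, fixed_rejects


if __name__ == "__main__":
    got, rejected = demo()
    print("broken validator returned:", got)
    print("fixed validator rejected the forgery:", rejected)
```

The point of the example is the asymmetry in the last two results: the attacker never learns the key, yet the validator that skips the tag comparison hands back a cookie with `"role":"admin"`, while the validator that compares the recomputed tag rejects the same bytes. It also shows why patching alone is not the end of the story: if the key ring is not rotated, any payload the attacker managed to obtain or have issued during the exposure window still carries a genuine tag under the old key and keeps validating.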
Impact, Fix, and Mitigation
Microsoft’s advisory makes clear that the vulnerability can enable attackers to read, disclose, and modify sensitive data but does not directly impact system availability. The company stresses that the risk is highest for applications that use Microsoft.AspNetCore.DataProtection 10.0.x on Linux, macOS, or other non‑Windows platforms, though the underlying package is used widely across enterprise web and API services.
The fix is contained in .NET 10.0.7, where Microsoft has corrected the HMAC‑validation logic. The company strongly advises all developers and organisations to update the Microsoft.AspNetCore.DataProtection package to version 10.0.7, redeploy applications, and rotate their Data Protection key rings to invalidate potentially compromised tokens.
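A quick way to find where the affected package is pulled in is to run `dotnet list package --include-transitive` in each project and check the resolved versions against the range the advisory names. The script below is an added example, not part of the article or of any Microsoft tooling; it parses that command's output (a constructed sample is embedded so it runs offline) and flags Data Protection packages resolved to 10.0.0 through 10.0.6. The prefix match on `Microsoft.AspNetCore.DataProtection` is an assumption chosen to be conservative, so sub‑packages such as `.Abstractions` are flagged for review as well.

```python
import re

PKG_PREFIX = "Microsoft.AspNetCore.DataProtection"
AFFECTED_MIN = (10, 0, 0)
AFFECTED_MAX = (10, 0, 6)  # 10.0.7 carries the fix
VERSION_RE = re.compile(r"^\d+(?:\.\d+){0,3}(?:-[0-9A-Za-z.]+)?$")

# Constructed sample of `dotnet list package --include-transitive` output.
SAMPLE_OUTPUT = """\
Project 'WebApp' has the following package references
   [net10.0]:
   Top-level Package                                   Requested   Resolved
   > Microsoft.AspNetCore.DataProtection               10.0.3      10.0.3
   > Serilog.AspNetCore                                 9.0.0       9.0.0

   Transitive Package                                  Resolved
   > Microsoft.AspNetCore.DataProtection.Abstractions   10.0.3
   > Microsoft.Extensions.Logging.Abstractions          10.0.3
"""


def parse_version(text: str):
    """'10.0.3' -> (10, 0, 3); a prerelease suffix such as '-rc.1' is dropped."""
    if not VERSION_RE.match(text):
        raise ValueError(f"not a plain package version: {text!r}")
    core = text.split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_affected(version: str) -> bool:
    """True when the resolved version falls inside the advisory's 10.0.0..10.0.6 range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def scan_package_list(output: str):
    """Return (package, resolved version, affected?) for each Data Protection
    package row. Rows start with '>' and end with the resolved version column."""
    findings = []
    for line in output.splitlines():
        row = line.strip()
        if not row.startswith(">"):
            continue
        cols = row[1:].split()
        if len(cols) < 2:
            continue
        name, resolved = cols[0], cols[-1]
        if name == PKG_PREFIX or name.startswith(PKG_PREFIX + "."):
            findings.append((name, resolved, is_affected(resolved)))
    return findings


if __name__ == "__main__":
    for name, version, affected in scan_package_list(SAMPLE_OUTPUT):
        status = "AFFECTED - update to 10.0.7" if affected else "ok"
        print(f"{name:55} {version:10} {status}")
```

Feed it real output with `dotnet list package --include-transitive > packages.txt` and `scan_package_list(open("packages.txt").read())`. One caveat: an application that consumes Data Protection through the Microsoft.AspNetCore.App shared framework rather than an explicit package reference will not show a row here at all; for those, the relevant check is the installed runtime version (`dotnet --list-runtimes`) and the version the application is deployed against.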
Security experts also recommend that affected organisations review logs for suspicious authentication activity, revoke existing session tokens, and enforce multi‑factor authentication and Zero Trust‑style controls for high‑privilege workflows.
