Advisory

Microsoft Issues Emergency Patches for Critical ASP.NET Core Cryptographic Flaw

Take action: If you're running ASP.NET Core apps using the Microsoft.AspNetCore.DataProtection NuGet package (versions 10.0.0 through 10.0.6), especially on Linux or macOS, upgrade immediately to version 10.0.7 and redeploy your applications. After updating, rotate the DataProtection key ring to invalidate any forged tokens or sessions that may have been issued during the vulnerable window.


Learn More

Microsoft released emergency out-of-band security updates to address a critical elevation of privilege vulnerability in ASP.NET Core. 

The flaw is tracked as CVE-2026-40372 (CVSS score 9.1), an improper verification of cryptographic signature in the Microsoft.AspNetCore.DataProtection NuGet package (v10.0.0 to 10.0.6) that allows unauthenticated attackers to forge authentication payloads. The vulnerability occurs because the managed authenticated encryptor computes its HMAC validation tag over the wrong payload bytes and, in some code paths, skips the tag check entirely. An attacker who can submit a protected payload (a cookie, a bearer token, a query-string value) can therefore tamper with it or forge one outright, bypassing the authenticity check that DataProtection is supposed to provide and elevating privileges within the affected application by presenting identities it never issued.

The issue came to light after users reported decryption failures once the .NET 10.0.6 update was installed; investigating those failures exposed the broken validation routine in the authentication stack.

Exploiting this flaw lets an attacker decrypt protected payloads and forge identity tokens. Anything an application protects with DataProtection is exposed: authentication cookies, CSRF (antiforgery) tokens, session and refresh tokens, and API keys or other secrets stored in protected form, which in turn enables unauthorized disclosure of files and data as well as data modification.

The vulnerability impacts applications using the Microsoft.AspNetCore.DataProtection NuGet package versions 10.0.0 through 10.0.6. Windows deployments are generally protected because the default encryptor there is CNG-based, whereas applications running on Linux and macOS, where no CNG implementation exists and DataProtection falls back to the managed encryptor, are exposed in their default configuration.

Additionally, any Windows application that explicitly opted into the managed algorithms via UseCustomCryptographicAlgorithms (with a ManagedAuthenticatedEncryptorConfiguration), or that runs on an older framework such as .NET Framework 4.6.2, is also at risk.

Organizations must upgrade the Microsoft.AspNetCore.DataProtection package to version 10.0.7 and redeploy their applications immediately. Because forged tokens may have been issued during the vulnerable window, administrators should then rotate the DataProtection key ring to invalidate existing sessions. Do it in that order: rotating keys while a vulnerable build is still running buys nothing, since that build will accept forged payloads under the new keys as readily as under the old ones.
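As an added illustration, not Microsoft's code and not taken from the advisory, the following one-off console program performs the two post-upgrade steps above against a file-system key ring: it reports whether this process would use the managed encryptor (an explicit opt-in, or a non-Windows platform), then revokes every existing key and mints a replacement through IKeyManager. The application name, key directory and revocation reason are placeholders and must match the values your deployed application uses, or the tool rotates the wrong key ring.

```csharp
// Added example (not Microsoft's code): one-off key-ring rotation to run after
// upgrading Microsoft.AspNetCore.DataProtection to 10.0.7.
// Hypothetical values: the application name and the key directory below.
using System;
using System.IO;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

var services = new ServiceCollection();
services.AddDataProtection()
    .SetApplicationName("my-app")                                     // hypothetical: must match the app
    .PersistKeysToFileSystem(new DirectoryInfo("/var/keys/my-app"));   // hypothetical: must match the app
// Deliberately no .UseCustomCryptographicAlgorithms(new ManagedAuthenticatedEncryptorConfiguration { ... })
// here: that call is the Windows opt-in to the managed encryptor the advisory warns about.

using var provider = services.BuildServiceProvider();

// 1. Report which encryptor family this process would end up with.
//    An explicit ManagedAuthenticatedEncryptorConfiguration is the opt-in case;
//    off Windows there is no CNG, so the default configuration is backed by the
//    managed encryptor regardless of what is configured.
var options = provider.GetRequiredService<IOptions<KeyManagementOptions>>().Value;
bool explicitManaged = options.AuthenticatedEncryptorConfiguration is ManagedAuthenticatedEncryptorConfiguration;
bool platformManaged = !OperatingSystem.IsWindows();
if (explicitManaged || platformManaged)
{
    Console.WriteLine("Managed encryptor in use: this configuration was affected on 10.0.0-10.0.6.");
}
else
{
    Console.WriteLine("CNG-backed encryptor: not the affected configuration; rotating anyway as a precaution.");
}

// 2. Rotate the ring. RevokeAllKeys marks every key created before 'now' as revoked,
//    so cookies and tokens protected under those keys stop unprotecting; CreateNewKey
//    mints the replacement so the app does not have to wait for auto-generation.
var keyManager = provider.GetRequiredService<IKeyManager>();
var now = DateTimeOffset.UtcNow;
keyManager.RevokeAllKeys(now, reason: "CVE-2026-40372 remediation: invalidate payloads from the vulnerable window");
IKey fresh = keyManager.CreateNewKey(activationDate: now, expirationDate: now.AddDays(90));
Console.WriteLine($"Revoked all keys created before {now:u}; new key {fresh.KeyId} is active.");
```

A running application only notices the revocation on its next key-ring refresh (by default up to 24 hours later), so restart or redeploy the patched build right after running this. Revoked keys are unusable for ordinary Unprotect calls; if a migration genuinely needs to read old payloads, IPersistedDataProtector.DangerousUnprotect with ignoreRevocationErrors set to true is the deliberate escape hatch, and it must not be applied to authentication cookies or other identity-bearing tokens.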
