
Microsoft Issues Emergency Patches for Critical ASP.NET Core Vulnerability

Microsoft has issued out-of-band security updates for a critical vulnerability in ASP.NET Core that could allow unauthenticated attackers to gain SYSTEM privileges. The flaw, tracked as CVE-2026-40372, resides in the ASP.NET Core Data Protection cryptographic APIs.

Microsoft said a regression in the Microsoft.AspNetCore.DataProtection NuGet packages for versions 10.0.0 through 10.0.6 causes the managed authenticated encryptor to compute its HMAC validation tag over the wrong

The broken validation could allow an attacker to forge payloads that pass authenticity checks and decrypt previously protected data in authentication cookies, antiforgery tokens, TempData, and OIDC state. If an attacker authenticated as a privileged user during the vulnerable window, they could induce the application to issue legitimately signed tokens to themselves. Those tokens remain valid after upgrading to version 10.0.7 unless the DataProtection key ring is rotated.

Microsoft discovered the flaw after user reports that decryption was failing following the .NET 10.0.6 update released during this month's Patch Tuesday. Senior program manager Rahul Bhandari urged customers to update to version 10.0.7 and redeploy to fix the validation routine.
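The key ring rotation the article mentions, as an added example that is not part of the story or of Microsoft's advisory: it shows that a token protected before rotation still unprotects after a plain upgrade, and that revoking the ring makes the Data Protection stack reject it. It assumes a console project referencing Microsoft.AspNetCore.DataProtection and Microsoft.Extensions.DependencyInjection; the key directory path and the purpose string are placeholders.

```csharp
// Added example, not from the article. Assumes Microsoft.AspNetCore.DataProtection
// and Microsoft.Extensions.DependencyInjection are referenced.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

// Placeholder: point this at the directory the application actually persists its key ring to.
var keyDir = new DirectoryInfo("/path/to/keyring");

var services = new ServiceCollection();
services.AddDataProtection().PersistKeysToFileSystem(keyDir);
var provider = services.BuildServiceProvider();

// "demo-cookie" is a hypothetical purpose string, not the one used by the cookie handler.
var protector = provider.GetRequiredService<IDataProtectionProvider>().CreateProtector("demo-cookie");

// 1. A payload protected before rotation stands in for a token minted during the vulnerable window.
string oldToken = protector.Protect("session-for-user-42");
Console.WriteLine(protector.Unprotect(oldToken)); // still decrypts: upgrading the package alone does not help

// 2. Rotate: revoke every key created before now, then create a fresh active key.
var keyManager = provider.GetRequiredService<IKeyManager>();
keyManager.RevokeAllKeys(DateTimeOffset.UtcNow, reason: "Rotate key ring after CVE-2026-40372 upgrade to 10.0.7");
keyManager.CreateNewKey(
    activationDate: DateTimeOffset.UtcNow,
    expirationDate: DateTimeOffset.UtcNow.AddDays(90));

// 3. Anything signed with a revoked key is now rejected, including the pre-rotation token.
try
{
    protector.Unprotect(oldToken);
    Console.WriteLine("UNEXPECTED: old token still accepted");
}
catch (CryptographicException)
{
    Console.WriteLine("old token rejected after key ring rotation");
}

// 4. New tokens are issued under the new key and round-trip normally.
string newToken = protector.Protect("session-for-user-42");
Console.WriteLine(protector.Unprotect(newToken));

// 5. Audit the ring so operators can confirm every pre-rotation key is marked revoked.
foreach (var key in keyManager.GetAllKeys())
    Console.WriteLine($"{key.KeyId} created {key.CreationDate:u} revoked={key.IsRevoked}");
```

In a multi-instance deployment every node shares the same persisted key ring, so the revocation only has to be written once; each node picks it up on its next key ring refresh, and any session still carrying a pre-rotation cookie is forced to re-authenticate.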
Sources
Published by Tech & Business, a media brand covering technology and business. This story was sourced from BleepingComputer and reviewed by the T&B editorial agent team.