Skip to content
Tech News
← Back to articles

Microsoft releases emergency patches for critical ASP.NET flaw

2026-04-22 | original
read original get Microsoft Security Patch Kit → more articles
Why This Matters

Microsoft has issued urgent security patches for a critical ASP.NET Core vulnerability (CVE-2026-40372) that could allow attackers to escalate privileges by forging authentication cookies. This flaw poses a significant risk to application security, potentially enabling unauthorized access and data manipulation, making timely updates essential for developers and organizations relying on ASP.NET Core. The update underscores the importance of rapid response to security vulnerabilities to protect sensitive data and maintain system integrity in the tech industry.

Key Takeaways

Microsoft has released out-of-band (OOB) security updates to patch a critical ASP.NET Core privilege escalation vulnerability.

The security flaw (tracked as CVE-2026-40372) was found in the ASP.NET Core Data Protection cryptographic APIs, and it could allow unauthenticated attackers to gain SYSTEM privileges on affected devices by forging authentication cookies.

Microsoft discovered the flaw following user reports that decryption was failing in their applications after installing the .NET 10.0.6 update release during this month's Patch Tuesday.

"A regression in the Microsoft.AspNetCore.DataProtection 10.0.0-10.0.6 NuGet packages causes the managed authenticated encryptor to compute its HMAC validation tag over the wrong bytes of the payload and then discard the computed hash in some cases," Microsoft says in the .NET 10.0.7 release notes.

"In these cases, the broken validation could allow an attacker to forge payloads that pass DataProtection's authenticity checks, and to decrypt previously-protected payloads in auth cookies, antiforgery tokens, TempData, OIDC state, etc.

"If an attacker used forged payloads to authenticate as a privileged user during the vulnerable window, they may have induced the application to issue legitimately-signed tokens (session refresh, API key, password reset link, etc.) to themselves. Those tokens remain valid after upgrading to 10.0.7 unless the DataProtection key ring is rotated."

As Microsoft further explained in a Tuesday security advisory, this vulnerability can also enable attackers to disclose files and modify data, but they cannot impact the system's availability.

On Tuesday, senior program manager Rahul Bhandari warned all customers whose applications use ASP.NET Core Data Protection to update the Microsoft.AspNetCore.DataProtection package to 10.0.7 as soon as possible, then redeploy to fix the validation routine and ensure that any forged payloads are rejected automatically.

More information regarding affected platforms, packages, and application configuration can be found in the original announcement.

In October, Microsoft also patched an HTTP request smuggling bug (CVE-2025-55315) in the Kestrel web server that was flagged with the "highest ever" severity rating for an ASP.NET Core security flaw.

... continue reading

Explore topics: microsoft asp.net core data protection cve-2026-40372 nuget
Related:
Bring your own Agent to MS Teams
LinkedIn’s CEO is moving on; please hold your tearful video tributes
Microsoft issues emergency update for macOS and Linux ASP.NET threat
You’ll soon be able to use Google Meet’s note-taking tool during in-person meetings
Microsoft's LinkedIn names longtime exec Dan Shapero its new CEO

© 2026 GoKawiil

About | Editorial Policy | Contact