Microsoft Issues Emergency Patch for ASP.NET Core Data Protection Privilege Escalation

Tags: identity-authentication-vulnerability, widely-deployed-product-advisory, open-source-dependency-vulnerability, internet-facing-service-vulnerability, patch-regression
Updated April 23, 2026 at 05:01 PM, 13 sources

Microsoft released an out-of-band update for Microsoft.AspNetCore.DataProtection 10.0.7 to fix CVE-2026-40372, a critical ASP.NET Core elevation-of-privilege flaw caused by improper verification of cryptographic signatures (CWE-347). The regression affects package versions 10.0.0 through 10.0.6 and was uncovered while Microsoft investigated customer-reported decryption failures after the .NET 10.0.6 Patch Tuesday release. Microsoft said the bug in the managed authenticated encryptor could let unauthenticated attackers bypass HMAC validation, forge authentication cookies and other protected payloads, decrypt some protected data, and potentially authenticate as privileged users.

The vulnerability primarily affects applications running the vulnerable NuGet package at runtime on Linux, macOS, and other non-Windows systems, with some net462 and netstandard2.0 consumers also exposed; Microsoft said Windows deployments and the 8.0.x and 9.0.x branches are not affected under the described conditions. Because ASP.NET Core Data Protection is widely used for cookies, tokens, anti-forgery protections, TempData, and similar application state, successful exploitation can enable file disclosure and data modification without impacting availability. Microsoft urged organizations to upgrade to 10.0.7, rebuild and redeploy affected applications, rotate the DataProtection key ring, and audit long-lived tokens, API keys, password reset links, and logs because legitimately signed artifacts issued during exploitation may remain valid after patching.

Timeline

  1. Apr 21, 2026

    Microsoft releases emergency .NET 10.0.7 out-of-band security update

    On April 21, 2026, Microsoft released the out-of-band .NET 10.0.7 and Microsoft.AspNetCore.DataProtection 10.0.7 update to fix CVE-2026-40372. Customers were urged to upgrade immediately, rebuild and redeploy affected applications, and verify runtime versions after installation.

  2. Apr 21, 2026

    Technical exploitation details for CVE-2026-40372 become public

    Public reporting described how an unauthenticated attacker could tamper with a DataProtection payload, replace the final 32-byte HMAC with null bytes, and exploit flawed MAC validation to decrypt modified claims. The technique could produce forged principals and enable elevated or administrative access.

  3. Apr 21, 2026

    Microsoft publishes advisory and remediation guidance for affected apps

    Microsoft's advisory identified the issue as CWE-347 with CVSS 8.1, noted that Linux, macOS, and some net462/netstandard2.0 consumers were primarily affected, and said Windows deployments and 8.0.x/9.0.x branches were not affected under the described conditions. It recommended upgrading to 10.0.7 or later, rotating the DataProtection key ring, and auditing long-lived tokens and logs for abuse.

  4. Apr 21, 2026

    Microsoft discloses CVE-2026-40372 in ASP.NET Core Data Protection

    On April 21, 2026, Microsoft disclosed CVE-2026-40372, an ASP.NET Core elevation of privilege vulnerability affecting Microsoft.AspNetCore.DataProtection versions 10.0.0 through 10.0.6. Microsoft said the flaw could let attackers forge authentication cookies, decrypt some protected payloads, and gain privileged access in affected deployments.

  5. Apr 21, 2026

    Users report decryption failures after .NET 10.0.6 Patch Tuesday update

    Microsoft began investigating customer-reported decryption failures that appeared after installation of the .NET 10.0.6 Patch Tuesday update. The investigation led to discovery of a regression in ASP.NET Core Data Protection.
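Added example, not ASP.NET Core's code and not the real Data Protection payload format: a simplified Python model of the Encrypt-then-MAC validation the advisory describes, showing the checks a validator must complete before it hands back a payload (length, key lookup, constant-time tag comparison) and why the remediation pairs rotating the key ring with retiring the keys that were in use. The KeyRing class, the key-id prefix and the payload layout are assumptions; the body stands in for the ciphertext and the encryption step is omitted so the example runs on the standard library alone.

```python
import hashlib
import hmac
import secrets

MAC_LEN = 32     # HMAC-SHA256 tag: the "final 32-byte HMAC" in the advisory
KEY_ID_LEN = 16  # hypothetical key-ring identifier prefixed to each payload

class KeyRing:  # minimal model of a rotating key ring with per-key revocation
    def __init__(self):
        self._keys = {}        # key_id -> 32-byte MAC key
        self._revoked = set()
        self.default_key_id = self.rotate()

    def rotate(self):  # new default key; older keys still unprotect until revoked
        key_id = secrets.token_bytes(KEY_ID_LEN)
        self._keys[key_id] = secrets.token_bytes(32)
        self.default_key_id = key_id
        return key_id

    def revoke(self, key_id):  # refuse anything issued under key_id, tag or not
        self._revoked.add(key_id)

    def protect(self, body):
        # Encrypt-then-MAC layout: key_id || body || HMAC(key_id || body).
        key_id = self.default_key_id
        tag = hmac.new(self._keys[key_id], key_id + body, hashlib.sha256).digest()
        return key_id + body + tag

    def unprotect(self, payload):
        if len(payload) < KEY_ID_LEN + MAC_LEN + 1:
            raise ValueError("payload too short to carry a tag")
        key_id, body, tag = payload[:KEY_ID_LEN], payload[KEY_ID_LEN:-MAC_LEN], payload[-MAC_LEN:]
        if key_id not in self._keys or key_id in self._revoked:
            raise ValueError("unknown or revoked key id")
        expected = hmac.new(self._keys[key_id], key_id + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time, length-aware
            raise ValueError("MAC mismatch")
        return body

def forged_payload(payload, new_body):
    # Constructed test input: modified body with the 32-byte tag replaced by null bytes.
    return payload[:KEY_ID_LEN] + new_body + bytes(MAC_LEN)

def is_rejected(ring, payload):
    try:
        ring.unprotect(payload)
    except ValueError:
        return True
    return False
```

Rotating alone keeps old payloads valid; only revoking the old key id invalidates artifacts issued under it, which is why the advisory pairs rotation with an audit of long-lived tokens.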

Sources

April 23, 2026 at 10:55 AM: 13 sources, including Cyber Security News, BleepingComputer, InfoWorld, Microsoft developer blogs and MSRC security advisories.

Related Stories

Microsoft Patches Remote Denial-of-Service Vulnerabilities in .NET and ASP.NET Core

Microsoft published security advisories for two **Important** remote **denial-of-service (DoS)** vulnerabilities affecting **.NET** and **ASP.NET Core**: **CVE-2026-26127** and **CVE-2026-26130**. Both issues are scored **CVSS 3.1 7.5** with `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`, indicating network-reachable exploitation with low complexity, no privileges, and no user interaction, resulting in high availability impact. CVE-2026-26127 is described as a **.NET DoS** condition associated with **CWE-125 (Out-of-bounds Read)**, while CVE-2026-26130 is an **ASP.NET Core DoS** issue associated with **CWE-770 (Allocation of Resources Without Limits or Throttling)**. Organizations running internet-exposed or high-availability services on these frameworks should prioritize applying Microsoft’s updates and review service-level protections (e.g., request throttling and resource limits) where applicable to reduce DoS risk.

1 month ago
Microsoft March 2026 Patch Tuesday Fixes Two Zero-Days and Dozens of Vulnerabilities

Microsoft’s March 2026 Patch Tuesday shipped fixes for **79 vulnerabilities**, including **two zero-day flaws**. Public reporting and third-party patch reviews highlight a mix of *Important* and *Critical* issues across Microsoft’s ecosystem, including **.NET** (`CVE-2026-26127` DoS; `CVE-2026-26131` EoP), **Active Directory Domain Services** (`CVE-2026-25177` EoP), **ASP.NET Core** (`CVE-2026-26130` DoS), and multiple Azure components such as **ACI Confidential Containers** (`CVE-2026-23651`, `CVE-2026-26124` EoP; `CVE-2026-26122` information disclosure) and **Azure IoT Explorer** (`CVE-2026-26121` spoofing; `CVE-2026-23661/23662/23664` information disclosure). Independent analysis (ZDI and SANS ISC) corroborated the breadth of affected products and provided additional scoring/metadata, including CVSS ratings and exploitability flags. ZDI’s review also called out additional *Critical* items in the release such as **Microsoft Office RCE** (`CVE-2026-26110`, `CVE-2026-26113`) and other high-impact vulnerabilities, while SANS ISC’s Patch Tuesday coverage additionally noted bundled **Chromium**-tracked fixes (multiple `CVE-2026-3536` through `CVE-2026-3544` entries) that commonly map to Microsoft’s browser/embedded Chromium components. Organizations should prioritize patching systems exposed to untrusted content or authentication boundaries (e.g., Office, AD DS, Azure agents/extensions) and validate deployment coverage across both Windows and cloud-connected workloads.

1 month ago
Critical Request Smuggling Vulnerability in ASP.NET Core Kestrel Web Server

Microsoft has addressed a critical security vulnerability in the Kestrel web server component of ASP.NET Core, tracked as CVE-2025-55315, which received a CVSS severity score of 9.9—the highest ever assigned by Microsoft to a flaw in this framework. The vulnerability enables HTTP request smuggling, a technique where an attacker can embed a malicious request within a legitimate one, potentially bypassing authentication and other security controls. This flaw affects all currently supported versions of ASP.NET Core, including versions 8, 9, and 10, as well as the older ASP.NET Core 2.3 running on the Windows-only .NET Framework. According to Microsoft’s security advisory, the vulnerability allows authenticated attackers to exploit inconsistent HTTP request interpretation, leading to the bypass of security features over a network. Security program manager Barry Dorrans explained that a successful attack could allow an adversary to log in as a different user, circumvent cross-site request forgery (CSRF) protections, or perform injection attacks. The actual risk posed by this vulnerability is highly dependent on the specific application code and deployment configuration, with the most severe outcomes occurring in applications that do not properly validate or handle HTTP requests. Dorrans emphasized that while the vulnerability is serious, the likelihood of exploitation is reduced if applications are well-designed and if reverse proxies or gateways are used to filter out smuggled requests. The high CVSS score reflects the potential for a security feature bypass that changes the scope of access, rather than the likelihood of exploitation in all environments. Developers have sought clarification on what constitutes vulnerable application code, but Microsoft has indicated that any application performing authentication or access control based on HTTP requests could be at risk if not properly secured. 
Kestrel is widely used as the default web server for ASP.NET Core applications, both behind reverse proxies and as a direct-facing server, increasing the potential exposure. Microsoft’s patch addresses the underlying issue in Kestrel, and organizations are urged to apply updates promptly to mitigate the risk. The vulnerability highlights the importance of secure coding practices and the need for defense-in-depth measures, such as using reverse proxies to sanitize incoming requests. Security teams should review their ASP.NET Core deployments, especially those directly exposing Kestrel to the internet, to ensure they are not susceptible to request smuggling attacks. The incident underscores the evolving complexity of web application security and the critical role of timely patch management. Microsoft’s response demonstrates a commitment to transparency and rapid remediation for high-severity vulnerabilities in its ecosystem. Organizations leveraging ASP.NET Core should remain vigilant for further advisories and best practice recommendations from Microsoft and the broader security community.

1 month ago