Skip to main content
CybersecurityVulnerability Management

Microsoft Disrupts ASP.NET Flaw Allowing SYSTEM Privilege Escalation

Close-up of laptop screen with code, developer in background looks on with concern.
"A regression in the Microsoft.AspNetCore.DataProtection 10.0.0-10.0.6 NuGet packages causes the managed authenticated encryptor to compute its HMAC validation tag over the wrong bytes of the payload and then discard the computed hash in some cases," Microsoft says in the .NET 10.0.7 release notes.

CVE-2026-40372: what the bug does

Microsoft has released out-of-band security updates to patch a critical ASP.NET Core privilege escalation vulnerability tracked as CVE-2026-40372. The flaw sits in the ASP.NET Core Data Protection cryptographic APIs. According to Microsoft, the bug can allow unauthenticated attackers to forge authentication cookies and thereby gain SYSTEM privileges on affected devices.

Technically, the regression causes the managed authenticated encryptor to compute an HMAC validation tag over the wrong bytes of the payload and, in some cases, to discard that computed hash. Where validation is broken in this way, an attacker can forge payloads that will pass DataProtection’s authenticity checks and can also decrypt previously protected payloads such as authentication cookies.

Which packages and tokens are affected

Microsoft identifies the problem as present in Microsoft.AspNetCore.DataProtection versions 10.0.0 through 10.0.6 distributed via NuGet. The company lists several common DataProtection consumers that could be affected: authentication cookies, antiforgery tokens, TempData, and OIDC state. Microsoft further warns that an attacker who used forged payloads to authenticate as a privileged user during the vulnerable window might induce an application to issue legitimately signed tokens — session refresh tokens, API keys, password reset links and similar artifacts.

Crucially, Microsoft notes that tokens issued during the vulnerable window remain valid after upgrading to .NET 10.0.7 unless the DataProtection key ring is rotated. That caveat makes post-patch key rotation a material step for organizations seeking to render forged or illicitly obtained tokens unusable.

Microsoft’s response and operational guidance

Microsoft released the .NET 10.0.7 update out of band after user reports that decryption stopped working in applications following the .NET 10.0.6 update released during this month’s Patch Tuesday. In an accompanying security advisory published Tuesday, Microsoft said the vulnerability can also enable attackers to disclose files and modify data; it said attackers could not impact system availability through this flaw.

Senior program manager Rahul Bhandari warned customers whose applications use ASP.NET Core Data Protection to update the Microsoft.AspNetCore.DataProtection package to 10.0.7 as soon as possible and then redeploy. That redeploy step, Microsoft explains, fixes the validation routine so that forged payloads are rejected automatically. Microsoft also points customers to the original announcement for further platform-, package-, and configuration-specific details.

What this means for technologists, enterprises, and adversaries

  • Technologists and security teams: Immediately upgrade the Microsoft.AspNetCore.DataProtection package to 10.0.7 and redeploy applications. After patching, rotate the DataProtection key ring if there is any risk that forged or previously decrypted tokens were issued; otherwise, those tokens remain valid despite the update.
  • Affected enterprises and procurement leaders: Audit applications that consume ASP.NET Core Data Protection — especially those issuing session refresh tokens, API keys, password reset links, or relying on TempData and antiforgery tokens — and confirm both the package level and that redeployments have completed across environments.
  • Adversaries and threat actors: The vulnerability offers a path to privilege escalation without authentication by forging DataProtection payloads. Microsoft’s advisory reframes the window of risk: exploitation during the vulnerable period can produce legitimately signed tokens that survive a later patch unless the key ring is rotated.

Related patches and the update cadence

This emergency update follows other high-severity fixes from Microsoft. In October, Microsoft patched an HTTP request smuggling bug in the Kestrel web server (CVE-2025-55315) that the company described as the "highest ever" severity rating for an ASP.NET Core security flaw; successful exploitation allowed authenticated attackers to hijack other users' credentials, bypass front-end security controls, or crash the server. Separately, Microsoft released another set of out-of-band updates on Monday to address issues affecting Windows Server systems after the April 2026 security updates.

The sequence — Patch Tuesday followed by emergent out-of-band fixes — highlights how quickly a regression in a core cryptographic routine can ripple through dependent applications and demand immediate corrective action.

Microsoft’s fix closes the validation defect in the runtime, but the company’s own notes leave a clear operational choice: upgrading to 10.0.7 repairs the validator going forward; rotating the DataProtection key ring is required to invalidate any tokens issued or forged during the vulnerable window. Which of those steps organizations prioritize will determine whether an exploit remains a historical incident or a continuing risk.

Original story