Microsoft Issues Urgent Patch for Critical ASP.NET Core Vulnerability CVE-2026-40372

Microsoft Releases Urgent Patch for Critical ASP.NET Core Vulnerability

Microsoft has issued an out-of-band security update to address a significant vulnerability in ASP.NET Core, identified as CVE-2026-40372. The flaw, rated CVSS 9.1 out of 10, poses a serious risk: an unauthorized attacker could use it over a network to escalate privileges, potentially gaining SYSTEM-level access.

Understanding the Vulnerability

The core of this issue lies in the improper verification of cryptographic signatures within ASP.NET Core. Specifically, a regression in the Microsoft.AspNetCore.DataProtection NuGet packages, versions 10.0.0 through 10.0.6, causes the managed authenticated encryptor to compute its HMAC validation tag over the wrong bytes of the payload. In some instances the computed hash is discarded altogether, so an attacker can forge payloads that pass DataProtection's authenticity checks. The vulnerability can also be exploited to decrypt previously protected payloads, such as authentication cookies and antiforgery tokens.

Conditions for Exploitation

For an application to be susceptible to this vulnerability, the following conditions must be met:

1. Use of Specific Library Versions: The application uses Microsoft.AspNetCore.DataProtection version 10.0.6 from NuGet, either directly or through a dependency such as Microsoft.AspNetCore.DataProtection.StackExchangeRedis.

2. Runtime Loading of the Vulnerable Library: The NuGet package's copy of the library is the one actually loaded when the application runs.

3. Operating System Environment: The application operates on non-Windows platforms, such as Linux or macOS.
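The three conditions above can be checked from inside the running process rather than inferred from project files. The following C# is an added example, not code from the advisory or from ASP.NET Core: it reports which Microsoft.AspNetCore.DataProtection assembly was loaded, whether its version falls in the 10.0.0 to 10.0.6 range the advisory names, whether the process is on a non-Windows platform, and whether the assembly came from the shared framework (Microsoft.AspNetCore.App) or from an app-local copy, which is what a NuGet package reference produces. The path test on "shared/Microsoft.AspNetCore.App" is an assumption (a heuristic), as is the treatment of single-file bundles as app-local.

```csharp
// Added example (not from the advisory or ASP.NET Core): describe the DataProtection
// assembly this process actually loaded and compare it with the advisory's preconditions.
using System;
using System.Reflection;
using Microsoft.AspNetCore.DataProtection;

public sealed record DataProtectionLoadReport(
    string Version,
    string Location,
    bool LoadedFromSharedFramework,
    bool IsNonWindows,
    bool VersionInAdvisoryRange,
    bool MeetsAllAdvisoryConditions);

public static class DataProtectionLoadCheck
{
    // Range named in the advisory: 10.0.0 through 10.0.6 affected, 10.0.7 fixed.
    private static readonly Version FirstAffected = new(10, 0, 0);
    private static readonly Version FirstFixed = new(10, 0, 7);

    public static DataProtectionLoadReport Inspect()
    {
        // DataProtectionProvider is defined in Microsoft.AspNetCore.DataProtection.dll itself
        // (not in the Abstractions assembly), so its Assembly is the copy that matters.
        Assembly asm = typeof(DataProtectionProvider).Assembly;

        string informational =
            asm.GetCustomAttribute<AssemblyInformationalVersionAttribute>()?.InformationalVersion
            ?? asm.GetName().Version?.ToString()
            ?? "unknown";

        // Informational versions look like "10.0.6+<commit>"; keep only the numeric part.
        string numeric = informational.Split('+', '-')[0];
        bool inRange = Version.TryParse(numeric, out Version? v)
            && v >= FirstAffected && v < FirstFixed;

        // Heuristic (assumption): the shared framework lives under
        // <dotnet root>/shared/Microsoft.AspNetCore.App/<version>/. Anything else is app-local,
        // which is where a NuGet package reference puts the DLL. Assembly.Location is empty
        // for single-file bundles; those are treated as app-local too.
        string location = asm.Location;
        bool sharedFramework = location.Length > 0 &&
            location.Replace('\\', '/')
                    .Contains("/shared/Microsoft.AspNetCore.App/", StringComparison.OrdinalIgnoreCase);

        bool nonWindows = !OperatingSystem.IsWindows();

        return new DataProtectionLoadReport(
            Version: informational,
            Location: location.Length > 0 ? location : "(single-file bundle)",
            LoadedFromSharedFramework: sharedFramework,
            IsNonWindows: nonWindows,
            VersionInAdvisoryRange: inRange,
            MeetsAllAdvisoryConditions: inRange && !sharedFramework && nonWindows);
    }
}
```

Call DataProtectionLoadCheck.Inspect() once at startup and log the record; a report with MeetsAllAdvisoryConditions set to true is the signal to update before the next deployment. As a build-time complement, dotnet list package --include-transitive shows whether Microsoft.AspNetCore.DataProtection is being pulled in through a dependency such as the Redis provider, which is how an application can end up with the NuGet copy without referencing it directly.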

Potential Impact

If exploited, this vulnerability allows attackers to:

– Elevate Privileges: Gain SYSTEM-level privileges, providing extensive control over the affected system.

– Access Sensitive Data: Decrypt and access confidential information stored within authentication cookies and antiforgery tokens.

– Modify Data: Alter data within the application, potentially leading to data integrity issues.

Mitigation Steps

To protect against this vulnerability, Microsoft recommends the following actions:

1. Update to ASP.NET Core Version 10.0.7: Microsoft has addressed this issue in ASP.NET Core version 10.0.7. Developers should update their applications to this version promptly to mitigate the risk.

2. Rotate the DataProtection Key Ring: If an attacker exploited the vulnerability to authenticate as a privileged user during the vulnerable period, they may have obtained legitimately signed tokens (e.g., session refresh tokens, API keys, password reset links). Those tokens remain valid after updating to version 10.0.7 unless the DataProtection key ring is rotated, so rotating the key ring to invalidate any potentially compromised tokens is an essential second step.
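The rotation in step 2 has a detail worth spelling out: in ASP.NET Core DataProtection, creating a new key does not by itself invalidate payloads protected under older keys, because those keys stay usable for Unprotect until they are revoked. The following C# is an added example, not code from the advisory or from ASP.NET Core. It revokes every key created before the rotation point with IKeyManager.RevokeAllKeys, then creates a replacement key that is active immediately, so that existing authentication cookies and antiforgery tokens stop validating while the application can keep issuing new ones. The "--rotate-keys" switch, the revocation reason string and the 90-day lifetime are this example's own choices; the key storage configuration is assumed to match whatever the deployment already uses.

```csharp
// Added example (not from the advisory or ASP.NET Core): one-shot key ring rotation to run
// once after the application has been updated to 10.0.7.
using System;
using System.Linq;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Assumption: configure key storage exactly as production does (PersistKeysToFileSystem,
// the Redis provider named in the advisory, etc.) so the rotation reaches the shared key ring
// and not a throwaway local one.
builder.Services.AddDataProtection();

var app = builder.Build();

if (args.Contains("--rotate-keys"))
{
    var keyManager = app.Services.GetRequiredService<IKeyManager>();
    IKey fresh = KeyRingRotation.RotateAfterIncident(
        keyManager,
        reason: "CVE-2026-40372: key ring rotation after patching to 10.0.7",
        newKeyLifetime: TimeSpan.FromDays(90));
    Console.WriteLine($"Revoked all prior keys; new key {fresh.KeyId} active until {fresh.ExpirationDate:u}");
    return;
}

app.Run();

public static class KeyRingRotation
{
    public static IKey RotateAfterIncident(IKeyManager keyManager, string reason, TimeSpan newKeyLifetime)
    {
        DateTimeOffset now = DateTimeOffset.UtcNow;

        // Revoke every key created before 'now'. From this point on, Unprotect of any payload
        // that was protected with one of those keys fails, which is what invalidates tokens
        // issued or forged during the vulnerable window.
        keyManager.RevokeAllKeys(now, reason);

        // Issue a replacement key that is active immediately. Without it the application
        // could not protect new cookies until the key ring's normal rollover created one.
        return keyManager.CreateNewKey(activationDate: now, expirationDate: now.Add(newKeyLifetime));
    }
}
```

Run the rotation once against the shared key repository, not once per instance; every instance that shares the repository picks up the revocations and the new key on its next key ring refresh. Expect all users to be signed out and all outstanding antiforgery tokens to fail, which is the intended effect. Tokens that are not DataProtection payloads at all (for example API keys stored in a database) are outside the key ring's reach and need their own revocation.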

Broader Context

This incident underscores the importance of vigilant patch management and the need for developers to stay informed about security updates. Microsoft’s proactive approach in releasing an out-of-band update highlights the severity of the issue and the company’s commitment to maintaining the security of its products.

In recent times, vulnerabilities in Microsoft’s products have been a focal point for attackers. For instance, in February 2026, Microsoft patched 59 vulnerabilities, including six zero-days that were actively exploited. Similarly, in April 2025, the company addressed 125 flaws, with one being actively exploited in the wild. These instances highlight the persistent threats targeting widely used software platforms and the necessity for timely updates and patches.

Conclusion

The CVE-2026-40372 vulnerability in ASP.NET Core serves as a critical reminder for organizations and developers to prioritize security updates and adhere to best practices in software development. By promptly updating to the latest versions and implementing recommended security measures, the risk of exploitation can be significantly reduced, ensuring the integrity and security of applications.