Microsoft Patches ASP.NET Core Privilege Escalation CVE-2026-40372
On April 21, 2026, Microsoft shipped an out-of-band patch for a cryptographic signature validation flaw in the ASP.NET Core Data Protection API.
Tracked as CVE-2026-40372, the vulnerability carries a CVSS score of 9.1 and allows unauthenticated privilege escalation.
Vulnerability Summary
CVE-2026-40372 stems from a regression in the cryptographic verification logic of the Managed Authenticated Encryptor in the Microsoft.AspNetCore.DataProtection package.
| Item | Details |
|---|---|
| Vulnerability class | Improper verification of cryptographic signature (CWE-347) |
| CVSS v3.1 score | 9.1 |
| Attack vector | Network (no authentication required) |
| Attack complexity | Low (no preconditions) |
| Scope | Unchanged |
| Confidentiality impact | High (disclosure of the contents of protected tokens and credentials) |
| Integrity impact | High (token forgery) |
| Availability impact | None |
Root Cause and Attack Mechanics
In the vulnerable builds, the HMAC verification logic of the managed authenticated encryptor is broken in three distinct ways.
| Defect | Detail |
|---|---|
| Wrong region hashed | HMAC was computed over only part of the payload |
| Computed hash discarded | The HMAC was calculated and then thrown away without being checked |
| Verification path missing | A code path existed that skipped MAC verification entirely |
Combined, these defects mean a tampered payload is never rejected by its MAC and reaches the cipher anyway. An attacker can submit modified ciphertexts and read the application's differing responses as a padding oracle to decrypt protected payloads, and can mint forged authentication tokens that the application accepts as genuine.
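The three defects are easier to see beside a correct check. What follows is an added illustration, not Microsoft's code and not the Data Protection API: a toy encrypt-then-MAC protector (AES-CBC with HMAC-SHA256, the same construction class as the managed encryptor) with a correct Unprotect next to a deliberately broken one in which each of the three defects can be switched on. The keys, the payload and the tampering are constructed for the demonstration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class ToyProtector
{
    // Blob layout: IV (16) || AES-CBC ciphertext || HMAC-SHA256 tag (32) over IV || ciphertext.
    const int IvLen = 16, TagLen = 32;

    // Bytes the tag must cover: everything except the tag itself.
    // Defect 1 ("wrong region hashed") covers only the IV, leaving the ciphertext unauthenticated.
    static ReadOnlySpan<byte> MacRegion(byte[] blob, bool wrongRegion) =>
        wrongRegion ? blob.AsSpan(0, IvLen) : blob.AsSpan(0, blob.Length - TagLen);

    public static byte[] Protect(byte[] encKey, byte[] macKey, byte[] plaintext, bool wrongRegion = false)
    {
        using var aes = Aes.Create();
        aes.Key = encKey;
        byte[] iv = RandomNumberGenerator.GetBytes(IvLen);
        byte[] ct = aes.EncryptCbc(plaintext, iv, PaddingMode.PKCS7);
        byte[] blob = new byte[IvLen + ct.Length + TagLen];
        iv.CopyTo(blob, 0);
        ct.CopyTo(blob, IvLen);
        HMACSHA256.HashData(macKey, MacRegion(blob, wrongRegion), blob.AsSpan(IvLen + ct.Length));
        return blob;
    }

    static byte[] Decrypt(byte[] encKey, byte[] blob)
    {
        using var aes = Aes.Create();
        aes.Key = encKey;
        return aes.DecryptCbc(blob.AsSpan(IvLen, blob.Length - IvLen - TagLen), blob.AsSpan(0, IvLen), PaddingMode.PKCS7);
    }

    // Correct: MAC over the whole authenticated region, compared in constant time, before the
    // cipher is touched. A tampered blob never reaches the padding check, so there is no oracle.
    public static byte[] Unprotect(byte[] encKey, byte[] macKey, byte[] blob)
    {
        if (blob.Length < IvLen + TagLen + 16) throw new CryptographicException("payload too short");
        byte[] expected = HMACSHA256.HashData(macKey, MacRegion(blob, wrongRegion: false));
        if (!CryptographicOperations.FixedTimeEquals(expected, blob.AsSpan(blob.Length - TagLen)))
            throw new CryptographicException("MAC mismatch");
        return Decrypt(encKey, blob);
    }

    // Broken: the three defects from the table, one per flag. With any of them on, a modified
    // ciphertext is decrypted anyway and the caller learns whether its padding was valid.
    public static byte[] UnprotectBroken(byte[] encKey, byte[] macKey, byte[] blob,
                                         bool wrongRegion, bool discardHash, bool skipPath)
    {
        if (!skipPath)                                                 // defect 3: a path with no verification
        {
            byte[] computed = HMACSHA256.HashData(macKey, MacRegion(blob, wrongRegion));   // defect 1
            if (!discardHash &&                                        // defect 2: computed, never compared
                !CryptographicOperations.FixedTimeEquals(computed, blob.AsSpan(blob.Length - TagLen)))
                throw new CryptographicException("MAC mismatch");
        }
        return Decrypt(encKey, blob);
    }

    static string Outcome(Func<byte[]> unprotect)
    {
        try { unprotect(); return "accepted"; }
        catch (CryptographicException e) { return e.Message; }
    }

    public static void Main()
    {
        byte[] encKey = RandomNumberGenerator.GetBytes(32), macKey = RandomNumberGenerator.GetBytes(32);
        byte[] payload = Encoding.UTF8.GetBytes("role=user;uid=42");   // constructed payload, 16 bytes

        // Same tampering in every case: flip the last byte of the block before the final ciphertext
        // block. In CBC that XORs straight into the final plaintext byte, i.e. the padding byte.
        byte[] tampered = Protect(encKey, macKey, payload);
        tampered[^(TagLen + 17)] ^= 0x01;
        byte[] tamperedIvOnlyMac = Protect(encKey, macKey, payload, wrongRegion: true);
        tamperedIvOnlyMac[^(TagLen + 17)] ^= 0x01;

        Console.WriteLine("correct:        " + Outcome(() => Unprotect(encKey, macKey, tampered)));
        Console.WriteLine("wrong region:   " + Outcome(() => UnprotectBroken(encKey, macKey, tamperedIvOnlyMac, true, false, false)));
        Console.WriteLine("hash discarded: " + Outcome(() => UnprotectBroken(encKey, macKey, tampered, false, true, false)));
        Console.WriteLine("path skipped:   " + Outcome(() => UnprotectBroken(encKey, macKey, tampered, false, false, true)));
    }
}
```

The correct path reports only a MAC mismatch for the tampered blob. Every broken path lets the same blob reach the cipher and reports a padding error instead, and that difference in responses, observable over the network, is the oracle an attacker drives byte by byte.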
Plausible Attack Scenarios
| Attack | Impact |
|---|---|
| Forged authentication cookie | Decrypt an existing cookie and impersonate any user |
| Anti-forgery (CSRF) token generation | Bypass form-submission protection and execute unauthorized actions |
| Privilege escalation | Mint a token carrying an administrator role and act with that role inside the application |
| Forged API keys / password reset tokens | Issue arbitrary long-lived tokens at the attacker’s discretion |
Affected Versions
| Component | Vulnerable | Fixed | Notes |
|---|---|---|---|
| Microsoft.AspNetCore.DataProtection | 10.0.0 – 10.0.6 | 10.0.7 and later | Defect lives in the managed authenticated encryptor, the default on non-Windows hosts |
| .NET 8.0.x | Not affected | — | Vulnerable code path absent |
| .NET 9.0.x | Not affected | — | Vulnerable code path absent |
The regression was introduced in the early development phase of .NET 10.0 and is not present in the .NET 8.x or 9.x servicing branches.
By default, therefore, the at-risk targets are applications running .NET 10.0 on non-Windows hosts such as Linux, where the Data Protection stack selects the managed authenticated encryptor. On Windows the stack defaults to the CNG-based encryptors, a configuration that does not hit this regression. The exception is a Windows deployment that has been explicitly switched to the managed encryptor (UseCustomCryptographicAlgorithms with a ManagedAuthenticatedEncryptorConfiguration); treat such a deployment as affected when assessing exposure.
Patch and Remediation
| Item | Details |
|---|---|
| Fixed version | Microsoft.AspNetCore.DataProtection 10.0.7 or later |
| Release type | Out-of-band (emergency security update) |
| Released on | April 21, 2026 |
Applying the Update
# Update via dotnet CLI (adding a reference at the fixed version also upgrades an existing one)
dotnet add package Microsoft.AspNetCore.DataProtection --version 10.0.7
# From the Visual Studio Package Manager Console
Update-Package Microsoft.AspNetCore.DataProtection -Version 10.0.7
Most ASP.NET Core applications do not reference this package directly; it arrives through the Microsoft.AspNetCore.App shared framework. For those applications the NuGet commands above change nothing, and the fix comes from updating the ASP.NET Core runtime on the host (framework-dependent deployments) or updating the SDK and republishing (self-contained deployments).
Verifying the Fix
dotnet list package --include-transitive | grep DataProtection
# Confirm that Microsoft.AspNetCore.DataProtection resolves to 10.0.7 or later
For framework-dependent applications that do not reference the package directly, the list above will not show it; check the installed Microsoft.AspNetCore.App runtime instead with dotnet --list-runtimes and confirm the host runs a 10.0 runtime at least as new as the fixed package (10.0.7). Swapping the package alone leaves the old code resident in any process that wasn't restarted, so redeploy and restart the entire application after updating.
What to Check in Production
Validity of Existing Tokens
The patch stops new forgeries and closes the oracle, but it invalidates nothing that was issued before it: a genuine cookie or token that an attacker decrypted or captured during the vulnerable window remains valid until its own expiration, and the keys in the key ring are unchanged.
Treat session cookies, API keys, and persistent tokens issued in that period as suspect and reissue them.
Rotating the Data Protection Keys
| Step | Action |
|---|---|
| Audit | Enumerate long-lived tokens issued through April 21, 2026 |
| Regenerate keys | Create new Data Protection keys and mark the pre-patch keys revoked |
| Invalidate existing tokens | A revoked key fails Unprotect for every payload it protected, so cookies, anti-forgery tokens and reset links protected with the old keys are rejected and users must re-authenticate |
| Tighten lifetimes | Consider shortening session lifetimes (for example, to 24 hours or less) |
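The table's four steps in code, as an added example for a cookie-authenticated ASP.NET Core app; this is not code from the advisory or from Microsoft. It assumes the app registers its key ring through the standard AddDataProtection() call, and patchDeployedUtc and the application name "example-app" are placeholders to replace with your own values.

```csharp
using System;
using System.Linq;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

var builder = WebApplication.CreateBuilder(args);

// Assumed cut-over: the moment the 10.0.7 build went live. Placeholder value, set it to yours.
var patchDeployedUtc = new DateTimeOffset(2026, 4, 21, 0, 0, 0, TimeSpan.Zero);

builder.Services.AddDataProtection()
    .SetApplicationName("example-app")              // assumed name; must match on every instance
    .SetDefaultKeyLifetime(TimeSpan.FromDays(14));  // rotate more often than the default 90 days

builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        // "Tighten lifetimes": 24 h absolute lifetime, no sliding renewal.
        options.ExpireTimeSpan = TimeSpan.FromHours(24);
        options.SlidingExpiration = false;

        // Belt and braces: a ticket issued during the vulnerable window is rejected even if it
        // still unprotects (for example because the key revocation below has not run yet).
        options.Events.OnValidatePrincipal = async ctx =>
        {
            if (ctx.Properties.IssuedUtc is null || ctx.Properties.IssuedUtc < patchDeployedUtc)
            {
                ctx.RejectPrincipal();
                await ctx.HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
            }
        };
    });

var app = builder.Build();

// "Audit", "regenerate keys" and "invalidate existing tokens", as a one-off at startup. Revoking a
// key makes Unprotect fail for every cookie, anti-forgery token or reset link protected with it,
// so every holder of a pre-patch token has to re-authenticate. The guard makes restarts harmless:
// it only acts while a live key from before the cut-over still exists.
using (var scope = app.Services.CreateScope())
{
    var keyManager = scope.ServiceProvider.GetRequiredService<IKeyManager>();
    var log = scope.ServiceProvider.GetRequiredService<ILogger<Program>>();

    var keys = keyManager.GetAllKeys();
    foreach (var key in keys)
        log.LogInformation("key {KeyId} created {Created:u} expires {Expires:u} revoked={Revoked}",
            key.KeyId, key.CreationDate, key.ExpirationDate, key.IsRevoked);

    if (keys.Any(k => !k.IsRevoked && k.CreationDate < patchDeployedUtc))
    {
        keyManager.RevokeAllKeys(patchDeployedUtc, reason: "CVE-2026-40372 remediation");
        var fresh = keyManager.CreateNewKey(
            activationDate: DateTimeOffset.UtcNow,
            expirationDate: DateTimeOffset.UtcNow.AddDays(14));
        log.LogWarning("revoked all keys created before {Cutover:u}; new key {KeyId}", patchDeployedUtc, fresh.KeyId);
    }
}

app.UseAuthentication();
app.MapGet("/", () => "ok");
app.Run();
```

In a multi-instance deployment run the one-off block from a single instance against the shared key ring, then remove it; the OnValidatePrincipal check can stay until every pre-patch ticket has aged out. Expect a login storm when it runs, since every existing session is cut at once.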
Reviewing Security Logs
Look for traces of exploitation along these lines.
- Web server logs: unusual access to administrative paths from suspicious source IPs, in particular sessions that reached administrative pages without a preceding login
- Security event logs: abrupt elevations of user privileges, or administrative actions by accounts with no matching authentication event
- Authentication logs: bursts of rejected requests from a single client carrying many slightly different cookie or token values against one endpoint; a padding oracle attack needs up to 256 guesses per ciphertext byte, so a probe stands out as volume
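A detector for the third bullet over sample log lines, as an added example that is not from the advisory or from any Microsoft tooling. It assumes a constructed, whitespace-separated access-log export (time, client IP, method, path, status, auth-cookie value); the thresholds are assumptions to tune against normal traffic, and in production you would log a hash of the cookie rather than its value.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;

public sealed record AccessLogEntry(DateTimeOffset Time, string Ip, string Path, int Status, string Cookie);
public sealed record ProbeFinding(string Ip, string Path, int Requests, int DistinctCookies, double RejectRatio);

public static class PaddingOracleProbeDetector
{
    // A padding oracle needs up to 256 guesses per ciphertext byte, so a real probe looks like one
    // client replaying one endpoint with a steady churn of cookie values and mostly rejections.
    // Thresholds are assumptions for this example.
    public const int MinRequests = 30;
    public const int MinDistinctCookies = 20;
    public const double MinRejectRatio = 0.8;
    public static readonly TimeSpan Window = TimeSpan.FromMinutes(1);

    // Constructed export format: <ISO-8601 time> <client IP> <method> <path> <status> <cookie value or ->
    public static AccessLogEntry? Parse(string line)
    {
        string[] f = line.Split(' ', StringSplitOptions.RemoveEmptyEntries);
        if (f.Length != 6) return null;
        if (!DateTimeOffset.TryParse(f[0], CultureInfo.InvariantCulture, DateTimeStyles.AssumeUniversal, out var time)) return null;
        if (!int.TryParse(f[4], out int status)) return null;
        return new AccessLogEntry(time, f[1], f[3], status, f[5]);
    }

    // A rejected Data Protection payload surfaces as 400 (anti-forgery), 401/403 (cookie) or 500,
    // depending on where it is consumed; all of them count as rejections here.
    static bool IsRejection(int status) => status is 400 or 401 or 403 or 500;

    public static List<ProbeFinding> Scan(IEnumerable<string> lines)
    {
        var findings = new List<ProbeFinding>();
        var byTarget = lines.Select(Parse).OfType<AccessLogEntry>()
                            .OrderBy(e => e.Time)
                            .GroupBy(e => (e.Ip, e.Path));
        foreach (var target in byTarget)
        {
            var hits = target.ToList();
            int start = 0;
            for (int end = 0; end < hits.Count; end++)
            {
                while (hits[end].Time - hits[start].Time > Window) start++;   // slide the window forward
                int count = end - start + 1;
                if (count < MinRequests) continue;
                var window = hits.GetRange(start, count);
                int distinct = window.Select(e => e.Cookie).Distinct().Count();
                double rejectRatio = window.Count(e => IsRejection(e.Status)) / (double)count;
                if (distinct >= MinDistinctCookies && rejectRatio >= MinRejectRatio)
                {
                    findings.Add(new ProbeFinding(target.Key.Ip, target.Key.Path, count, distinct, rejectRatio));
                    break;   // one finding per client/path is enough to raise the alert
                }
            }
        }
        return findings;
    }

    public static void Main()
    {
        // Constructed sample: 203.0.113.7 replays /account with a fresh cookie every second and is
        // rejected every time; 198.51.100.5 is an ordinary user with one stable cookie.
        var t0 = new DateTimeOffset(2026, 4, 21, 10, 0, 0, TimeSpan.Zero);
        var lines = new List<string>();
        for (int i = 0; i < 40; i++)
            lines.Add($"{t0.AddSeconds(i):o} 203.0.113.7 GET /account {(i % 16 == 15 ? 500 : 401)} c{i:x4}");
        for (int i = 0; i < 5; i++)
            lines.Add($"{t0.AddSeconds(i * 7):o} 198.51.100.5 GET /account 200 user-session");

        foreach (var f in Scan(lines))
            Console.WriteLine($"{f.Ip} -> {f.Path}: {f.Requests} requests, {f.DistinctCookies} distinct cookies, {f.RejectRatio:P0} rejected");
    }
}
```

Against the constructed sample it flags the client that churns cookie values against /account and stays silent on the ordinary user. Keying on the cookie value (or its hash) is what separates a probe from a legitimate user retrying a stale session, which produces rejections but only one or two distinct values.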
Status and Disclosure
There are no reports of exploitation in the wild at this point. Given the CVSS 9.1 severity, however, public proof-of-concept code and weaponized exploits should be assumed to be only a matter of time.
The flaw was reported to Microsoft ahead of the patch release by an anonymous researcher whose name and affiliation are not part of the public record.