Microsoft releases emergency patches for critical ASP.NET Core bug

Microsoft has released out-of-band (OOB) security updates to address an elevation of privilege vulnerability in ASP.NET Core.
The flaw (tracked as CVE-2026-40372) was found in the cryptographic APIs of ASP.NET Core Data Protection. According to Microsoft, it could allow unauthorized attackers to gain SYSTEM privileges on affected devices by forging authentication cookies that pass Data Protection's integrity check.
Microsoft identified the bug after users reported that decryption was failing in their apps once they had installed the .NET 10.0.6 update released during this month's Patch Tuesday.
“A flaw in the Microsoft.AspNetCore.DataProtection 10.0.0-10.0.6 NuGet package causes the trusted encryptor to concatenate its HMAC authentication token over invalid bytes of the payload and discard the calculated hash in some cases,” Microsoft says in the .NET 10.0.7 release notes.
“In these cases, broken authentication can allow an attacker to create payloads that pass DataProtection’s authentication checks, and decrypt payloads previously protected by auth cookies, antiforgery tokens, TempData, OIDC status, etc.
“If an attacker used fake payloads to authenticate as a privileged user within the vulnerable window, they may have persuaded the application to issue legitimately signed tokens (refresh time, API key, password reset link, etc.) to them. Those tokens remain valid after upgrading to 10.0.7 unless the Data Rotation key is the key.”
As Microsoft also noted in Tuesday's security advisory, successful exploitation affects confidentiality and integrity (an attacker could read protected data and modify it) but not availability.
On Tuesday, senior program manager Rahul Bhandari urged all customers whose applications use ASP.NET Core Data Protection to update the Microsoft.AspNetCore.DataProtection package to 10.0.7 as soon as possible and redeploy their applications; the update restores the authentication check so that forged payloads are rejected. Because tokens an application legitimately issued to an attacker during the vulnerable window stay valid after the upgrade, operators should also review and rotate the Data Protection keys those tokens depend on.
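The release-note passage above describes a verifier that computes its HMAC but does not enforce it, and warns that tokens issued during the vulnerable window stay valid afterwards. The following is an added example, not code from Microsoft, .NET or this article, that models both points with a constructed encrypt-then-MAC scheme: `protect`/`unprotect` are named after Data Protection's Protect/Unprotect methods but use a toy HMAC-SHA256 counter-mode stream cipher in place of AES, the `DPEX` header and the cookie strings are invented, and `unprotect_broken` is a deliberately broken verifier that discards the calculated tag. The example goes beyond the article in one way: it also shows that a stream-cipher ciphertext is malleable once the MAC is ignored, and that a legitimately protected token stays valid under the old key until the application stops accepting that key.

```python
import hmac
import hashlib
import os
import struct

# Constructed payload layout for this example: header | 16-byte nonce | ciphertext | 32-byte HMAC tag.
HEADER = b"DPEX"  # hypothetical marker, not Data Protection's real header
NONCE_LEN = 16
TAG_LEN = 32


def _subkey(master_key: bytes, label: bytes) -> bytes:
    """Derive independent encryption and MAC keys from one master key."""
    return hmac.new(master_key, label, hashlib.sha256).digest()


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy HMAC-SHA256 counter-mode stream cipher standing in for AES.
    Like any CTR/stream mode it is malleable, which is why the MAC must be enforced."""
    out = bytearray()
    for block_no, off in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + struct.pack(">I", block_no), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def protect(master_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers header, nonce and ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    body = HEADER + nonce + _xor_keystream(_subkey(master_key, b"enc"), nonce, plaintext)
    tag = hmac.new(_subkey(master_key, b"mac"), body, hashlib.sha256).digest()
    return body + tag


def _split(payload: bytes):
    if len(payload) < len(HEADER) + NONCE_LEN + TAG_LEN or not payload.startswith(HEADER):
        raise ValueError("malformed payload")
    body = payload[:-TAG_LEN]
    nonce = body[len(HEADER):len(HEADER) + NONCE_LEN]
    return body, nonce, body[len(HEADER) + NONCE_LEN:], payload[-TAG_LEN:]


def unprotect(master_key: bytes, payload: bytes) -> bytes:
    """Correct verifier: recompute the tag over the whole body and compare in constant time
    before any decryption happens."""
    body, nonce, ciphertext, tag = _split(payload)
    expected = hmac.new(_subkey(master_key, b"mac"), body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed")
    return _xor_keystream(_subkey(master_key, b"enc"), nonce, ciphertext)


def unprotect_broken(master_key: bytes, payload: bytes) -> bytes:
    """Constructed broken verifier (not Microsoft's code): the tag is calculated and then
    discarded, so any tag is accepted and the ciphertext is decrypted unconditionally."""
    body, nonce, ciphertext, _tag = _split(payload)
    _discarded = hmac.new(_subkey(master_key, b"mac"), body, hashlib.sha256).digest()  # never compared: the bug
    return _xor_keystream(_subkey(master_key, b"enc"), nonce, ciphertext)


def forge(payload: bytes, known_plaintext: bytes, wanted_plaintext: bytes) -> bytes:
    """Attacker step: XOR the ciphertext with (known XOR wanted) to rewrite the plaintext
    without any key. Only the enforced MAC stands in the way of this."""
    assert len(known_plaintext) == len(wanted_plaintext)
    start = len(HEADER) + NONCE_LEN
    ct = bytearray(payload[start:-TAG_LEN])
    for i, (k, w) in enumerate(zip(known_plaintext, wanted_plaintext)):
        ct[i] ^= k ^ w
    return payload[:start] + bytes(ct) + payload[-TAG_LEN:]


def is_rejected(master_key: bytes, payload: bytes) -> bool:
    """True if the correct verifier refuses the payload under this key."""
    try:
        unprotect(master_key, payload)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    key_v1 = os.urandom(32)
    cookie = protect(key_v1, b"user=alice;role=user")            # constructed sample cookie
    forged = forge(cookie, b"user=alice;role=user", b"user=alice;role=root")
    print("patched verifier rejects forged cookie:", is_rejected(key_v1, forged))
    print("broken verifier accepts forged cookie:", unprotect_broken(key_v1, forged))
    # Token the app legitimately issued while the attacker was "root": still valid after the fix
    api_key = protect(key_v1, b"apikey=for-root-session")
    print("issued token valid after upgrade:", not is_rejected(key_v1, api_key))
    key_v2 = os.urandom(32)
    print("issued token rejected once old key no longer accepted:", is_rejected(key_v2, api_key))
```

The last two lines are the practitioner's caveat: patching fixes `unprotect`, but anything the application protected with the old key while an attacker was impersonating a privileged user verifies fine under that key, so the key itself has to be taken out of service.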
More information about affected platforms, packages, and app configurations can be found in the original announcement.
In October, Microsoft also patched an HTTP request smuggling bug (CVE-2025-55315) in the Kestrel web server that carried the highest severity rating ever assigned to an ASP.NET Core security flaw.
Successful exploitation of CVE-2025-55315 allows authenticated attackers to hijack other users' credentials, bypass security controls, or crash a server.
On Monday, Microsoft released a separate set of out-of-band updates to address issues affecting Windows Server systems after installation of the April 2026 security updates.
