Microsoft Releases Emergency Patches for Critical ASP.NET Core Privilege Escalation Flaw
Microsoft issued out-of-band security updates to patch a critical ASP.NET Core Data Protection vulnerability (CVE-2026-40372) that could allow attackers to forge authentication cookies and escalate to SYSTEM privileges. The flaw stems from a regression in DataProtection packages 10.0.0–10.0.6, where the HMAC validation used the wrong bytes, enabling forged payloads to bypass authenticity checks and decrypt prior payloads in auth cookies, antiforgery tokens, TempData, and OIDC state. If exploited, attackers could impersonate a privileged user and cause the app to issue legitimately signed tokens to themselves; those tokens remain valid after upgrading unless the DataProtection key ring is rotated. Microsoft urges updating Microsoft.AspNetCore.DataProtection to 10.0.7 and redeploying to reject forged payloads, and to rotate the key ring to invalidate any minted tokens. The advisory notes the vulnerability can also enable file disclosure and data modification, without impacting system availability. Related context includes earlier CVE-2025-55315 and other Windows Server updates released in April 2026.

Executive Summary
- Microsoft released out-of-band security updates to fix a critical privilege-escalation flaw in ASP.NET Core’s Data Protection APIs.
- The vulnerability, tracked as CVE-2026-40372, could let unauthenticated attackers forge authentication cookies and obtain SYSTEM-level privileges on affected systems.
- The issue traces back to a regression in the DataProtection component that affected how the HMAC tag was computed for payloads, allowing potential payload forgery and unauthorized decryption.
- A patched version, ASP.NET Core DataProtection 10.0.7, was issued to correct the validation routine and reject forged payloads during authentication.
Technical Background
- A regression in the Microsoft.AspNetCore.DataProtection 10.0.0 through 10.0.6 packages caused the managed authenticated encryptor to compute its HMAC validation tag over the wrong bytes of the payload.
- In certain conditions, the incorrect tag could be discarded, enabling attackers to forge payloads that pass DataProtection’s authenticity checks.
- Forged payloads could be used to decrypt previously protected data in cookies, antiforgery tokens, TempData, OIDC state, and other protected items.
- If an attacker exploited the window before the upgrade, they could cause the application to issue legitimately signed tokens (session refresh tokens, API keys, password reset links, etc.) that would remain valid after upgrading unless keys were rotated.
Impact Scope and Affected Scenarios
- Affected components: ASP.NET Core Data Protection APIs and related NuGet packages in the 10.0.x series (notably 10.0.0–10.0.6).
- Potential impact: unauthorized access, data exposure, and the ability to decrypt tokens or cookies whose integrity previously relied on Data Protection.
- Observable symptoms: failures in decryption after certain updates, and the appearance of forged or unexpectedly valid tokens if forged payloads were accepted prior to patch deployment.
The Patch and Release Details
- Patch designation: DataProtection package updated to version 10.0.7 as part of the out-of-band fixes.
- Release notes indicate a correction to the HMAC validation process, preventing forged payloads from bypassing authenticity checks.
- Redeployment guidance (as noted by Microsoft): upgrade to 10.0.7 and redeploy to ensure forged payloads are rejected automatically.
- A key-rotation caveat: even after upgrading, tokens issued while the regression existed may remain valid unless the DataProtection key ring is rotated, highlighting the importance of key management following patching.
Related Security Advisories and Context
- In addition to the ASP.NET Core issue, a separate advisory described an HTTP request smuggling vulnerability in the Kestrel web server (CVE-2025-55315) with a high severity rating, capable of credential hijacking or service disruption.
- Microsoft also issued out-of-band updates for Windows Server systems after the April 2026 security updates, addressing issues that arose from those patches.
- The broader security landscape at the time included other disclosures and ongoing efforts to mitigate multiple zero-days and bypass vectors across Microsoft technologies.
Timeline of Key Events
- Initial discovery: Reports indicated decryption failures in applications following the .NET 10.0.6 update, triggering a closer look at the Data Protection internals.
- Advisory release: Microsoft published a security advisory detailing the vulnerability, its impact, and recommended mitigations.
- Patch release: An out-of-band update to the ASP.NET Core Data Protection package was issued, upgrading to version 10.0.7 to fix the flawed validation path.
- Post-patch considerations: Administrators were cautioned that tokens issued before key rotations could still be valid, underscoring the need for DataProtection key-rotation practices after patching.
- Related fixes: Additional mitigations were rolled out for other ASP.NET Core and Windows Server issues in parallel with the broader security patch cycle.
Practical Implications for Affected Environments
- Systems relying on ASP.NET Core Data Protection for authentication and token handling should track patch availability and plan for a version upgrade to 10.0.7 or later.
- After upgrading, organizations should rotate the DataProtection key ring to invalidate any tokens that may have been issued while forged payloads were accepted.
- Applications using cookies, antiforgery tokens, TempData, or OpenID Connect state data should be evaluated for potential exposure risks during the vulnerable window and remediated through patch application and key management.
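The patch details and practical implications above come down to one operator check: is any project still on a DataProtection package in the 10.0.0–10.0.6 range? The following Python audit helper is an added example, not code from Microsoft or the advisory; it reads the `PackageReference` entries of a `.csproj` and the resolved versions in a `packages.lock.json`, flags the affected range, and uses constructed sample files (one stale, one patched). The package name, range and fixed version are taken from the summary above; the file formats are standard NuGet/MSBuild, and the sample contents are assumptions.

```python
import json
import re
import xml.etree.ElementTree as ET

# Affected range and fixed version as given in the advisory summary above.
PACKAGE = "Microsoft.AspNetCore.DataProtection"
AFFECTED_MIN, AFFECTED_MAX = (10, 0, 0), (10, 0, 6)
FIXED = "10.0.7"


def parse_version(text):
    """Turn 'major.minor.patch' (pre-release suffix ignored) into a tuple, or None."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text or "")
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(version_text):
    """True when the version lies in the regressed 10.0.0-10.0.6 range."""
    v = parse_version(version_text)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX


def versions_in_csproj(xml_text):
    """Versions of PACKAGE declared by <PackageReference> elements in a .csproj."""
    root = ET.fromstring(xml_text)
    out = []
    for ref in root.iter("PackageReference"):
        if ref.get("Include") == PACKAGE:
            out.append(ref.get("Version") or ref.findtext("Version") or "")
    return out


def versions_in_lock(json_text):
    """Resolved versions of PACKAGE (direct or transitive) in a packages.lock.json."""
    data = json.loads(json_text)
    out = []
    for framework_deps in data.get("dependencies", {}).values():
        entry = framework_deps.get(PACKAGE)
        if entry:
            out.append(entry.get("resolved", ""))
    return out


def audit(versions):
    """Map each version to 'vulnerable' (upgrade to FIXED, then rotate keys) or 'ok'."""
    return {v: ("vulnerable" if is_vulnerable(v) else "ok") for v in versions}


# Constructed sample inputs (not from the page): one stale project, one already patched.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web"><ItemGroup>
  <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="10.0.5" />
</ItemGroup></Project>"""
SAMPLE_LOCK = json.dumps({"version": 1, "dependencies": {"net10.0": {
    PACKAGE: {"type": "Direct", "requested": "[10.0.7, )", "resolved": "10.0.7"}}}})
```

A "vulnerable" result means upgrade to 10.0.7 and redeploy, and then rotate the key ring as the advisory directs, since the version check alone says nothing about tokens minted during the exposure window.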
Additional Notes and Observations
- The vulnerability demonstrates how subtle changes in cryptographic tag computation can have far-reaching effects on authentication and data confidentiality.
- The combination of forged payloads with existing tokens could lead to scenarios where attackers gain access as an authorized user without directly compromising credentials, highlighting the importance of timely patching and diligent key lifecycle management.
- Industry conversations at the time emphasized the importance of rapid response to out-of-band fixes and the need for robust monitoring to detect anomalous token usage following patch deployments.
Summary of Key Takeaways
- A critical ASP.NET Core Data Protection flaw (CVE-2026-40372) allowed potential privilege escalation through forged authentication payloads due to a regression in HMAC validation.
- The official fix is the 10.0.7 release of the DataProtection package, accompanied by guidance to rotate keys to mitigate any pre-patch token validity.
- Additional related advisories, including Kestrel HTTP request smuggling (CVE-2025-55315) and Windows Server patch considerations, formed part of the broader security response in this period.