Microsoft has released out-of-band updates for CVE-2026-40372, a high-impact ASP.NET Core privilege-escalation vulnerability tied to the platform’s Data Protection cryptographic APIs. Public reporting says the flaw carries a CVSS score of 9.1 and could allow an unauthenticated attacker to forge authentication material and ultimately obtain SYSTEM privileges on affected systems.
The issue stands out not only because of its severity, but also because it was serious enough to trigger an emergency release outside the normal patch cycle. BleepingComputer reports Microsoft investigated after customers saw decryption failures following the .NET 10.0.6 update, while The Hacker News notes the bug was reported by an anonymous researcher and fixed in ASP.NET Core 10.0.7.
CVE-2026-40372 Analysis
According to Microsoft details cited by both publications, CVE-2026-40372 stems from improper verification of a cryptographic signature in ASP.NET Core. More specifically, the affected Microsoft.AspNetCore.DataProtection 10.0.0–10.0.6 NuGet packages could compute the HMAC validation tag over the wrong bytes of the payload and then discard the computed hash in some cases. That breaks the trust model behind protected application data and opens the door to forged payloads that pass authenticity checks.
The attack surface is narrower than a generic “all ASP.NET Core apps are vulnerable” headline might suggest. The Hacker News says successful exploitation depends on three conditions: the application must use Microsoft.AspNetCore.DataProtection 10.0.6 from NuGet, either directly or through a dependent package; that NuGet copy, rather than the copy of the same assembly that ships inside the Microsoft.AspNetCore.App shared framework, must actually be the one loaded at runtime; and the application must run on Linux, macOS, or another non-Windows operating system. The second condition is why a package reference in a project file alone does not settle exposure: what matters is which copy of the assembly the process resolves.
If those conditions are met, the impact can be severe. The affected validation routine may let an attacker forge payloads and decrypt previously protected values stored in items such as authentication cookies, antiforgery tokens, TempData, and OpenID Connect state. Microsoft also says exploitation could enable file disclosure and data modification, although it does not affect availability.
The most dangerous enterprise scenario is privilege escalation through trust abuse rather than noisy code execution. If an attacker uses a forged cookie to authenticate as a privileged user during the vulnerable window, the application may then issue legitimately signed follow-on artifacts to the attacker, including refreshed sessions, API keys, or password-reset links. Those artifacts carry valid tags under the unchanged key ring, so they remain valid even after the package is upgraded unless defenders also rotate the Data Protection key ring.
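The following is an added example written for this article, not ASP.NET Core's Data Protection code. It models the defect class described above (an HMAC tag computed over the wrong bytes and then discarded) next to a correct verifier, and then walks the scenario from the previous paragraph: a forged cookie accepted in the vulnerable window, a legitimately signed follow-on session that survives the package upgrade, and the key-ring rotation that finally invalidates it. Payloads are signed rather than encrypted because the reported bug is in tag validation, and the KeyRing class, token layout and function names are simplified stand-ins, not the real API.

```python
"""Illustrative model of the CVE-2026-40372 defect class and of why the key
ring must be rotated after patching. Added example for this article, not
ASP.NET Core code; payloads are signed, not encrypted, and the key ring,
protect/unprotect functions and token layout are simplified stand-ins."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

KEY_ID_LEN = 16   # token layout: key_id || payload || tag
TAG_LEN = 32      # HMAC-SHA256


@dataclass
class KeyRing:
    """Toy analogue of the Data Protection key ring (hypothetical API names)."""
    keys: dict = field(default_factory=dict)    # key id -> 32-byte HMAC key
    revoked: set = field(default_factory=set)
    default_key_id: bytes = b""

    def create_new_key(self) -> bytes:
        key_id = os.urandom(KEY_ID_LEN)
        self.keys[key_id] = os.urandom(32)
        self.default_key_id = key_id
        return key_id

    def revoke_all_keys(self) -> None:
        # Rotation: every existing key becomes unusable for unprotect, so
        # anything signed under it is rejected from now on.
        self.revoked.update(self.keys)


def _tag(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _split(token: bytes):
    if len(token) < KEY_ID_LEN + TAG_LEN:
        raise ValueError("token too short")
    return token[:KEY_ID_LEN], token[:-TAG_LEN], token[-TAG_LEN:]


def protect(ring: KeyRing, payload: bytes) -> bytes:
    """Sign payload under the default key; the key id travels in cleartext."""
    body = ring.default_key_id + payload
    return body + _tag(ring.keys[ring.default_key_id], body)


def unprotect_fixed(ring: KeyRing, token: bytes) -> bytes:
    """Correct validation: tag over header+payload, constant-time compare,
    and the comparison result decides the outcome."""
    key_id, body, tag = _split(token)
    if key_id not in ring.keys or key_id in ring.revoked:
        raise ValueError("unknown or revoked key")
    if not hmac.compare_digest(_tag(ring.keys[key_id], body), tag):
        raise ValueError("authentication tag mismatch")
    return body[KEY_ID_LEN:]


def unprotect_vulnerable(ring: KeyRing, token: bytes) -> bytes:
    """Model of the two reported defects: the tag is computed over the wrong
    bytes (here the tag field itself) and the result is discarded, so any
    payload naming a known key id is accepted."""
    key_id, body, tag = _split(token)
    if key_id not in ring.keys:
        raise ValueError("unknown key")
    computed = _tag(ring.keys[key_id], tag)   # wrong input bytes
    hmac.compare_digest(computed, tag)        # result thrown away
    return body[KEY_ID_LEN:]


def forge(legit_token: bytes, new_payload: bytes) -> bytes:
    """Attacker: keep the cleartext key id and old tag, swap the payload."""
    key_id, _, tag = _split(legit_token)
    return key_id + new_payload + tag


def accepts(unprotect, ring: KeyRing, token: bytes) -> bool:
    try:
        unprotect(ring, token)
        return True
    except ValueError:
        return False


def incident_timeline() -> dict:
    """Forgery in the vulnerable window, a legitimately signed follow-on
    artifact, the package upgrade, then key-ring rotation."""
    ring = KeyRing()
    ring.create_new_key()
    cookie = protect(ring, b"user=alice;role=user")     # constructed sample
    forged = forge(cookie, b"user=alice;role=admin")
    results = {
        "forged_passes_vulnerable": accepts(unprotect_vulnerable, ring, forged),
        "forged_passes_fixed": accepts(unprotect_fixed, ring, forged),
    }
    # The vulnerable app trusts the forgery and issues a genuine admin session.
    follow_on = protect(ring, unprotect_vulnerable(ring, forged))
    results["follow_on_survives_upgrade"] = accepts(unprotect_fixed, ring, follow_on)
    ring.revoke_all_keys()
    ring.create_new_key()
    results["follow_on_survives_rotation"] = accepts(unprotect_fixed, ring, follow_on)
    results["fresh_token_valid_after_rotation"] = accepts(
        unprotect_fixed, ring, protect(ring, b"user=alice;role=user"))
    return results


if __name__ == "__main__":
    for name, value in incident_timeline().items():
        print(f"{name}: {value}")
```

The point to take from the timeline is the third result: the follow-on session was signed correctly by the application itself, so the fixed verifier has no reason to reject it. Only revoking the keys it was signed under, which is what rotating the key ring does, closes that exposure.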
CVE-2026-40372 Mitigation
The primary fix is straightforward: update Microsoft.AspNetCore.DataProtection to version 10.0.7 and redeploy affected applications. Microsoft’s guidance, as quoted by BleepingComputer, is to apply the new package as soon as possible so the broken validation routine is corrected and forged payloads are rejected going forward.
That said, patching alone may not fully close the exposure. Both reports note that tokens issued during the vulnerable period can remain valid after upgrading unless the Data Protection key ring is rotated. In practice, organizations should treat key rotation as part of the remediation workflow, especially for internet-facing apps that rely heavily on cookies, antiforgery tokens, password-reset flows, or other signed application state. That last prioritization is an operational inference based on the affected token types and exploit preconditions.
A practical response plan is to identify non-Windows ASP.NET Core applications that loaded the vulnerable NuGet package at runtime, patch them to 10.0.7, rotate the Data Protection key ring, and review whether privileged sessions or other signed artifacts may have been issued while the application was exposed. Where feasible, teams should also consider expiring or reissuing sensitive session material after remediation. The package-and-runtime triage criteria come directly from Microsoft’s published conditions; the token review and reissuance step is a reasonable defensive inference from Microsoft’s warning that legitimately signed tokens may survive the upgrade.
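As an added example for the triage step above (not a Microsoft tool), the script below implements the package-and-OS preconditions as a static scan of published .NET applications' `*.deps.json` files. A `libraries` entry of type `package` for Microsoft.AspNetCore.DataProtection means the build resolved the NuGet copy rather than relying solely on the Microsoft.AspNetCore.App shared framework, which makes it a reasonable static proxy for the "NuGet copy loaded at runtime" condition; the deps.json documents embedded here are constructed, and the version range (10.0.0 through 10.0.6 affected, 10.0.7 fixed) follows the article.

```python
"""Static triage for the CVE-2026-40372 preconditions: scan published .NET
apps' *.deps.json files for the affected Microsoft.AspNetCore.DataProtection
NuGet package. Added example for this article, not a Microsoft tool; the
sample deps.json documents are constructed and the version range follows
the article (10.0.0-10.0.6 affected, 10.0.7 fixed)."""
import json
import platform
from pathlib import Path

PACKAGE = "Microsoft.AspNetCore.DataProtection"
FIRST_AFFECTED = (10, 0, 0)
FIXED = (10, 0, 7)


def parse_version(text: str) -> tuple:
    """'10.0.6' -> (10, 0, 6); a prerelease suffix after '-' is ignored."""
    return tuple(int(p) for p in text.split("-")[0].split("."))


def affected_versions(deps_text: str) -> list:
    """Versions of the package that deps.json resolved as a NuGet 'package'.
    Direct and transitive references both appear under 'libraries'; a copy
    supplied only by the shared framework is not listed there at all."""
    deps = json.loads(deps_text)
    hits = []
    for name, lib in deps.get("libraries", {}).items():
        pkg, _, version = name.partition("/")
        if pkg.lower() != PACKAGE.lower() or lib.get("type") != "package":
            continue
        if FIRST_AFFECTED <= parse_version(version) < FIXED:
            hits.append(version)
    return hits


def triage(deps_text: str, os_name: str = platform.system()) -> dict:
    """Combine the package check with the OS precondition from the reports:
    Windows hosts are reported as unaffected even with the package present."""
    versions = affected_versions(deps_text)
    return {
        "affected_versions": versions,
        "non_windows": os_name != "Windows",
        "exposed": bool(versions) and os_name != "Windows",
    }


def scan_tree(root: Path, os_name: str = platform.system()) -> dict:
    """Map every *.deps.json under a deployment root to its triage result."""
    return {str(p): triage(p.read_text(encoding="utf-8"), os_name)
            for p in root.rglob("*.deps.json")}


# Constructed sample: a dependency (direct or transitive) pulled in the
# affected NuGet package.
SAMPLE_VULNERABLE = json.dumps({
    "runtimeTarget": {"name": ".NETCoreApp,Version=v10.0"},
    "libraries": {
        "WebApp/1.0.0": {"type": "project", "serviceable": False, "sha512": ""},
        "Microsoft.AspNetCore.DataProtection/10.0.6": {
            "type": "package", "serviceable": True,
            "sha512": "sha512-constructed",
            "path": "microsoft.aspnetcore.dataprotection/10.0.6"},
    },
})

# Constructed sample: the same app after moving to the fixed package.
SAMPLE_PATCHED = SAMPLE_VULNERABLE.replace("10.0.6", "10.0.7")

# Constructed sample: app that relies solely on the shared-framework copy.
SAMPLE_FRAMEWORK_ONLY = json.dumps({
    "runtimeTarget": {"name": ".NETCoreApp,Version=v10.0"},
    "libraries": {
        "WebApp/1.0.0": {"type": "project", "serviceable": False, "sha512": ""},
    },
})

if __name__ == "__main__":
    for label, doc in [("vulnerable", SAMPLE_VULNERABLE),
                       ("patched", SAMPLE_PATCHED),
                       ("framework-only", SAMPLE_FRAMEWORK_ONLY)]:
        print(label, triage(doc, os_name="Linux"))
```

Treat a hit as a prioritisation signal, not proof: deps.json records build-time resolution, so where it is feasible, confirm on the running host which Microsoft.AspNetCore.DataProtection assembly the process actually loaded before closing a finding. Point `scan_tree` at the deployment roots of your non-Windows hosts to produce the candidate list the response plan calls for.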
Additionally, by leveraging SOC Prime’s AI-Native Detection Intelligence Platform backed by top cyber defense expertise, global organizations can adopt a resilient security posture and transform their SOC to always stay ahead of emerging threats tied to zero-day exploitation.
FAQ
What is CVE-2026-40372 and how does it work?
CVE-2026-40372 is an ASP.NET Core privilege-escalation flaw in the Data Protection cryptographic APIs. The affected packages can validate the wrong bytes and discard the computed HMAC in some cases, which can let attackers forge protected payloads and abuse application trust mechanisms such as authentication cookies and other signed state.
When was CVE-2026-40372 first discovered?
The precise private discovery date is not stated in the two reports. What is public is that Microsoft released out-of-band fixes on April 22, 2026, and BleepingComputer says Microsoft began investigating after customers reported decryption failures following the .NET 10.0.6 update. The Hacker News also says an anonymous researcher was credited with reporting the flaw.
What is the impact of CVE-2026-40372 on systems?
Successful exploitation can allow forged payloads, disclosure of protected data, file disclosure, data modification, and privilege escalation up to SYSTEM on affected systems. The reports also note that availability is not impacted.
Can CVE-2026-40372 still affect me in 2026?
Yes. Systems may still be exposed in 2026 if they continue to run the vulnerable Data Protection package under the affected conditions, especially on Linux, macOS, or other non-Windows hosts. Even after patching, artifacts issued during the vulnerable window may remain valid until the Data Protection key ring is rotated.
How can I protect myself from CVE-2026-40372?
Update Microsoft.AspNetCore.DataProtection to 10.0.7, redeploy affected applications, rotate the Data Protection key ring, and review whether sensitive signed artifacts such as authentication cookies, refresh sessions, API keys, or reset links should be invalidated or reissued. The package update and key-ring rotation are directly supported by Microsoft’s guidance; invalidation and reissuance are prudent follow-on actions based on the risk Microsoft described.