
ASP.NET Core Privilege Escalation Vulnerability (CVE-2026-40372)



James Drew

Senior Security Consultant

Microsoft has released an emergency out-of-band update for .NET to address a critical security vulnerability affecting ASP.NET Core applications. The issue, tracked as CVE-2026-40372, relates to improper verification of cryptographic signatures within the ASP.NET Core Data Protection framework. The vulnerability was introduced as a regression in earlier .NET 10 releases and has prompted the release of .NET 10.0.7 to mitigate the risk. This flaw impacts applications that rely on ASP.NET Core Data Protection for securing authentication cookies, antiforgery tokens, and other sensitive state data, particularly on non-Windows platforms. According to the National Vulnerability Database, the issue carries a CVSS v3.1 base score of 9.1, reflecting its high impact and network-exploitable nature.

ASP.NET Core vulnerability technical details

CVE-2026-40372 arises from a flaw in the Microsoft.AspNetCore.DataProtection library, which provides authenticated encryption services to ASP.NET Core applications. In affected versions, a regression caused the managed authenticated encryptor to compute the HMAC validation tag over incorrect portions of the payload and, in some cases, to discard the computed hash entirely. This behaviour breaks the integrity guarantees normally provided by the Data Protection API, allowing forged payloads to pass authenticity checks. The vulnerability is categorised as CWE-347, Improper Verification of Cryptographic Signature, and affects applications that load the vulnerable NuGet package at runtime. Exploitation is possible over the network without authentication, provided the application uses the affected library configuration. Microsoft has confirmed that the issue primarily affects deployments running on Linux, macOS, or other non-Windows operating systems, as well as certain cross-target-framework scenarios.
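To make the broken guarantee concrete, the following is an added example (not code from the post or from the ASP.NET Core Data Protection library) of what an encrypt-then-MAC "protector" has to do for its integrity check to mean anything: the tag must cover the whole trusted payload (header, IV and ciphertext), it must be compared in constant time, and verification must happen before any decryption. The `tamper_check` function is the kind of regression test that would catch a tag computed over the wrong bytes or dropped altogether. The header bytes are constructed and the XOR keystream built from HMAC-SHA256 is a stand-in for AES, which the Python standard library does not provide; the wire format is illustrative and is not the real Data Protection format.

```python
import hmac
import hashlib
import os
from typing import Optional, Tuple

# Constructed header; not the real Data Protection payload header.
MAGIC = b"\x09\xf0\xc9\xf0"
IV_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output length


def derive_keys(master_key: bytes) -> Tuple[bytes, bytes]:
    """Split one master key into independent encryption and MAC subkeys."""
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, iv: bytes, length: int) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode), standing in for AES."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def protect(master_key: bytes, plaintext: bytes, iv: Optional[bytes] = None) -> bytes:
    """Encrypt-then-MAC: header || iv || ciphertext || tag."""
    enc_key, mac_key = derive_keys(master_key)
    iv = iv if iv is not None else os.urandom(IV_LEN)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, iv, len(plaintext))))
    # The tag must cover everything the verifier will later trust: header, IV and ciphertext.
    body = MAGIC + iv + ciphertext
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return body + tag


def unprotect(master_key: bytes, protected: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the payload fails authentication."""
    if len(protected) < len(MAGIC) + IV_LEN + TAG_LEN:
        return None
    enc_key, mac_key = derive_keys(master_key)
    body, tag = protected[:-TAG_LEN], protected[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    # Constant-time comparison, performed before anything is decrypted.
    if not hmac.compare_digest(expected, tag):
        return None
    if body[: len(MAGIC)] != MAGIC:
        return None
    iv = body[len(MAGIC): len(MAGIC) + IV_LEN]
    ciphertext = body[len(MAGIC) + IV_LEN:]
    return bytes(a ^ b for a, b in zip(ciphertext, keystream(enc_key, iv, len(ciphertext))))


def tamper_check(master_key: bytes, plaintext: bytes) -> bool:
    """Regression-style self-test: the untouched payload must round-trip and every
    single-byte modification anywhere in it (header, IV, ciphertext or tag) must be rejected."""
    protected = protect(master_key, plaintext)
    if unprotect(master_key, protected) != plaintext:
        return False
    for i in range(len(protected)):
        flipped = bytearray(protected)
        flipped[i] ^= 0x01
        if unprotect(master_key, bytes(flipped)) is not None:
            return False
    return True


if __name__ == "__main__":
    demo_key = os.urandom(32)
    print("integrity check covers the whole payload:", tamper_check(demo_key, b"user=alice;role=admin"))
```

A tag computed over only part of the body would let some of the flips in `tamper_check` through, and a discarded tag would let all of them through; either way the self-test returns False, which is the behaviour a test suite should pin down for any authenticated encryptor it ships.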

Affected products and versions include:

  • Microsoft.AspNetCore.DataProtection versions 10.0.0 through 10.0.6
  • ASP.NET Core applications targeting .NET 10 that load the vulnerable Data Protection NuGet package
  • Applications running on Linux, macOS, or non-Windows platforms, or consuming net462 or netstandard2.0 assets
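Because the exposure is decided by which package version is actually restored, not only by what a project file pins directly, an inventory check should look at the resolved package graph as well as at direct references. The following is an added example (not tooling from the post or from Microsoft) that classifies a version string against the 10.0.0 to 10.0.6 range above and scans both a `.csproj` / `Directory.Packages.props` fragment and a `project.assets.json` document for `Microsoft.AspNetCore.DataProtection`. The two sample documents are constructed; prerelease suffixes are ignored and the lower bound of a NuGet version range is used, both of which are conservative assumptions of this example.

```python
import json
import re
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

PACKAGE = "Microsoft.AspNetCore.DataProtection"
FIRST_AFFECTED = (10, 0, 0)  # range as stated in the advisory
LAST_AFFECTED = (10, 0, 6)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Reduce a NuGet version (or the lower bound of a range such as "[10.0.0,10.1)")
    to (major, minor, patch). Prerelease suffixes are ignored on purpose."""
    m = re.match(r"^[\[(]?\s*(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_affected(version: str) -> bool:
    return FIRST_AFFECTED <= parse_version(version) <= LAST_AFFECTED


def scan_csproj(xml_text: str) -> List[Tuple[str, Optional[bool]]]:
    """Direct references in a project file. An unpinned reference (central package
    management) is reported with affected=None so it is not silently skipped."""
    findings: List[Tuple[str, Optional[bool]]] = []
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop any MSBuild namespace
        if tag not in ("PackageReference", "PackageVersion") or elem.get("Include") != PACKAGE:
            continue
        version = elem.get("Version")
        if version is None:
            child = elem.find("Version")
            version = child.text if child is not None else None
        if version is None:
            findings.append(("unpinned", None))
        else:
            findings.append((version, is_affected(version)))
    return findings


def scan_assets(assets_json: str) -> List[Tuple[str, bool]]:
    """Resolved (direct or transitive) version from project.assets.json; this is the
    version that ends up loaded at runtime."""
    data = json.loads(assets_json)
    findings = []
    for key in data.get("libraries", {}):
        name, _, version = key.partition("/")
        if name.lower() == PACKAGE.lower():
            findings.append((version, is_affected(version)))
    return findings


# Constructed sample inputs for demonstration.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <PropertyGroup><TargetFramework>net10.0</TargetFramework></PropertyGroup>
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="10.0.3" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""

SAMPLE_ASSETS = json.dumps({"version": 3, "libraries": {
    "Microsoft.AspNetCore.DataProtection/10.0.7": {"type": "package"},
    "Newtonsoft.Json/13.0.3": {"type": "package"},
}})

if __name__ == "__main__":
    print("csproj:", scan_csproj(SAMPLE_CSPROJ))
    print("assets:", scan_assets(SAMPLE_ASSETS))
```

Running the scan over `project.assets.json` (or `dotnet list package --vulnerable`, which also consults the advisory feed) is the check that matters for the "loaded at runtime" condition in the advisory, since a transitive dependency can pull in the affected package without it ever appearing in the project file.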

Impact summary of CVE-2026-40372

From a technical perspective, successful exploitation of CVE-2026-40372 allows an attacker to forge authentication cookies or other protected payloads that the application will accept as legitimate. This can lead to elevation of privilege within the application context and, in some configurations, SYSTEM level access on the underlying host. Attackers may also be able to decrypt previously protected data, undermining confidentiality and integrity controls.

A notable aspect of this vulnerability is token persistence. Microsoft has advised that tokens issued during the vulnerable window may remain valid even after patching, unless cryptographic keys are rotated. From a business standpoint, exploitation could result in unauthorised access to sensitive data, account compromise, regulatory exposure, and loss of trust in affected services. Organisations operating cloud-hosted or containerised ASP.NET Core workloads may face additional operational risk due to the need for rapid rebuild and redeployment. While there is no confirmed widespread exploitation at the time of publication, the severity and nature of the flaw warrant immediate attention.

Microsoft has released .NET 10.0.7 as an out-of-band security update to address CVE-2026-40372. Organisations should update the Microsoft.AspNetCore.DataProtection package to version 10.0.7 or later, rebuild affected applications, and redeploy them to production environments. In addition to patching, Microsoft recommends rotating the ASP.NET Core Data Protection key ring to invalidate any forged tokens that may have been issued prior to remediation. Where container images are used, base images should be updated and applications rebuilt to ensure the fixed libraries are included. Further guidance is available from Microsoft and the NIST NVD, including the official advisory on GitHub.

How can Sentrium help?

Sentrium works with organisations to identify and manage risk arising from vulnerabilities in application frameworks and supporting infrastructure. Through penetration testing, secure architecture reviews, and cloud security assessments, Sentrium helps clients understand real world exploitability and prioritise remediation effectively. If you would like to discuss how this issue may affect your environment, speak to our team for pragmatic, technically grounded advice.

*** This is a Security Bloggers Network syndicated blog from Labs Archive - Sentrium Security authored by James Drew. Read the original post at: https://www.sentrium.co.uk/labs/asp-net-core-privilege-escalation-vulnerability-cve-2026-40372