Microsoft issued an out-of-band patch for CVE-2026-40372, a critical (9.1 severity) regression introduced in the April 14 .NET 10.0.6 update. A bug in the ManagedAuthenticatedEncryptor causes an incorrect offset calculation for the validation tag in the Data Protection Library's Hash-based Message Authentication Codes (HMACs), allowing attackers to forge payloads that pass authenticity checks and to decrypt protected auth cookies, anti-forgery tokens, and more. The flaw affects Linux, macOS, and Windows systems using custom cryptographic algorithms. Simply applying the 10.0.7 runtime update is not enough — developers must also rebuild any ASP.NET Core applications built after April 14, expire all affected authentication cookies and tokens, and rotate Data Protection keys. Docker-based projects are particularly impacted, since the library is embedded in the built application images.