Microsoft has issued an out-of-band security update for CVE-2026-40372, a critical privilege escalation vulnerability in ASP.NET Core Data Protection. A regression introduced in .NET 10.0.6 caused the managed authenticated encryptor to compute its HMAC validation tag over the wrong bytes, so the tag no longer covered everything the receiver acts on; unauthenticated attackers could therefore forge authentication cookies and potentially gain SYSTEM-level privileges. Affected applications could also expose files and allow data modification. Developers using ASP.NET Core Data Protection are urged to upgrade to version 10.0.7 immediately, redeploy their applications, and rotate the Data Protection key ring to invalidate any tokens issued during the vulnerable window (the period an application ran on 10.0.6). Note that rotating the key ring invalidates every outstanding cookie and protected payload, not only forged ones, so signed-in users will have to authenticate again.
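The following is an added example written for this page, not code from Microsoft or from the .NET repository, to show why a validation tag computed over the wrong bytes lets a cookie be forged without knowing any key. It reimplements the shape of the default managed encryptor (AES-256-CBC with an HMAC-SHA256 tag, encrypt-then-MAC) in Go. The defect it models, leaving the IV outside the tag, is an assumption chosen for illustration; the page does not say which bytes the real regression covered. The keys, IV and cookie contents are constructed values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed demo values. Real code derives keys from the key ring and never hard-codes them, and draws the IV from crypto/rand; the IV is fixed here only so the example is deterministic.
var (
	encKey   = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
	macKey   = []byte("fedcba9876543210fedcba9876543210")
	demoIV   = []byte("0000000000000000")
	original = []byte("role=user;uid=42") // exactly one AES block
	target   = []byte("role=root;uid=42")
)

// coverage picks the bytes the HMAC tag is computed over: the part the regression got wrong.
type coverage func(iv, ct []byte) []byte
// coverAll authenticates everything the receiver acts on: IV and ciphertext.
func coverAll(iv, ct []byte) []byte { return append(append([]byte{}, iv...), ct...) }
// coverCiphertextOnly is a hypothetical defect for illustration: the IV is left unauthenticated.
func coverCiphertextOnly(_, ct []byte) []byte { return ct }

// pkcs7Pad / pkcs7Unpad handle CBC block alignment.
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("bad length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// protect does encrypt-then-MAC (AES-256-CBC, then HMAC-SHA256) and returns iv || ciphertext || tag.
func protect(pt, iv []byte, cov coverage) []byte {
	block, _ := aes.NewCipher(encKey) // key length is fixed above, so this cannot fail
	padded := pkcs7Pad(pt)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(cov(iv, ct))
	return append(append(append([]byte{}, iv...), ct...), mac.Sum(nil)...)
}

// unprotect verifies the tag over whatever cov covers, and only then decrypts.
func unprotect(token []byte, cov coverage) ([]byte, error) {
	if len(token) < aes.BlockSize+sha256.Size {
		return nil, errors.New("token too short")
	}
	iv, ct, tag := token[:aes.BlockSize], token[aes.BlockSize:len(token)-sha256.Size], token[len(token)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(cov(iv, ct))
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return nil, errors.New("tag mismatch")
	}
	block, _ := aes.NewCipher(encKey)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// forgeFirstBlock turns the first plaintext block from `from` into `to` by XORing the difference into
// the IV (CBC: P1 = D(C1) XOR IV). The ciphertext is untouched, so a tag that omits the IV still verifies.
func forgeFirstBlock(token, from, to []byte) []byte {
	out := append([]byte{}, token...)
	for i := 0; i < len(from) && i < aes.BlockSize; i++ {
		out[i] ^= from[i] ^ to[i]
	}
	return out
}

// forgeWith mints a cookie under cov, tampers with it, and asks a verifier using the same cov to accept it.
func forgeWith(cov coverage) (string, error) {
	forged := forgeFirstBlock(protect(original, demoIV, cov), original, target)
	pt, err := unprotect(forged, cov)
	return string(pt), err
}

// ForgeAgainstBuggy: the defective coverage accepts the tampered cookie as "role=root;uid=42".
func ForgeAgainstBuggy() (string, error) { return forgeWith(coverCiphertextOnly) }
// ForgeAgainstFixed: full coverage rejects the same tampering with "tag mismatch".
func ForgeAgainstFixed() (string, error) { return forgeWith(coverAll) }

func main() {
	fmt.Println(ForgeAgainstBuggy())
	fmt.Println(ForgeAgainstFixed())
}
```

The attacker never touches the ciphertext or learns a key: the only change is to bytes the defective tag does not cover, which is why the fix (tag over the right bytes) is not enough on its own. Any token minted while the broken encryptor was live carries a tag that proves nothing about the uncovered bytes, so the key ring rotation the advisory calls for is what actually retires those tokens.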

3 min read. Source: bleepingcomputer.com