ASP.NET Core Elevation of Privilege Vulnerability

Description

The security flaw (tracked as CVE-2026-40372) was found in the ASP.NET Core Data Protection cryptographic APIs, and it could allow unauthenticated attackers to gain SYSTEM privileges on affected devices by forging authentication cookies. Microsoft discovered the flaw following user reports that decryption was failing in their applications after installing the .NET 10.0.6 update release during this month's Patch Tuesday. A regression in the Microsoft.AspNetCore.DataProtection 10.0.0-10.0.6 NuGet packages causes the managed authenticated encryptor to compute its HMAC validation tag over the wrong bytes of the payload and then discard the computed hash in some cases. In these cases, the broken validation could allow an attacker to forge payloads that pass DataProtection's authenticity checks, and to decrypt previously-protected payloads in auth cookies, antiforgery tokens, TempData, OIDC state, etc. If an attacker used forged payloads to authenticate as a privileged user during the vulnerable window, they may have induced the application to issue legitimately-signed tokens (session refresh, API key, password reset link, etc.) to themselves. Those tokens remain valid after upgrading to 10.0.7 unless the DataProtection key ring is rotated. This vulnerability can also enable attackers to disclose files and modify data, but they cannot impact the system's availability.

Affected Products

Also Affects

Downstream vendors/products affected by this vulnerability

References

• https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40372(vendor-advisory, patch)

Related News (8 articles)