Full Report
Microsoft has released out-of-band updates to address a security vulnerability in ASP.NET Core that could allow an attacker to escalate privileges. The vulnerability, tracked as CVE-2026-40372, carries a CVSS score of 9.1 out of 10.0. It's rated Important in severity. An anonymous researcher has been credited with discovering and reporting the flaw. "Improper verification of cryptographic
Analysis Summary
# Vulnerability: Microsoft ASP.NET Core Improper Cryptographic Verification
## CVE Details
- **CVE ID**: CVE-2026-40372
- **CVSS Score**: 9.1 (Critical)
- **Severity**: Important (According to Microsoft rating)
- **CWE**: Improper Verification of Cryptographic Signature (CWE-347)
## Affected Systems
- **Products**: ASP.NET Core applications utilizing the Data Protection library.
- **Versions**: `Microsoft.AspNetCore.DataProtection` NuGet package versions 10.0.0 through 10.0.6.
- **Configurations**: The vulnerability only affects applications when:
1. The application uses `Microsoft.AspNetCore.DataProtection`, either directly or transitively through a package such as `Microsoft.AspNetCore.DataProtection.StackExchangeRedis`.
2. The application is running on **non-Windows** operating systems (Linux, macOS, etc.).
3. The NuGet copy of the library is specifically loaded at runtime.
## Vulnerability Description
A regression in the managed authenticated encryptor causes the system to compute HMAC validation tags over incorrect bytes of the payload. In certain instances, the library calculates the hash but fails to verify it, discarding the result instead. This allows an attacker to forge payloads (such as authentication cookies or antiforgery tokens) that bypass authenticity checks or decrypt existing protected payloads.
## Exploitation
- **Status**: Not currently reported as exploited in the wild; PoC status not explicitly confirmed but technical details are public.
- **Complexity**: High (Requires forging specific cryptographic payloads).
- **Attack Vector**: Network
## Impact
- **Confidentiality**: High (Ability to decrypt protected payloads and disclose files).
- **Integrity**: High (Ability to modify data and forge authentication tokens).
- **Availability**: Low to Medium (Focus is on escalation and data access).
- **Privilege Escalation**: An unauthorized attacker can elevate to **SYSTEM** privileges.
## Remediation
### Patches
- Update ASP.NET Core to version **10.0.7**.
- Update `Microsoft.AspNetCore.DataProtection` NuGet package to version **10.0.7**.
### Workarounds
- **Key Rotation**: Even after patching, tokens issued during the vulnerable window (session refresh tokens, API keys, password reset links) may remain valid. Administrators should **rotate the DataProtection key ring** to invalidate potentially forged or compromised tokens.
## Detection
- **Indicators of Compromise**: Monitor for unusual administrative activity or sessions originating from unexpected locations that utilize long-lived session tokens.
- **Detection Methods**: Audit NuGet lock files or Software Bill of Materials (SBOM) for the vulnerable library versions (10.0.0 through 10.0.6) in Linux/macOS deployments.
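As an added example (not code from the advisory or from Microsoft), a small Python check that implements the lock-file audit described above: it parses a NuGet `packages.lock.json` and flags any `Microsoft.AspNetCore.DataProtection` entry, direct or transitive, resolved to 10.0.0 through 10.0.6. The sample lock file is constructed, and the result is a triage signal only, because a lock file cannot show whether the deployment runs on Linux/macOS or whether the NuGet copy rather than the shared-framework copy is loaded at runtime.

```python
"""Scan a NuGet packages.lock.json for Microsoft.AspNetCore.DataProtection
versions in the CVE-2026-40372 range (10.0.0 through 10.0.6).
Added example; the sample lock file below is constructed, not from a real project."""
import json
import re

VULN_PACKAGE = "Microsoft.AspNetCore.DataProtection"
VULN_MIN = (10, 0, 0)
VULN_MAX = (10, 0, 6)
FIXED = "10.0.7"


def parse_version(v: str) -> tuple:
    """Turn '10.0.3' or '10.0.3-preview.2' into a comparable tuple of ints.
    Assumption: a prerelease suffix is ignored for the range check."""
    core = v.split("-", 1)[0]
    return tuple(int(p) for p in re.findall(r"\d+", core))


def is_vulnerable(version: str) -> bool:
    return VULN_MIN <= parse_version(version) <= VULN_MAX


def find_vulnerable(lock_json: str) -> list:
    """Return (target framework, type, resolved version) for every vulnerable
    entry. packages.lock.json lists transitive packages explicitly, so a
    DataProtection copy pulled in via .StackExchangeRedis is found too."""
    lock = json.loads(lock_json)
    hits = []
    for tfm, packages in lock.get("dependencies", {}).items():
        entry = packages.get(VULN_PACKAGE)
        if entry and is_vulnerable(entry.get("resolved", "0")):
            hits.append((tfm, entry.get("type", "?"), entry["resolved"]))
    return hits


SAMPLE_LOCK = json.dumps({  # constructed sample, not from a real project
    "version": 1,
    "dependencies": {
        "net10.0": {
            "Microsoft.AspNetCore.DataProtection.StackExchangeRedis": {
                "type": "Direct", "requested": "[10.0.3, )", "resolved": "10.0.3",
                "dependencies": {"Microsoft.AspNetCore.DataProtection": "10.0.3"}},
            "Microsoft.AspNetCore.DataProtection": {
                "type": "Transitive", "resolved": "10.0.3"}},
        "net9.0": {
            "Microsoft.AspNetCore.DataProtection": {
                "type": "Transitive", "resolved": "9.0.4"}}}})

if __name__ == "__main__":
    for tfm, kind, ver in find_vulnerable(SAMPLE_LOCK):
        print(f"{tfm}: {VULN_PACKAGE} {ver} ({kind}) is vulnerable; update to {FIXED}")
```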
## References
- Microsoft Security Advisory: hxxps://msrc[.]microsoft[.]com/update-guide/vulnerability/CVE-2026-40372
- .NET 10.0.7 Release Notes: hxxps://github[.]com/dotnet/core/blob/main/release-notes/10.0/10.0.7/10.0.7[.]md
- Original Report: hxxps://thehackernews[.]com/2026/04/microsoft-patches-critical-aspnet-core[.]html