RC RANDOM CHAOS

Microsoft Ships Emergency Fix for Critical ASP.NET Core Auth Bypass

via BleepingComputer


Microsoft releases emergency patches for critical ASP.NET flaw


Microsoft has issued out-of-band patches for CVE-2026-40372, a critical privilege escalation flaw in ASP.NET Core’s Data Protection cryptographic APIs. A regression introduced in Microsoft.AspNetCore.DataProtection NuGet packages 10.0.0 through 10.0.6 caused the managed authenticated encryptor to compute its HMAC validation tag over the wrong bytes and then discard the computed hash, breaking authenticity checks on protected payloads.

The consequence is severe: unauthenticated attackers could forge auth cookies, antiforgery tokens, TempData, and OIDC state payloads that pass validation, then decrypt previously-protected data. An attacker who authenticated as a privileged user during the vulnerable window could have coerced the application into issuing legitimately-signed artifacts — session refresh tokens, API keys, password reset links — back to themselves. Critically, those tokens remain valid after upgrading unless operators rotate the DataProtection key ring.

Microsoft discovered the regression after customers reported decryption failures following the .NET 10.0.6 release in this month’s Patch Tuesday. Fix guidance: update to Microsoft.AspNetCore.DataProtection 10.0.7, redeploy, and rotate key rings to invalidate any tokens issued during the exposure window. The flaw enables information disclosure and tampering but has no availability impact. It follows October’s CVE-2025-55315 Kestrel HTTP request smuggling bug, which carried the highest severity rating ever assigned to an ASP.NET Core vulnerability.
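As an added illustration of the two defensive points above, a toy encrypt-then-MAC encryptor with a key ring shows what a verifier must do: compute the tag over every byte it will act on, compare it in constant time, and refuse key ids that have been rotated out. This is a constructed model written for this summary, not ASP.NET Core’s Data Protection code; the key_id | nonce | ciphertext | tag layout, key sizes and function names are assumptions.

```python
import hashlib
import hmac
import secrets

# Toy encrypt-then-MAC "authenticated encryptor" with a key ring (constructed example,
# not ASP.NET Core's Data Protection code). Layout key_id|nonce|ct|tag is assumed.
KEY_RING = {}  # key_id -> (enc_key, mac_key)
KEY_ID_LEN, NONCE_LEN, TAG_LEN = 4, 16, 32

def add_key(key_id: bytes) -> None:
    KEY_RING[key_id] = (secrets.token_bytes(32), secrets.token_bytes(32))

def revoke_key(key_id: bytes) -> None:
    # Rotating the key ring: payloads under this key id stop being trusted.
    KEY_RING.pop(key_id, None)

def _crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # XOR with an HMAC-SHA256 counter-mode keystream; a stand-in stream cipher (toy only).
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(x ^ y for x, y in zip(data, stream))

def protect(key_id: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = KEY_RING[key_id]
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = _crypt(enc_key, nonce, plaintext)
    # The tag must cover every byte the verifier will later act on.
    tag = hmac.new(mac_key, key_id + nonce + ciphertext, hashlib.sha256).digest()
    return key_id + nonce + ciphertext + tag

def unprotect(payload: bytes) -> bytes:
    key_id = payload[:KEY_ID_LEN]
    if len(payload) < KEY_ID_LEN + NONCE_LEN + TAG_LEN or key_id not in KEY_RING:
        raise ValueError("malformed payload or rotated-out key id")
    nonce = payload[KEY_ID_LEN:KEY_ID_LEN + NONCE_LEN]
    ciphertext, tag = payload[KEY_ID_LEN + NONCE_LEN:-TAG_LEN], payload[-TAG_LEN:]
    enc_key, mac_key = KEY_RING[key_id]
    expected = hmac.new(mac_key, key_id + nonce + ciphertext, hashlib.sha256).digest()
    # The regression above computed a tag and then never used it; this
    # constant-time comparison is the step that must not be skipped.
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication tag mismatch")
    return _crypt(enc_key, nonce, ciphertext)

def is_valid(payload: bytes) -> bool:
    try:
        unprotect(payload)
    except ValueError:
        return False
    return True
```

After `revoke_key`, every payload issued under the old key id fails `is_valid`, which is why the fix guidance pairs the package update with a key-ring rotation.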


This is an AI-generated summary. Read the original for the full story.