xiand.ai
Apr 24, 2026 · Updated 01:16 PM UTC
Cybersecurity

Microsoft issues emergency patch for critical ASP.NET Core privilege escalation flaw

Microsoft released an out-of-band security update to fix a critical vulnerability in ASP.NET Core that could allow unauthenticated attackers to gain SYSTEM privileges.

Ryan Torres


Microsoft has released emergency out-of-band security updates to patch a critical privilege escalation vulnerability in ASP.NET Core, according to bleepingcomputer.com.

The flaw, tracked as CVE-2026-40372, affects the ASP.NET Core Data Protection cryptographic APIs. Unauthenticated attackers can exploit the bug to gain SYSTEM privileges on affected devices by forging authentication cookies.

Microsoft discovered the issue after users reported that decryption was failing in various applications following the installation of the .NET 10.0.6 update during this month's Patch Tuesday.

"A regression in the Microsoft.AspNetCore.DataProtection 10.0.0-10.0.6 NuGet packages causes the managed authenticated encryptor to compute its HMAC validation tag over the wrong bytes of the payload and then discard the computed hash in some cases," Microsoft stated in the .NET 10.0.7 release notes.

Ongoing security risks

This broken validation allows attackers to forge payloads that pass authenticity checks. The vulnerability also enables the decryption of previously protected payloads within authentication cookies, antiforgery tokens, TempData, and OIDC state.
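To make that failure mode concrete, here is an added Python model (not Microsoft's code and not the actual Data Protection implementation) of an encrypt-then-MAC protect/unprotect pair: the correct unprotect recomputes the tag over exactly the authenticated bytes and compares it in constant time before decrypting, while a deliberately flawed variant mirrors the regression described above (tag computed over the wrong byte range, result discarded) and therefore accepts a tampered payload. The keys, the toy HMAC-counter keystream standing in for the block cipher, and the sample cookie value are all constructed.

```python
import hashlib
import hmac
import os

IV_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output


def _keystream(enc_key: bytes, iv: bytes, n: int) -> bytes:
    """Toy HMAC-counter keystream standing in for the block cipher (constructed;
    the regression under discussion is in the MAC step, not the cipher)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def protect(enc_key: bytes, mac_key: bytes, plaintext: bytes, iv: bytes = b"") -> bytes:
    """Encrypt-then-MAC: payload = iv || ciphertext || HMAC(mac_key, iv || ciphertext)."""
    iv = iv or os.urandom(IV_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, iv, len(plaintext))))
    tag = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    return iv + ciphertext + tag


def unprotect(enc_key: bytes, mac_key: bytes, payload: bytes) -> bytes:
    """Correct unprotect: recompute the tag over exactly the bytes that were
    authenticated and compare in constant time BEFORE touching the ciphertext."""
    if len(payload) < IV_LEN + TAG_LEN:
        raise ValueError("payload too short")
    authenticated, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
    expected = hmac.new(mac_key, authenticated, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("validation tag mismatch: payload rejected")
    iv, ciphertext = authenticated[:IV_LEN], authenticated[IV_LEN:]
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, iv, len(ciphertext))))


def unprotect_flawed(enc_key: bytes, mac_key: bytes, payload: bytes) -> bytes:
    """Model of the regression: the tag is computed over the wrong byte range
    (ciphertext only, IV omitted) and then discarded, so nothing is ever compared
    and any payload, forged or tampered, is treated as authentic."""
    authenticated = payload[:-TAG_LEN]
    iv, ciphertext = authenticated[:IV_LEN], authenticated[IV_LEN:]
    _discarded = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()  # never compared
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, iv, len(ciphertext))))


def accepts(unprotect_fn, enc_key: bytes, mac_key: bytes, payload: bytes) -> bool:
    """True if the given unprotect routine returns data instead of rejecting the payload."""
    try:
        unprotect_fn(enc_key, mac_key, payload)
        return True
    except ValueError:
        return False
```

Running both routines over a payload with one ciphertext bit flipped shows the difference: the correct routine rejects it, the flawed model returns garbage plaintext as if it were valid, which is the behaviour that lets forged cookies through.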

Microsoft warned that if an attacker uses forged payloads to authenticate as a privileged user during the vulnerable window, they could induce applications to issue legitimately signed tokens. These tokens, including session refreshes, API keys, and password reset links, remain valid even after upgrading to version 10.0.7 unless the DataProtection key ring is rotated.

In a Tuesday security advisory, Microsoft further explained that the vulnerability can enable attackers to modify data and disclose files, though it cannot impact system availability.

Rahul Bhandari, a senior program manager at Microsoft, urged all customers using ASP.NET Core Data Protection to update the Microsoft.AspNetCore.DataProtection package to 10.0.7 immediately. He advised redeploying the update to fix the validation routine and ensure forged payloads are rejected.

This emergency patch follows a series of recent high-profile security fixes. In October, Microsoft patched an HTTP request smuggling bug, CVE-2025-55315, in the Kestrel web server. That flaw received the highest possible severity rating for an ASP.NET Core security issue.

Successful exploitation of that Kestrel bug allows authenticated attackers to hijack user credentials, bypass security controls, or crash servers. On Monday, Microsoft also issued out-of-band updates to address issues affecting Windows Server systems following the April 2026 security updates.
