April 23, 2026

Microsoft issued emergency patch for ASP.NET Core Data Protection flaw

At a glance: Microsoft issued an out-of-band update to address CVE-2026-40372, a high-severity elevation of privilege vulnerability introduced in the April 14, 2026 .NET 10.0.6 Patch Tuesday release. The flaw affects ASP.NET Core applications that use the Data Protection component to secure authentication state and can allow forged authentication artifacts to persist beyond patching. Organizations running affected configurations benefit from updating, rebuilding impacted applications, and invalidating credentials issued during the vulnerable period to fully restore cryptographic trust.

Threat summary

On April 21, 2026, Microsoft released an out-of-band security update to address a high-severity elevation of privilege vulnerability affecting ASP.NET Core. The flaw impacts versions 10.0.0 through 10.0.6 of the Microsoft.AspNetCore.DataProtection NuGet package and was remediated in version 10.0.7.

ASP.NET Core Data Protection is a core framework component responsible for encrypting and signing sensitive application data, including authentication cookies, anti-forgery tokens, OpenID Connect state, and temporary session data. These protections underpin authentication and authorization decisions in many enterprise web applications deployed across cloud, containerized, and managed hosting environments. Failures at this layer directly affect trust boundaries between users and applications.

The vulnerability, tracked as CVE-2026-40372, was introduced as part of the .NET 10.0.6 update released on April 14 during the April Patch Tuesday cycle. Microsoft described the issue as a regression, meaning a previously secure cryptographic behavior was unintentionally broken by the update. The severity of the regression prompted Microsoft to issue an out-of-band fix.

In affected versions, the Hash-based Message Authentication Code (HMAC) used to validate protected payloads could be calculated over incorrect data and, in some cases, discarded entirely. This breaks integrity guarantees and allows a threat actor to forge payloads that pass authenticity checks, as well as decrypt data that was previously protected by the framework.

Exploitation enables unauthenticated elevation of privilege. An adversary able to authenticate during the vulnerable window could cause the application to issue legitimately signed artifacts such as session cookies, application programming interface (API) keys, or password reset links. These artifacts remain valid after patching unless affected Data Protection keys are rotated, creating the potential for persistent privileged access if issued tokens are not invalidated. Microsoft assigned the vulnerability a CVSS score of 9.1.

Analysis

Affected environments include ASP.NET Core applications that reference Microsoft.AspNetCore.DataProtection versions 10.0.0 through 10.0.6 and load the vulnerable package at runtime. Exposure concentrates in Linux and macOS deployments, where the managed Data Protection implementation is used by default.

Additional impact could apply to Windows deployments configured to use managed cryptographic algorithms through the UseCustomCryptographicAlgorithms API. These configurations follow the same managed code path as non-Windows platforms, which is why exposure depends on runtime configuration rather than on the operating system alone.

Mitigation actions focus on removing the vulnerable code path and clearing residual trust. Organizations benefit from upgrading Microsoft.AspNetCore.DataProtection to version 10.0.7 or later and rebuilding and redeploying applications that bundle the library into their runtime artifacts. Runtime updates alone do not clear embedded dependencies.

Rotating Data Protection key rings invalidates authentication material issued during the vulnerable period and resets cryptographic trust boundaries.

Reviewing and reissuing long-lived artifacts, including API keys, refresh tokens, and password reset links generated during the affected window, further reduces risk. Teams also benefit from reviewing cryptographic configuration choices, particularly the use of managed algorithms on Windows hosts, to confirm alignment with supported and hardened defaults.

For managed service providers, risk reduction includes identifying customer applications that include Data Protection as a bundled dependency, verifying which cryptographic implementation is active at runtime, and prioritizing remediation for internet-exposed workloads. Coordinated rebuilds, redeployments, key rotation, and artifact reissuance provide a clear and repeatable response path that restores application trust and limits exposure stemming from this regression.
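Because the vulnerable library is bundled into each application's published output, the first step of the response above is finding every deployment that still ships an affected version. The following script is an added example, not Microsoft's tooling or part of the advisory: it walks a directory of published .NET applications and reads the `*.deps.json` manifest beside each one, flagging any that reference Microsoft.AspNetCore.DataProtection 10.0.0 through 10.0.6. It assumes the standard deps.json layout, where libraries are keyed as `"Name/Version"`; the sample tree it builds is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from Microsoft or the advisory): locate published ASP.NET Core
# applications whose bundled Microsoft.AspNetCore.DataProtection is in the affected
# range 10.0.0-10.0.6 by reading the *.deps.json manifest next to each app.
# Assumes the standard deps.json layout, where libraries are keyed "Name/Version".

# Return 0 when the version is one of 10.0.0 .. 10.0.6 (the affected range).
is_affected_version() {
  case "$1" in
    10.0.[0-6]) return 0 ;;
    *) return 1 ;;
  esac
}

# Print each distinct Microsoft.AspNetCore.DataProtection version a deps.json references.
dataprotection_versions() {
  grep -o '"Microsoft\.AspNetCore\.DataProtection/[^"]*"' "$1" 2>/dev/null \
    | sed 's#.*/##; s#"$##' | sort -u
}

# Walk a directory tree and print one line per deps.json that references the package:
# "AFFECTED <file> <version>" (rebuild, redeploy, rotate keys) or "OK <file> <version>".
scan_tree() {
  find "$1" -name '*.deps.json' -print | sort | while read -r f; do
    for v in $(dataprotection_versions "$f"); do
      if is_affected_version "$v"; then
        echo "AFFECTED $f $v"
      else
        echo "OK $f $v"
      fi
    done
  done
}

# Constructed sample: two published apps, one still bundling 10.0.6, one already on 10.0.7.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/orders" "$root/billing"
  cat > "$root/orders/orders.deps.json" <<'EOF'
{ "libraries": { "Microsoft.AspNetCore.DataProtection/10.0.6": { "type": "package" } } }
EOF
  cat > "$root/billing/billing.deps.json" <<'EOF'
{ "libraries": { "Microsoft.AspNetCore.DataProtection/10.0.7": { "type": "package" } } }
EOF
  echo "$root"
}
```

Run `scan_tree /path/to/published/apps` against a real deployment root; every `AFFECTED` line marks an application that needs a rebuild against 10.0.7 or later, a redeploy, and key ring rotation, not just a runtime update.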