Serious vulnerability in ASP.NET Core (CVE-2026-40372) could allow privilege elevation: update to 10.0.7 and rotate the key ring


Microsoft has published out-of-band updates to fix a critical vulnerability in ASP.NET Core that could allow an attacker to elevate privileges on affected systems. Tracked as CVE-2026-40372 and rated with a CVSS score of 9.1/10.0, the flaw has been classified as Important severity and was reported by an anonymous researcher.

The root cause lies in the implementation of the ASP.NET Core Data Protection subsystem: a regression in some versions of the NuGet packages caused the authenticated-encryption mechanism to compute the HMAC validation tag over the wrong payload bytes and, in some cases, to discard the computed hash altogether. This failure to verify the cryptographic signature means that tampered inputs can appear authentic and, in certain situations, also allows previously protected data to be decrypted. Affected objects include authentication cookies, antiforgery tokens and any other data signed or encrypted by the library.


Microsoft has released the fix in the ASP.NET Core 10.0.7 branch. According to the company, an attacker who successfully exploits the vulnerability could obtain system-level privileges (SYSTEM on Windows, or the equivalent on Unix-like systems), access files and alter information. Exploitation is not universal, however: several preconditions must hold at the same time for it to be viable.

For the vulnerability to be exploitable, the application must use an affected version of the Microsoft.AspNetCore.DataProtection package (the regression is present in versions 10.0.0 through 10.0.6), the copy of the package obtained from NuGet must actually be loaded at runtime by the application, and the service must run on a non-Windows system (for example, Linux or macOS). When these conditions are met, an attacker could forge payloads that pass Data Protection's integrity checks or even decrypt previously protected content. Moreover, if during the vulnerable window an attacker was able to authenticate as a privileged user, the application may have issued legitimately signed tokens (session refreshes, API keys, password-reset links and so on) that remain valid after the update to 10.0.7 unless the Data Protection key ring is rotated.

The immediate recommendation is to apply the fixed version as soon as possible: update projects and deployments to Microsoft.AspNetCore.DataProtection 10.0.7 and the matching ASP.NET Core 10.0.7 release. Microsoft has published technical details and mitigations in its security advisory and release notes; review both to understand the scope in your environment. See Microsoft's advisory here: MSRC - CVE-2026-40372, and the release notes in the official repository: aspnetcore v10.0.7.

Beyond patching, there is a second critical measure: rotate the Data Protection key ring. Because the keys used to sign and encrypt data are what determine whether tokens and cookies are valid, a forced rotation invalidates material signed with the exposed keys and prevents an attacker from using tokens issued during the vulnerable window. Note that in ASP.NET Core simply adding a new key is not enough on its own: older keys that remain in the ring are still accepted for Unprotect until they are revoked or removed, so the rotation must include revoking the keys that existed during the vulnerable window. The official documentation explains how to manage and rotate Data Protection keys: Key management in Data Protection.
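The following is an added example, not code from the article or from Microsoft, of what that rotation looks like with the public Data Protection key-management API: revoke every key created before a cutoff, then provision a fresh key, and show that a payload protected before the rotation is no longer accepted. It assumes a file-system key store at a placeholder path and a placeholder application name; both must match what the web application uses, otherwise you rotate a different ring. Run it once after the 10.0.7 update, with the application name and store taken from your real deployment.

```csharp
// Added example (not the page's or Microsoft's code): one-off key-ring rotation
// run after updating to 10.0.7, against the same key store the web app uses.
// Assumptions: keys live in a shared file-system directory (placeholder path)
// and SetApplicationName matches the web app's setting (placeholder name).
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

public static class KeyRingRotation
{
    // Revoke every key created before `cutoff`, then provision a fresh key.
    // Revoke first and create second, so the new key's creation timestamp is
    // later than the cutoff and is not swept up by the mass revocation.
    public static IKey RotateAfterPatch(IKeyManager keyManager, string reason)
    {
        DateTimeOffset cutoff = DateTimeOffset.UtcNow;
        keyManager.RevokeAllKeys(revocationDate: cutoff, reason: reason);

        DateTimeOffset activation = DateTimeOffset.UtcNow;
        return keyManager.CreateNewKey(activationDate: activation,
                                       expirationDate: activation.AddDays(90)); // default key lifetime
    }

    // After rotation, Unprotect on anything issued under a revoked key throws.
    // DangerousUnprotect lets an investigator still read such a payload for
    // log correlation without the application ever treating it as valid.
    public static (bool accepted, bool wasRevoked, string payload) Inspect(IDataProtector protector, byte[] blob)
    {
        try
        {
            return (true, false, Encoding.UTF8.GetString(protector.Unprotect(blob)));
        }
        catch (CryptographicException)
        {
            var persisted = (IPersistedDataProtector)protector;
            byte[] plain = persisted.DangerousUnprotect(blob, ignoreRevocationErrors: true,
                                                        out bool requiresMigration, out bool wasRevoked);
            return (false, wasRevoked, Encoding.UTF8.GetString(plain));
        }
    }

    public static void Main()
    {
        var services = new ServiceCollection();
        services.AddDataProtection()
                .SetApplicationName("orders-web")                                      // placeholder
                .PersistKeysToFileSystem(new DirectoryInfo("/var/lib/orders-web/keys")); // placeholder
        using var sp = services.BuildServiceProvider();

        // Constructed sample: a payload protected before the rotation, standing in
        // for a cookie or token issued during the vulnerable window.
        var protector = sp.GetDataProtector("Demo.v1");
        byte[] oldBlob = protector.Protect(Encoding.UTF8.GetBytes("issued-before-rotation"));

        IKey fresh = RotateAfterPatch(sp.GetRequiredService<IKeyManager>(),
                                      "CVE-2026-40372 post-patch rotation");
        Console.WriteLine($"new key {fresh.KeyId} active from {fresh.ActivationDate:u}");

        var (accepted, wasRevoked, payload) = Inspect(protector, oldBlob);
        Console.WriteLine($"old payload accepted={accepted} wasRevoked={wasRevoked} content={payload}");
    }
}
```

RevokeAllKeys is deliberately blunt: every user is signed out, open forms lose their antiforgery tokens and outstanding password-reset links stop working, so schedule the run and expect a wave of re-authentication. The Inspect helper is there for incident response, not for the request path; ignoreRevocationErrors must never be used to accept a token the application would otherwise reject.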

Development and operations teams should check whether their applications actually load the vulnerable version of the package at runtime. One practical approach is to review dependencies with the .NET tooling (e.g. `dotnet list package --include-transitive`) and to check the versions packaged in the artifacts or containers being deployed. The NuGet package page lists the published versions: Microsoft.AspNetCore.DataProtection on NuGet. It is also advisable to inspect container images, published builds or deployed binaries to confirm which library is actually being loaded.
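A dependency listing tells you what was resolved at build time; the runtime check the paragraph asks for is answered by the process itself. The following is an added example, not code from the article or from Microsoft, that reports which Microsoft.AspNetCore.DataProtection build a process has loaded and from where, and combines that with the host OS to decide whether the preconditions described earlier hold. It assumes the affected range 10.0.0 to 10.0.6 as stated in the article and that the package's AssemblyInformationalVersion carries the patch level (for example "10.0.3+<commit>") while AssemblyName.Version stays at 10.0.0.0 across patch releases.

```csharp
// Added example (not the page's or Microsoft's code): report which
// Microsoft.AspNetCore.DataProtection build this process actually loaded and
// where it came from, then decide whether the advisory's preconditions hold here.
// Assumptions: affected range 10.0.0 <= v < 10.0.7 as stated in the article, and
// the package's AssemblyInformationalVersion carries the patch level
// ("10.0.3+<commit>") while AssemblyName.Version stays at 10.0.0.0.
using System;
using System.Reflection;
using System.Runtime.InteropServices;
using Microsoft.AspNetCore.DataProtection;

public static class DataProtectionVersionGuard
{
    static readonly Version FirstAffected = new(10, 0, 0);
    static readonly Version FirstFixed    = new(10, 0, 7);

    // Resolve the loaded assembly through a type that lives in the package itself
    // (DataProtectionProvider), not in the *.Abstractions package, so we inspect the right DLL.
    public static Assembly LoadedAssembly => typeof(DataProtectionProvider).Assembly;

    public static string LoadedVersionString()
    {
        string? info = LoadedAssembly
            .GetCustomAttribute<AssemblyInformationalVersionAttribute>()?.InformationalVersion;
        return info ?? LoadedAssembly.GetName().Version?.ToString() ?? "unknown";
    }

    // "10.0.3+abcdef" -> 10.0.3; a prerelease tag ("10.0.0-rc.1") is also dropped,
    // which treats prerelease builds conservatively as the release they precede.
    public static Version ParseVersion(string s)
    {
        int cut = s.IndexOfAny(new[] { '+', '-' });
        return Version.Parse(cut < 0 ? s : s[..cut]);
    }

    public static bool IsInAffectedRange(Version v) => v >= FirstAffected && v < FirstFixed;

    // The two advisory preconditions a process can observe about itself:
    // an affected build is loaded and the host is not Windows.
    public static bool ProcessIsExposed() =>
        IsInAffectedRange(ParseVersion(LoadedVersionString()))
        && !RuntimeInformation.IsOSPlatform(OSPlatform.Windows);

    public static void Main()
    {
        // Location shows whether the DLL came from the application directory (the NuGet
        // copy the advisory is about) or from the shared framework install; it is empty
        // for single-file bundles, where the deps.json next to the binary is the fallback.
        Console.WriteLine($"DataProtection {LoadedVersionString()} loaded from '{LoadedAssembly.Location}'");
        Console.WriteLine($"OS: {RuntimeInformation.OSDescription}");

        if (ProcessIsExposed())
            throw new InvalidOperationException(
                "Microsoft.AspNetCore.DataProtection build is in the range affected by CVE-2026-40372; update to 10.0.7.");
    }
}
```

Wire ProcessIsExposed into application startup or a health check so a deployment that silently pulled the wrong package fails loudly rather than serving traffic; the printed Location is what to compare against the container image or published directory you inspected.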


If you run Linux or macOS environments, prioritize the update and rotate the keys as soon as possible. After patching and rotating keys, review authentication logs and look for unusual activity that might indicate someone exploited the flaw before the patch. If you detect possible access or suspicious token issuance during the vulnerable window, treat the affected secrets as compromised: revoke tokens, force replacements and audit access to sensitive data.

In practice, this incident underlines two points: regressions in critical security libraries can have a cross-cutting impact, and it is therefore essential to maintain update policies, trust anchors and sound key-management processes. For more technical context on how Data Protection works and its best practices, Microsoft's guide to the data protection system in ASP.NET Core is an excellent resource: ASP.NET Core Data Protection. To check the CVE record and severity details, the public entry in NVD is available: NVD - CVE-2026-40372.

If you run applications in production, act now: update to 10.0.7, rotate the key ring if your environment was exposed, and review logs and tokens issued during the vulnerable window. The combination of patching and key management is the most effective way to close this door before it causes more damage.
