Microsoft ships emergency out-of-band patch for critical ASP.NET Core authentication cookie forgery flaw (CVE-2026-40372)

Microsoft released out-of-band security updates for a critical ASP.NET Core Data Protection flaw that lets unauthenticated attackers forge authentication cookies and escalate to SYSTEM privileges. The bug (CVE-2026-40372) is a regression introduced in the April 2026 Patch Tuesday: the Microsoft.AspNetCore.DataProtection 10.0.0 through 10.0.6 NuGet packages compute the HMAC validation tag (the cryptographic signature that proves a cookie has not been tampered with) over the wrong bytes of the payload and then discard the hash in some cases. The broken check means attackers can forge payloads that pass DataProtection's authenticity checks and decrypt previously-protected data in auth cookies, antiforgery tokens, TempData, and OIDC state. Microsoft noticed the flaw only after users reported decryption failures in their apps after installing the .NET 10.0.6 update. Critical operational detail: updating to 10.0.7 stops future forgeries, but any tokens an attacker already got the app to legitimately sign during the vulnerable window (session refresh tokens, API keys, password reset links) remain valid forever unless you rotate the DataProtection key ring. Patching alone is not enough.

Check

Check whether any ASP.NET Core application you run is on the Microsoft.AspNetCore.DataProtection NuGet package versions 10.0.0 through 10.0.6.

Affected

Microsoft.AspNetCore.DataProtection NuGet package versions 10.0.0 through 10.0.6 (shipped as part of .NET 10.0.0 through .NET 10.0.6).

Fix

Update the Microsoft.AspNetCore.DataProtection package to 10.0.7 and redeploy. Critically, also rotate the DataProtection key ring after patching - any legitimately-signed tokens (session refresh, API keys, password reset links) issued to an attacker during the vulnerable window remain valid until the key ring is rotated. Audit auth logs from April 14 through April 22 for suspicious token issuance.