Microsoft releases emergency patches for critical ASP.NET flaw

Microsoft released out-of-band security updates to fix a critical privilege escalation bug in the ASP.NET Core Data Protection APIs that allowed forged authentication cookies to grant SYSTEM privileges. Customers are urged to update Microsoft.AspNetCore.DataProtection to 10.0.7, redeploy, and rotate DataProtection keys to invalidate any forged tokens. #CVE-2026-40372 #ASPNetCore

Keypoints

  • An ASP.NET Core Data Protection flaw (CVE-2026-40372) could let attackers forge auth cookies to escalate privileges.
  • The bug affected Microsoft.AspNetCore.DataProtection versions 10.0.0–10.0.6 by computing HMAC over the wrong bytes and discarding the hash.
  • Microsoft published .NET 10.0.7 as an out-of-band update and urges updating and redeploying the package immediately.
  • Forged tokens issued during the vulnerable window remain valid unless the DataProtection key ring is rotated.
  • Microsoft also addressed a prior Kestrel HTTP request smuggling issue (CVE-2025-55315) and released additional out-of-band Windows Server fixes.
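
As an added example, not taken from the article or from ASP.NET Core itself, the steps above as a one-off .NET maintenance tool: it refuses to run while an affected Data Protection build is loaded and otherwise rotates the key ring through IKeyManager, which is what invalidates tokens forged during the vulnerable window. The key ring path, application name and 90-day key lifetime are assumptions, and the version check assumes the loaded assembly's informational version carries the package version.

```csharp
using System;
using System.IO;
using System.Reflection;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;
// Hypothetical one-off maintenance tool, not ASP.NET Core's own code. The key ring
// path and application name are assumptions and must match the real deployment.
static class RotateDataProtectionKeys
{
    const string KeyRingPath = "/var/lib/my-app/dp-keys";   // assumed location
    const string AppName = "my-app";                         // assumed app name
    static readonly Version FirstFixed = new Version(10, 0, 7);

    // Affected range from the advisory: 10.0.0 through 10.0.6.
    static bool IsVulnerable(Version v) => v.Major == 10 && v.Minor == 0 && v < FirstFixed;
    // The assembly version stays 10.0.0.0 across patches, so read the informational
    // version ("10.0.7+<commit>") to learn which package build is actually loaded.
    static Version LoadedDataProtectionVersion()
    {
        var info = typeof(IKeyManager).Assembly
            .GetCustomAttribute<AssemblyInformationalVersionAttribute>()?.InformationalVersion ?? "0.0.0";
        return Version.Parse(info.Split('+', '-')[0]);
    }

    static int Main()
    {
        var loaded = LoadedDataProtectionVersion();
        if (IsVulnerable(loaded))
        {   // Rotating on an affected build is pointless: redeploy 10.0.7 first.
            Console.Error.WriteLine($"DataProtection {loaded} is still affected; update to {FirstFixed} and redeploy first.");
            return 1;
        }
        var services = new ServiceCollection();
        services.AddDataProtection()
                .PersistKeysToFileSystem(new DirectoryInfo(KeyRingPath))
                .SetApplicationName(AppName);
        using var provider = services.BuildServiceProvider();
        var keyManager = provider.GetRequiredService<IKeyManager>();
        // Revoke every key created before now, then mint a fresh one. Anything protected
        // with a revoked key (including tokens forged during the vulnerable window) no
        // longer unprotects, which also signs out every current user.
        var now = DateTimeOffset.UtcNow;
        keyManager.RevokeAllKeys(now, reason: "CVE-2026-40372 key ring rotation");
        var fresh = keyManager.CreateNewKey(activationDate: now, expirationDate: now.AddDays(90));
        Console.WriteLine($"Revoked old keys; new key {fresh.KeyId} expires {fresh.ExpirationDate:u}.");
        return 0;
    }
}
```

Run it once against the key ring every instance of the application shares; rotating a per-instance copy leaves the other instances accepting the old keys.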

Read More: https://www.bleepingcomputer.com/news/microsoft/microsoft-releases-emergency-security-updates-for-critical-aspnet-flaw/