Microsoft’s .NET team moved fast last week. They released version 10.0.6 of key packages during Patch Tuesday on April 14. Developers cheered the fixes. But soon, reports flooded in: decryption failures crippled apps using ASP.NET Core Data Protection. Investigation revealed worse—a critical vulnerability hiding in plain sight.
CVE-2026-40372. CVSS score of 9.1. Improper cryptographic signature verification. Attackers could forge authentication payloads. Gain SYSTEM privileges on Linux or macOS servers. No authentication needed. Just network access. Ars Technica broke the story on April 22, detailing the emergency out-of-band patch to version 10.0.7.
The Bug’s Inner Workings
Here’s the technical breakdown. ASP.NET Core’s Data Protection handles sensitive data: authentication cookies, antiforgery tokens, session state. It uses HMAC for integrity and authenticity checks. In versions 10.0.0 through 10.0.6 of the Microsoft.AspNetCore.DataProtection NuGet package, the managed authenticated encryptor botched the job. It calculated the HMAC validation tag over the wrong bytes of the payload. Then discarded the hash entirely. Forged payloads slipped through. Attackers impersonated privileged users. Induced apps to issue real tokens: session refreshes, API keys, password reset links. Those tokens? They persist post-patch. Unless keys rotate.
“A regression in the Microsoft.AspNetCore.DataProtection 10.0.0-10.0.6 NuGet packages cause the managed authenticated encryptor to compute its HMAC validation tag over the wrong bytes of the payload and then discard the computed hash in some cases,” Microsoft explained in release notes linked from their .NET Blog announcement on April 21 by Rahul Bhandari, senior program manager.
Windows dodged the bullet. Default encryptors there use CNG cryptography, sidestepping the flaw. Linux and macOS? Not so lucky. Vulnerable if the NuGet package loaded at runtime—not the shared framework copy. Specific setups hit hardest: apps not targeting Microsoft.NET.Sdk.Web, or referencing Microsoft.AspNetCore.App without opting out of PrunePackageReference. Smaller group: libraries on net462 or netstandard2.0 targets pulling vulnerable assets. Microsoft’s GitHub advisory spells it out precisely.
And the exploitation path echoes old ghosts. Padding-oracle attacks, reminiscent of MS10-070 from 2010. Attackers hammer endpoints with crafted inputs. Bleed plaintext byte by byte. Forge valid cookies. Escalate. Full machine compromise follows.
Remediation: Patch Alone Isn’t Enough
Update to 10.0.7. Now. Grab the ASP.NET Core Runtime from Microsoft’s download page. Rebuild. Redeploy. Linux and macOS binaries available for arm64, x64, even Alpine variants.
But stop there? Risky. Rotate the DataProtection key ring. Here’s Microsoft’s C# snippet from the advisory:
“`csharp
var services = new ServiceCollection()
.AddDataProtection()
// … your existing repository/protection config …
.BuildServiceProvider();
var keyManager = services.GetRequiredService
keyManager.RevokeAllKeys(
revocationDate: DateTimeOffset.UtcNow,
reason: “CVE-2026-40372: DataProtection 10.0.6 validation bypass”
);
“`
Revokes all keys. Forces reauthentication. New keys generate on next protect call. Then audit logs. Hunt anomalous traffic: high-volume requests to auth endpoints during the vulnerable window. Rotate long-lived artifacts manually—API keys, refresh tokens, reset links issued while exposed.
“If an attacker used forged payloads to authenticate as a privileged user during the vulnerable window, they may have induced the application to issue legitimately-signed tokens… to themselves. Those tokens remain valid after upgrading to 10.0.7 unless the DataProtection key ring is rotated,” the advisory warns.
The package boasts 976 million downloads on NuGet. Powers apps from Bitwarden servers to Azure SDKs. An anonymous researcher gets credit via Microsoft’s bounty program. No public exploits yet. But CVSS 9.1 screams urgency.
Recent coverage amplifies the call. The Hacker News on April 22 stressed non-Windows prerequisites. Duende Software dissected padding-oracle risks April 22. SOC Prime’s analysis yesterday flagged detection via web logs. X buzz—from The Hacker News to Ars Technica—urged patches.
Developers, check `dotnet list package`. Verify runtime with `dotnet –info`. Non-Windows fleets especially. This regression turned a routine update into a crypto nightmare. Fixed now. But only if you act fully.
WebProNews is an iEntry Publication