Critical ASP.NET Core Security Vulnerability (CVE-2026-40372), April 2026
Microsoft has released an urgent out-of-band security update for ASP.NET Core, addressing a critical vulnerability tracked as CVE-2026-40372 with a CVSS score of 9.1/10. This serious security flaw could allow unauthenticated attackers to escalate privileges and gain SYSTEM-level access.
The Vulnerability
The issue resides in the Microsoft.AspNetCore.DataProtection NuGet package (versions 10.0.0 through 10.0.6). A regression in the ManagedAuthenticatedEncryptor causes incorrect HMAC validation tag computation, effectively breaking cryptographic signature verification.
Technical Details:
- The HMAC validation tag is computed over wrong payload bytes
- In some cases, the computed hash is discarded entirely
- This allows forged payloads to pass DataProtection's authenticity checks
- Attackers can decrypt previously-protected data in auth cookies, anti-forgery tokens, TempData, OIDC state
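To make the failure mode concrete, here is an added toy encrypt-then-MAC in Python. It is not Microsoft's DataProtection code: the HMAC-based keystream cipher, the key values, the sample plaintext and the verify_tag switch are all constructed for illustration. The correct path computes the tag over IV plus ciphertext and checks it with a constant-time compare before decrypting anything; the verify_tag=False path models what the advisory describes when the computed hash is discarded, so a tampered payload is accepted and decrypts to altered plaintext without any error.

```python
"""Toy encrypt-then-MAC showing why the tag must cover the whole payload and
be verified before decryption. Added example, not the DataProtection
implementation; the cipher is an HMAC keystream chosen only so the script
runs with the standard library."""
import hashlib
import hmac
import os
import struct

IV_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output


def _keystream(enc_key: bytes, iv: bytes, length: int) -> bytes:
    # Counter-mode keystream from a PRF: block i = HMAC(enc_key, iv || i).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then MAC over iv || ciphertext. Layout: iv || ct || tag."""
    iv = os.urandom(IV_LEN)
    ct = _xor(plaintext, _keystream(enc_key, iv, len(plaintext)))
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag


def unprotect(enc_key: bytes, mac_key: bytes, payload: bytes, *, verify_tag: bool = True) -> bytes:
    """Correct validator when verify_tag is True; the False path models a
    validator that throws the computed hash away (constructed failure model)."""
    if len(payload) < IV_LEN + TAG_LEN:
        raise ValueError("The payload was invalid")
    iv = payload[:IV_LEN]
    ct = payload[IV_LEN:-TAG_LEN]
    tag = payload[-TAG_LEN:]
    if verify_tag:
        expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
        # Constant-time comparison; reject before touching the ciphertext.
        if not hmac.compare_digest(expected, tag):
            raise ValueError("The payload was invalid")
    return _xor(ct, _keystream(enc_key, iv, len(ct)))


def flip_ciphertext_bit(payload: bytes, offset: int, mask: int) -> bytes:
    """Modify one ciphertext byte without updating the tag."""
    b = bytearray(payload)
    b[IV_LEN + offset] ^= mask
    return bytes(b)


def demo() -> dict:
    enc_key = bytes(range(32))        # constructed keys, never reuse in real code
    mac_key = bytes(range(32, 64))
    original = protect(enc_key, mac_key, b"role=user")
    tampered = flip_ciphertext_bit(original, 5, 0x01)  # 'u' (0x75) -> 't' (0x74)

    try:
        unprotect(enc_key, mac_key, tampered)
        checked = "accepted"
    except ValueError:
        checked = "rejected"

    return {
        "round_trip": unprotect(enc_key, mac_key, original),
        "checked_validator": checked,
        "unchecked_validator": unprotect(enc_key, mac_key, tampered, verify_tag=False),
    }


if __name__ == "__main__":
    print(demo())
```

The unchecked path returns b"role=tser" for the tampered payload: with any stream-style cipher a ciphertext bit flip lands at the same position in the plaintext, which is exactly what the authentication tag exists to catch. Any detection rule keyed on "The payload was invalid" only works when that tag check is actually performed, which is why the patched package matters more than log monitoring alone.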
Impact:
- Authentication bypass: forge valid auth cookies
- Privilege escalation to SYSTEM level
- Data disclosure: decrypt protected payloads
- Token forgery: session refresh tokens, API keys, password reset links
Affected Environments
The vulnerability primarily affects:
- Applications running on Linux, macOS, or non-Windows operating systems
- Apps using Microsoft.AspNetCore.DataProtection 10.0.0 to 10.0.6 from NuGet
- Containerized deployments (Docker, Kubernetes)
- Applications explicitly opting into managed cryptographic algorithms via UseCustomCryptographicAlgorithms
Note: .NET 8 and .NET 9 are not affected; this regression was introduced exclusively in the .NET 10 release line.
Immediate Remediation Steps
1. Update to .NET 10.0.7 Immediately
dotnet add package Microsoft.AspNetCore.DataProtection --version 10.0.7
Download the .NET 10.0.7 SDK/Runtime from dotnet.microsoft.com.
2. Rebuild and Redeploy
- Update all affected applications with the new SDK/runtime
- Rebuild container images and push to your registry
- Redeploy to production environments
3. ROTATE DATA PROTECTION KEYS (CRITICAL)
Microsoft explicitly warns: tokens issued during the vulnerable window remain valid after upgrading unless the key ring is rotated.
// In Program.cs (after var app = builder.Build()) or in Startup.Configure:
// resolve IKeyManager from the app's service provider, run this once as a
// one-off rotation, then remove it (left in place it would revoke the key
// ring on every restart and log every user out each time).
using Microsoft.AspNetCore.DataProtection.KeyManagement; // place with the other using directives

var keyManager = app.Services.GetRequiredService<IKeyManager>();
keyManager.RevokeAllKeys(
    revocationDate: DateTimeOffset.UtcNow,
    reason: "CVE-2026-40372: DataProtection validation bypass"
);
4. Audit and Invalidate
- Review authentication logs (April 14 to 22, 2026) for unusual activity
- Invalidate all existing auth cookies and anti-forgery tokens
- Force password resets for privileged accounts
- Rotate API keys and OAuth tokens
How to Detect if You're Affected
Check your .csproj files:
<PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="10.0.6" />
Run:
dotnet list package | grep DataProtection
Check application logs for symptoms:
- Repeated "The payload was invalid" errors after the April 14 update
- Unexpected user logouts
- Authentication failures
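As an added detection helper (not from the advisory and not Microsoft's tooling), this Python script does the two checks above in one pass: it parses .csproj content for Microsoft.AspNetCore.DataProtection references whose version falls in the 10.0.0 to 10.0.6 range, and it counts "The payload was invalid" log lines per day on or after a cutoff date. The .csproj snippet, the log line layout (timestamp, level, message) and the log lines themselves are constructed sample data.

```python
"""Added detection helper for the DataProtection regression: scans .csproj
package references for the affected version range and tallies the
"The payload was invalid" symptom per day from application logs."""
import re
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import date

PACKAGE = "Microsoft.AspNetCore.DataProtection"
AFFECTED_MIN = (10, 0, 0)   # affected range per the advisory
AFFECTED_MAX = (10, 0, 6)
FIXED_VERSION = "10.0.7"
SYMPTOM = "The payload was invalid"


def parse_version(text: str):
    """(major, minor, patch) for '10.0.6' or '[10.0.6]'; a prerelease suffix is
    ignored, so '10.0.6-rc.1' is treated conservatively as 10.0.6. None if unparseable."""
    m = re.match(r"^\[?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version: str) -> bool:
    v = parse_version(version)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX


def scan_csproj(xml_text: str):
    """List (version, affected) for every DataProtection PackageReference."""
    root = ET.fromstring(xml_text)
    findings = []
    for ref in root.iter("PackageReference"):
        if ref.get("Include") != PACKAGE:
            continue
        # SDK-style projects allow Version as an attribute or as a child element.
        version = ref.get("Version") or (ref.findtext("Version") or "").strip()
        findings.append((version, is_affected(version)))
    return findings


# Constructed log shape: ISO timestamp, level, free-text message.
LOG_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+\s+(\w+)\s+(.*)$")


def symptom_counts_by_day(lines, since: date) -> dict:
    """Count SYMPTOM messages per day on or after `since`; unparseable lines are skipped."""
    counts = Counter()
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        day = date.fromisoformat(m.group(1))
        if day >= since and SYMPTOM in m.group(3):
            counts[day.isoformat()] += 1
    return dict(counts)


# Constructed sample inputs.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="10.0.6" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>
"""

SAMPLE_LOGS = [
    "2026-04-13T09:12:01Z warn DataProtection: The payload was invalid.",
    "2026-04-15T10:02:44Z warn DataProtection: The payload was invalid.",
    "2026-04-15T10:02:45Z info Request finished HTTP/1.1 GET /health - 200",
    "2026-04-16T01:30:00Z warn DataProtection: The payload was invalid.",
    "2026-04-16T01:30:07Z warn DataProtection: The payload was invalid.",
    "not a log line",
]


def report() -> dict:
    """Run both checks on the sample data; cutoff is the April 14 update date."""
    return {
        "csproj": scan_csproj(SAMPLE_CSPROJ),
        "symptoms": symptom_counts_by_day(SAMPLE_LOGS, date(2026, 4, 14)),
    }


if __name__ == "__main__":
    print(report())
```

One caveat: an ASP.NET Core app that takes DataProtection from the Microsoft.AspNetCore.App shared framework has no PackageReference to find, so for those the installed runtime version (dotnet --list-runtimes) is what decides exposure, which is why the advisory's step 1 covers the runtime as well as the package.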
Context & Severity
This is only the second major ASP.NET Core vulnerability in recent months, following the October 2025 Kestrel HTTP request smuggling flaw (CVE-2025-55315, CVSS 9.9). Microsoft's comparison to the infamous CVE-2010-3332, an emergency patch from 2010, underscores the severity.
The out-of-band release (outside normal Patch Tuesday) signals Microsoft's assessment of active risk. While no public exploitation has been confirmed, the nature of the vulnerability (network-accessible, no authentication required, high impact) makes it a prime target for attackers.
Broader April 2026 .NET Updates
Alongside this security fix, .NET 10.0.7 also addresses:
- 6 total CVEs across .NET 10, .NET 9, .NET 8, and .NET Framework
- Including 2 remote code execution vulnerabilities
- Various stability and performance improvements
Recommendations for Teams
- Prioritize patching within 72 hours; this is not a "next monthly cycle" update
- Don't skip key rotation; it's mandatory if you can't rule out exploitation
- Enable automated dependency scanning to catch vulnerable packages
- Monitor for unusual auth patterns through April-May 2026
- Review container images: update base images and rebuild
- Consider temporary WAF rules to detect suspicious auth patterns
Stay Informed
- Microsoft Security Advisory: MSRC CVE-2026-40372
- .NET 10.0.7 Release Notes: github.com/dotnet/core
- NIST NVD Entry: nvd.nist.gov/vuln/detail/CVE-2026-40372
Bottom line: If you're running ASP.NET Core on .NET 10 in production, patch today, rotate keys tonight, and monitor all week. This is one of those security updates you don't want to sleep on.