Vulnerability Analysis

CVE-2026-40372: ASP.NET Core DataProtection Privilege Escalation — What It Is & How to Fix It

Executive Summary

CVE-2026-40372 is a critical elevation-of-privilege vulnerability in ASP.NET Core's DataProtection library affecting versions 10.0.0 through 10.0.6, carrying a CVSS score of 9.1. A logic flaw in the cryptographic HMAC verification routine allows unauthenticated remote attackers to forge authentication cookies and antiforgery tokens, potentially gaining SYSTEM-level privileges. Microsoft issued an emergency out-of-band patch in .NET 10.0.7 — any organization running ASP.NET Core 10 must patch immediately.

1. What Is This Vulnerability?

CVE-2026-40372 lives inside the ManagedAuthenticatedEncryptor class of the Microsoft.AspNetCore.DataProtection package — the foundational component that ASP.NET Core relies on to protect cookies, antiforgery tokens, session state, and any application data sealed with the Data Protection API (DPAPI).

The bug is a cryptographic verification regression introduced in version 10.0.0. In the vulnerable code path, the HMAC validation tag is computed over the wrong byte range of the payload, and the resulting hash is then discarded without being compared. In practice, this means the integrity check is silently skipped:

// VULNERABLE (10.0.0 – 10.0.6): HMAC is computed but never used for comparison
var computedTag = _hmac.ComputeHash(payloadSlice);
// BUG: computedTag is discarded — payload tag is never actually verified
return Decrypt(payload);

Because the tag is never verified, an attacker can supply any HMAC value (including all-zeroes) and the payload will be accepted as authentic.

Attack Vector

Exploitation requires no prior authentication and operates entirely over the network:

  1. Attacker obtains or observes a valid DataProtection-protected payload (e.g., an authentication cookie) from the target application.
  2. Attacker constructs a forged payload that claims a high-privileged identity, appending an arbitrary (e.g., all-zero) HMAC.
  3. Because signature verification is effectively disabled, the forged payload is accepted by the server.
  4. The server treats the forged cookie as a legitimate, trusted authentication token, granting SYSTEM-level (or application-admin-level) access.

Real-World Impact

Although no confirmed in-the-wild exploitation has been publicly disclosed as of April 24, 2026, the CVSS 9.1 score and the fact that Microsoft issued an emergency out-of-band patch (rather than waiting for the next scheduled Patch Tuesday) signals the high severity. Any internet-facing ASP.NET Core 10 application using standard cookie authentication or antiforgery tokens is at risk.

2. Who Is Affected?

Component Vulnerable Versions Patched Version
Microsoft.AspNetCore.DataProtection NuGet 10.0.0 – 10.0.6 10.0.7
.NET Runtime 10.0.0 – 10.0.6 10.0.7
ASP.NET Core 10 apps (cookie auth, antiforgery, session) All using DataProtection 10.0.0–10.0.6 Patched in 10.0.7

Not affected:

  • ASP.NET Core 6, 7, 8, or 9 applications (the regression was introduced in 10.0.0)
  • Applications using third-party session/auth providers that do not call the DataProtection API internally

At elevated risk:

  • Internet-facing applications using ASP.NET Core 10 cookie authentication
  • Applications storing sensitive user data in DPAPI-protected cookies
  • Multi-tenant SaaS platforms running on .NET 10

3. How to Detect It (Testing)

Manual Testing Steps

  1. Check your runtime version. Run dotnet --version on all production hosts. If the output starts with 10.0. and is not 10.0.7 or higher, your host runtime is vulnerable.

  2. Audit NuGet package references. In each project's .csproj or by running:

    dotnet list package --include-transitive | grep DataProtection

    Look for any resolved version of Microsoft.AspNetCore.DataProtection in the range 10.0.010.0.6.

  3. Check lock files and deployment artifacts. Review packages.lock.json or the published output's .deps.json for Microsoft.AspNetCore.DataProtection resolved version.

  4. Confirm cookie-based authentication is in use. Inspect Startup.cs / Program.cs for AddCookie(), AddDataProtection(), AddAntiforgery(), or UseSession() — any of these indicates DataProtection is active.

Automated Scanning

  • Tool: Trivy (container/filesystem vulnerability scanner)

    trivy fs --severity CRITICAL,HIGH --vuln-type library .

    Expected output: CVE-2026-40372 flagged against Microsoft.AspNetCore.DataProtection if a vulnerable version is present.

  • Tool: dotnet-outdated / GitHub Dependabot

    • Enable Dependabot alerts in your repository — it will automatically flag CVE-2026-40372 on any project referencing the affected package range.

  • Tool: OWASP Dependency-Check

    dependency-check --project "MyApp" --scan ./MyApp --format HTML --out ./reports

    Expected output: CVE-2026-40372 listed under Microsoft.AspNetCore.DataProtection.

Code Review Checklist

  • Confirm Microsoft.AspNetCore.DataProtection is pinned to >= 10.0.7 in all .csproj files
  • Verify no transitive package pulls in a vulnerable version via dotnet list package --include-transitive
  • Confirm AddDataProtection() is called and key storage is configured (not relying on defaults) in Program.cs
  • Review whether custom IDataProtector implementations use ManagedAuthenticatedEncryptor directly — if so, validate they do not replicate the flawed verification pattern
  • Check that key ring rotation is scheduled and keys older than the vulnerability window are revoked

4. How to Fix It (Mitigation)

Step-by-Step Remediation

  1. Update the .NET 10 runtime to version 10.0.7 on all hosts (servers, containers, Azure App Service slots):

    # Linux — via dotnet install script or package manager
sudo apt-get update && sudo apt-get install -y dotnet-runtime-10.0

# Verify
dotnet --version   # should output 10.0.7 or later

  2. Update the NuGet package in all affected projects:

    dotnet add package Microsoft.AspNetCore.DataProtection --version 10.0.7
# Or update via NuGet Package Manager to >= 10.0.7

  3. Rebuild and redeploy all applications. A runtime upgrade alone is not sufficient if the application ships its own copy of the DataProtection DLL (self-contained deployments).

  4. Rotate the DataProtection key ring for any application that was internet-exposed during the vulnerable window (versions 10.0.0–10.0.6). Rotating the key ring invalidates all previously issued protected payloads, including any forged tokens an attacker may have obtained:

    // In Program.cs — configure explicit key storage and rotation
builder.Services.AddDataProtection()
    .PersistKeysToFileSystem(new DirectoryInfo("/secure/dp-keys"))
    .SetDefaultKeyLifetime(TimeSpan.FromDays(14));

    Then delete existing key XML files and restart the application to force new key generation.

  5. Force users to re-authenticate. After key rotation, all existing authentication cookies become invalid. Communicate downtime or a forced logout to affected users.

Code Fix Example

Before (vulnerable — 10.0.0 to 10.0.6, simplified illustration):

// ManagedAuthenticatedEncryptor.Decrypt (vulnerable pseudocode)
public byte[] Decrypt(ArraySegment<byte> ciphertext, ArraySegment<byte> additionalAuthenticatedData)
{
    var providedTag = ExtractTag(ciphertext);
    var computedTag = _hmac.ComputeHash(GetPayloadBytes(ciphertext));
    // BUG: computed tag is computed but never compared to providedTag
    return DecryptCore(ciphertext);
}

After (patched — 10.0.7):

// ManagedAuthenticatedEncryptor.Decrypt (patched pseudocode)
public byte[] Decrypt(ArraySegment<byte> ciphertext, ArraySegment<byte> additionalAuthenticatedData)
{
    var providedTag = ExtractTag(ciphertext);
    var computedTag = _hmac.ComputeHash(GetPayloadBytes(ciphertext));
    // FIX: Constant-time comparison ensures tag must match
    if (!CryptographicOperations.FixedTimeEquals(providedTag, computedTag))
    {
        throw new CryptographicException("Payload validation failed.");
    }
    return DecryptCore(ciphertext);
}

Configuration Hardening

Beyond patching, harden your DataProtection setup:

builder.Services.AddDataProtection()
    // Store keys in a durable, access-controlled location
    .PersistKeysToAzureBlobStorage(blobClient)
    // Encrypt keys at rest using Azure Key Vault or Windows DPAPI
    .ProtectKeysWithAzureKeyVault(keyIdentifier, credential)
    // Isolate applications by purpose
    .SetApplicationName("MyApp-Production")
    // Limit key lifetime to reduce exposure window
    .SetDefaultKeyLifetime(TimeSpan.FromDays(14));

5. How to Test the Fix (Validation)

Regression Test Scenarios

  • Scenario A: Deploy the updated package and confirm the application starts and authentication cookies function normally end-to-end.
  • Scenario B: Attempt to submit a DataProtection payload with an all-zero HMAC tag — the application should reject it with a CryptographicException, not accept it.
  • Scenario C: Verify that existing session flows (login → authenticated request → logout) are unbroken after patching and key rotation.

Security Test Cases

Test Case 1 — Verify the vulnerability no longer exists:

  • Precondition: Patch applied, runtime updated to 10.0.7.
  • Steps: Capture a legitimate authentication cookie. Modify the HMAC bytes in the base64-decoded payload to all-zeroes. Replay the forged cookie in an authenticated request.
  • Expected Result: Server returns HTTP 400 or 401; session is not granted.

Test Case 2 — Verify legitimate tokens still work:

  • Precondition: Patch applied, key ring rotated, users re-authenticated.
  • Steps: Log in normally, obtain a fresh authentication cookie. Issue an authenticated request.
  • Expected Result: Server returns HTTP 200 with expected content.

Test Case 3 — Key rotation invalidates old tokens:

  • Precondition: Application key ring rotated.
  • Steps: Use a cookie issued before key rotation.
  • Expected Result: Server rejects old cookie with 401, prompting re-authentication.

Automated Tests

[Fact]
public void DataProtector_RejectsForgedPayload()
{
    // Arrange
    var services = new ServiceCollection();
    services.AddDataProtection().SetApplicationName("test");
    var sp = services.BuildServiceProvider();
    var protector = sp.GetDataProtector("test-purpose");

    var legitimate = protector.Protect("admin");
    var bytes = Convert.FromBase64String(legitimate);

    // Corrupt the HMAC region (last 32 bytes for SHA-256)
    for (int i = bytes.Length - 32; i < bytes.Length; i++)
        bytes[i] = 0x00;

    var forged = Convert.ToBase64String(bytes);

    // Act & Assert
    Assert.Throws<CryptographicException>(() => protector.Unprotect(forged));
}

6. Prevention & Hardening

Best Practices

  • Pin and audit NuGet package versions. Use a packages.lock.json file and Dependabot/Renovate to receive automatic pull requests when security updates are released. Never leave * or open-ended version ranges for security-sensitive packages.

  • Use framework-dependent deployments where possible. When the .NET runtime is installed separately (not bundled), upgrading the runtime automatically benefits all hosted apps simultaneously, reducing the patch surface.

  • Adopt a key management solution. Always persist DataProtection keys in a durable, encrypted store (Azure Key Vault, AWS KMS, HashiCorp Vault). Never rely on ephemeral in-memory key storage in production — it regenerates on restart, which can cause cryptographic failures of a different kind.

  • Rotate keys on a schedule. Default DataProtection key lifetime is 90 days. Consider reducing this to 14–30 days to limit the blast radius of any future key compromise.

  • Implement WAF rules for anomalous authentication patterns. A sudden spike in authentication failures or high-privilege session creation from new IPs can indicate active exploitation.

Monitoring & Detection

Set up alerts for the following indicators of compromise:

  • Authentication log anomalies: Multiple failed HMAC/decryption exceptions (CryptographicException) in application logs from a single IP or user agent.
  • Privilege escalation events: Accounts suddenly appearing in admin roles without a corresponding administrative action in your audit log.
  • Unusual session patterns: Sessions established from IP addresses that never completed the login flow (indicating forged cookies being injected directly).

Recommended log query (Application Insights / Serilog):

exceptions
| where type == "System.Security.Cryptography.CryptographicException"
| where outerMessage contains "Payload validation"
| summarize count() by bin(timestamp, 5m), client_IP
| where count_ > 10

References

Latest from the blog

See all →