Critical ASP.NET bypass

- A critical ASP.NET Core authentication bypass affecting Linux and macOS was flagged with an urgent patch recommendation. (x.com)
- The bug carries a CVSS score of 9.1 and is cataloged as CVE-2026-40372. (x.com)
- Teams maintaining cross-platform web apps are advised to patch immediately and rotate any affected credentials. (x.com)

ASP.NET Core apps use a built-in "seal" called Data Protection to sign cookies and other tokens so a server can trust them later. In versions 10.0.0 through 10.0.6, Microsoft said that seal could fail on Linux, macOS, and other non-Windows systems, letting attackers forge authentication data. (devblogs.microsoft.com)

Microsoft released .NET 10.0.7 as an out-of-band security update on April 21, 2026, to fix CVE-2026-40372. The company's advisory says the bug affects the `Microsoft.AspNetCore.DataProtection` NuGet package and carries a CVSS 3.1 score of 9.1. (devblogs.microsoft.com) (github.com)

The flaw sits in the package's cryptographic signature check, which is supposed to reject tampered data the way a wax seal shows a letter was opened. Microsoft said the vulnerable code could calculate a hash over the wrong bytes and then discard that result in some cases, so a payload whose signature should have failed could be accepted as genuine. That opens a path to forged authentication cookies and other payloads the app protects with Data Protection. (devblogs.microsoft.com) (github.com)

Microsoft's advisory says the primary affected setup is an app that loaded `Microsoft.AspNetCore.DataProtection` 10.0.6 at runtime and ran on Linux, macOS, or another non-Windows operating system. A second affected setup covers apps or libraries that used versions 10.0.0 through 10.0.6 through `net462` or `netstandard2.0` assets, including projects targeting newer runtimes such as .NET 8 or .NET 9. (github.com) That distinction matters because many developers do not reference Data Protection directly. Microsoft said the package can arrive transitively through add-ons such as the Redis, Azure Storage, Azure Key Vault, and Entity Framework Core integrations, so teams have to check what actually loaded in production (the published `*.deps.json` and the assemblies in the deployed tree), not just what they intended to use. (github.com)

Patching alone does not close every door the bug may have opened. Microsoft said that if an attacker used a forged payload during the vulnerable window to obtain a real session refresh, password-reset link, or API key, that token was signed by the app's genuine key, so it stays valid after the upgrade unless the Data Protection key ring is rotated. (github.com) In practice that means revoking the old keys rather than only adding a new one, because Data Protection will still unprotect payloads sealed under an older key that has not been revoked; expect every legitimate cookie and token issued under the old keys to stop working at the same time, so plan for a forced re-login.

The fix also requires more than updating a base machine image. Microsoft told customers to move to package version 10.0.7, verify the install with `dotnet --info`, and rebuild and redeploy applications with updated packages or containers. (devblogs.microsoft.com) The timing is unusually tight because Microsoft said the bug was introduced in the April 14, 2026 Patch Tuesday release, version 10.0.6, and then corrected one week later. The company's support table now lists .NET 10's latest patch as 10.0.7, released April 21, 2026. (devblogs.microsoft.com) (dotnet.microsoft.com)

For teams running cross-platform ASP.NET Core services, the checklist is short and specific: find any app that loaded the vulnerable package, rebuild on 10.0.7, redeploy, and rotate the key ring so old forged access cannot linger. Microsoft's own advisory compares the bug's capability to the 2010 ASP.NET padding-oracle issue known as MS10-070, a reminder that broken token validation can outlast the patch that fixes it. (github.com)
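The "find any app that loaded the vulnerable package" step is the one that is easy to get wrong when the package arrives transitively. The script below is an added triage helper written for this article; it is not Microsoft's tooling and nothing in it comes from the advisory. It scans a published or deployed directory tree for `*.deps.json` files, pulls out every recorded `Microsoft.AspNetCore.DataProtection/<version>` entry (direct or transitive), and flags versions 10.0.0 through 10.0.6. A second function reads `dotnet --list-runtimes` style output and flags `Microsoft.AspNetCore.App` 10.0.0 through 10.0.6; treating the shared-framework copy as in scope is a conservative assumption of this example, not a statement from Microsoft. The sample deployment tree it builds is constructed for illustration.

```shell
#!/bin/sh
# Added triage helper (not Microsoft's code). Finds apps whose published output
# records Microsoft.AspNetCore.DataProtection 10.0.0 through 10.0.6 in *.deps.json,
# which catches the package whether it was referenced directly or pulled in
# transitively (Redis, Azure Key Vault, EF Core integrations, ...).
PKG="Microsoft.AspNetCore.DataProtection"

# True (exit 0) when VERSION falls in the vulnerable range 10.0.0 <= v <= 10.0.6.
# Prerelease/build suffixes ("10.0.6-preview.1") are ignored for the comparison.
dp_version_vulnerable() {
    v=$1
    major=${v%%.*}; rest=${v#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    patch=${patch%%[-+]*}
    [ "$major.$minor" = "10.0" ] || return 1
    [ "$patch" -ge 0 ] 2>/dev/null && [ "$patch" -le 6 ]
}

# Print the DataProtection package versions recorded in one deps.json, taken
# from the "Name/Version" keys of the targets and libraries sections (deduplicated).
deps_dp_versions() {
    grep -o "\"$PKG/[0-9][^\"]*\"" "$1" 2>/dev/null \
        | sed "s#\"$PKG/##; s#\"\$##" | sort -u
}

# Walk a publish/deploy tree; print "<deps.json> <version> VULNERABLE|ok" per hit.
# Exit 0 if at least one vulnerable version was found, 1 otherwise.
# (Assumes paths without whitespace, which is typical for published output.)
scan_tree() {
    found=1
    for f in $(find "$1" -name '*.deps.json' 2>/dev/null | sort); do
        for ver in $(deps_dp_versions "$f"); do
            if dp_version_vulnerable "$ver"; then
                printf '%s %s VULNERABLE\n' "$f" "$ver"; found=0
            else
                printf '%s %s ok\n' "$f" "$ver"
            fi
        done
    done
    return $found
}

# Read "dotnet --list-runtimes" output on stdin and flag Microsoft.AspNetCore.App
# installs in the range. Treating the shared-framework copy as in scope is a
# conservative assumption of this example, not a statement from the advisory.
check_runtime_listing() {
    hit=1
    while read -r name ver _; do
        [ "$name" = "Microsoft.AspNetCore.App" ] || continue
        if dp_version_vulnerable "$ver"; then
            printf 'runtime %s %s VULNERABLE\n' "$name" "$ver"; hit=0
        fi
    done
    return $hit
}

# Constructed sample tree (not real deployments): an API on .NET 10 that gets
# DataProtection 10.0.6 transitively via the Redis integration, a worker already
# on 10.0.7, and a legacy .NET 8 app carrying the netstandard2.0 asset of 10.0.3.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/api" "$d/worker" "$d/legacy"
    cat > "$d/api/Api.deps.json" <<'EOF'
{ "targets": { ".NETCoreApp,Version=v10.0": {
    "Api/1.0.0": { "dependencies": { "Microsoft.AspNetCore.DataProtection.StackExchangeRedis": "10.0.6" } },
    "Microsoft.AspNetCore.DataProtection.StackExchangeRedis/10.0.6": {
      "dependencies": { "Microsoft.AspNetCore.DataProtection": "10.0.6" } },
    "Microsoft.AspNetCore.DataProtection/10.0.6": {
      "runtime": { "lib/net10.0/Microsoft.AspNetCore.DataProtection.dll": {} } } } },
  "libraries": { "Microsoft.AspNetCore.DataProtection/10.0.6": { "type": "package" } } }
EOF
    cat > "$d/worker/Worker.deps.json" <<'EOF'
{ "libraries": { "Microsoft.AspNetCore.DataProtection/10.0.7": { "type": "package" } } }
EOF
    cat > "$d/legacy/Legacy.deps.json" <<'EOF'
{ "targets": { ".NETCoreApp,Version=v8.0": {
    "Microsoft.AspNetCore.DataProtection/10.0.3": {
      "runtime": { "lib/netstandard2.0/Microsoft.AspNetCore.DataProtection.dll": {} } } } },
  "libraries": { "Microsoft.AspNetCore.DataProtection/10.0.3": { "type": "package" } } }
EOF
    printf '%s\n' "$d"
}

# Usage: sh dp_triage.sh /srv/publish   (scans the constructed sample when no path is given)
scan_tree "${1:-$(make_sample_tree)}" || echo "no vulnerable Data Protection package found"
```

Run it against the directory you actually deploy from (the `publish` output or the container's app directory), not the source tree, since the point is to see which package version the app will load. A clean scan of the deployment tree still leaves the runtime check (`dotnet --list-runtimes | check_runtime_listing` on the host or in the image) and, for anything that was exposed, the key ring rotation described above.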
