{"id":7898,"date":"2026-04-22T18:37:28","date_gmt":"2026-04-22T18:37:28","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7898"},"modified":"2026-04-22T18:37:28","modified_gmt":"2026-04-22T18:37:28","slug":"microsoft-issues-out-of-band-patch-for-critical-security-flaw-in-update-to-asp-net-core","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7898","title":{"rendered":"Microsoft issues out-of-band patch for critical security flaw in update to ASP.NET Core"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Developers are advised to check their applications after Microsoft revealed that last week\u2019s ASP.NET Core update inadvertently introduced a serious security flaw into the web framework\u2019s Data Protection Library.<\/p>\n<p>Microsoft describes the issue as a \u201cregression,\u201d coding jargon for an update that breaks something that was previously working correctly.<\/p>\n<p>In this case, what was introduced was a CVSS 9.1-rated critical vulnerability, identified as <a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-40372\" target=\"_blank\" rel=\"noopener\">CVE-2026-40372<\/a>, that affects ASP.NET\u2019s Core Data Protection application library distributed via the NuGet package manager. 
It impacts Linux, macOS and other non-Windows OSes, as well as Windows systems where the developer explicitly opted into managed algorithms via the <em>UseCustomCryptographicAlgorithms<\/em> API.<\/p>\n<p>A bug in the .NET 10.0.6 package, released as part of the Patch Tuesday updates on April 14, causes the <em>ManagedAuthenticatedEncryptor <\/em>library to compute the validation tag for the Hash-based Message Authentication Code (HMAC) using an incorrect offset.<\/p>\n<p>Incorrect calculation of security hashes results in the <em>.AspNetCore<\/em> application cookies and tokens being validated and trusted when they shouldn\u2019t be.<\/p>\n<p>\u201cIn these cases, the broken validation could allow an attacker to forge payloads that pass DataProtection\u2019s authenticity checks, and to decrypt previously-protected payloads in auth cookies, anti-forgery tokens, TempData, OIDC state, etc,\u201d said <a href=\"https:\/\/github.com\/dotnet\/core\/blob\/main\/release-notes\/10.0\/10.0.7\/10.0.7.md#notable-changes\" target=\"_blank\" rel=\"noopener\">Microsoft\u2019s GitHub advisory<\/a>.<\/p>\n<p>When embedded in applications, these long-lived tokens confer the sort of power attackers quickly jump on. \u201cIf an attacker used forged payloads to authenticate as a privileged user during the vulnerable window, they may have induced the application to issue legitimately-signed tokens (session refresh, API key, password reset link, etc.) to themselves,\u201d the advisory noted.<\/p>\n<p>This vulnerability arrives only six months after ASP.NET suffered one of its worst ever flaws, October\u2019s <a href=\"https:\/\/www.csoonline.com\/article\/4074590\/critical-asp-net-core-vulnerability-earns-microsofts-highest-ever-severity-score.html\" target=\"_blank\" rel=\"noopener\">CVSS 9.9-rated CVE-2025-55315<\/a> in the Kestrel web server component. 
But somewhat alarmingly, the current advisory goes on to compare the issue to <a href=\"https:\/\/learn.microsoft.com\/en-us\/security-updates\/securitybulletins\/2010\/ms10-070\" target=\"_blank\" rel=\"noopener\">MS10-070<\/a>, an emergency patch for CVE-2010-3332, an infamous zero-day vulnerability in the way Windows ASP.NET handled cryptographic errors that caused a degree of panic in 2010.<\/p>\n<h2 class=\"wp-block-heading\">Not a simple update<\/h2>\n<p>Normally, when flaws are uncovered, the drill involves merely applying an update, workaround, or mitigation. In this case, the update itself should have already happened automatically for server builds, taking runtimes to the patched version 10.0.7.<\/p>\n<p>However, for developers using the popular Docker container platform, things are more complicated. For those projects, the Data Protection Library is also embedded in built applications. Addressing this requires updating and rebuilding any ASP.NET Core applications created after the April 14 update.<\/p>\n<p>In addition, those using 10.0.x on the <em>netstandard2.0 <\/em>or <em>net462<\/em> target framework asset from the flawed NuGet package, for compatibility with older operating systems including Windows, are also affected.<\/p>\n<h2 class=\"wp-block-heading\">Detecting affected binaries<\/h2>\n<p>How will developers know if a vulnerable binary has been loaded? Microsoft\u2019s <a href=\"https:\/\/msrc.microsoft.com\/update-guide\/vulnerability\/CVE-2026-40372\" target=\"_blank\" rel=\"noopener\">security advisory<\/a> offers the following advice:<\/p>\n<p>\u201cCheck application logs. The clearest symptom is users being logged out and repeated <em>The payload was invalid <\/em>errors in your logs after upgrading to 10.0.6. Check your project file. Look for a PackageReference to <em>Microsoft.AspNetCore.DataProtection<\/em> version 10.0.6 in your .csproj file (or in a package that depends on it). 
You can also run dotnet list package to see resolved package versions.\u201d<\/p>\n<p>In summary, developers should rebuild affected applications to apply the fixed version, expire all affected authentication cookies and tokens to remove forgeries, and rotate to apply new ASP.NET Core Data Protection tokens.<\/p>\n<p>While there is no evidence that the issue has been exploited by attackers, good security hygiene mandates also checking for unexpected or unusual login failures, errors, or authentication failures, Microsoft advised.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Developers are advised to check their applications after Microsoft revealed that last week\u2019s ASP.NET Core update inadvertently introduced a serious security flaw into the web framework\u2019s Data Protection Library. Microsoft describes the issue as a \u201cregression,\u201d coding jargon for an update that breaks something that was previously working correctly. In this case, what was introduced 
[&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":7899,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7898","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7898"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7898"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7898\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7899"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7898"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7898"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7898"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}