Overview
- Microsoft issued an emergency .NET 10.0.7 update that patches CVE-2026-40372 in ASP.NET Core DataProtection, which carries a 9.1 CVSS score.
- A regression in versions 10.0.0 through 10.0.6 broke HMAC verification, so forged payloads were decrypted and accepted as valid data in cookies, antiforgery tokens, TempData, and OIDC state.
- Exploitation could grant SYSTEM-level access and allow file disclosure or data changes, though Microsoft says service availability is not affected.
- Microsoft notes that attacks require apps to load the vulnerable NuGet package at runtime on Linux or macOS, sometimes through dependencies like StackExchange.Redis.
- Customers should update to 10.0.7, redeploy, and rotate the DataProtection key ring because tokens created during the vulnerable window may still validate until keys change.
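As an added example (not from the advisory or from Microsoft), a small inventory check that scans an application's `.deps.json` for DataProtection packages in the affected 10.0.0 through 10.0.6 range, since the advisory notes the package can arrive transitively. It assumes the package family ships under the `Microsoft.AspNetCore.DataProtection` prefix and uses a constructed sample manifest.

```python
import json
from typing import List, Tuple

# Affected range from the advisory summary: 10.0.0 through 10.0.6; fixed in 10.0.7.
VULN_MIN = (10, 0, 0)
VULN_MAX = (10, 0, 6)
# Assumption: the DataProtection NuGet package family uses this name prefix.
PACKAGE_PREFIX = "Microsoft.AspNetCore.DataProtection"


def parse_version(ver: str) -> Tuple[int, ...]:
    """Turn '10.0.3' or '10.0.3-preview.1' into a comparable tuple (release part only)."""
    release = ver.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(p) for p in release.split("."))


def vulnerable_packages(deps_json: str) -> List[Tuple[str, str]]:
    """Return (package, version) pairs from a .deps.json 'libraries' map that fall
    in the affected range. .deps.json keys each library as 'Name/Version'."""
    doc = json.loads(deps_json)
    hits = []
    for key, meta in doc.get("libraries", {}).items():
        if meta.get("type") != "package":  # skip the app project itself
            continue
        name, _, ver = key.partition("/")
        if not name.startswith(PACKAGE_PREFIX):
            continue
        try:
            v = parse_version(ver)
        except ValueError:
            continue  # unparseable version string; not in the numeric range
        if VULN_MIN <= v[:3] <= VULN_MAX:
            hits.append((name, ver))
    return sorted(hits)


# Constructed sample: a trimmed deps.json for an app that pulls DataProtection in
# transitively, alongside a package already at the fixed version.
SAMPLE_DEPS_JSON = json.dumps({
    "libraries": {
        "MyApp/1.0.0": {"type": "project"},
        "Microsoft.AspNetCore.DataProtection/10.0.3": {"type": "package"},
        "Microsoft.AspNetCore.DataProtection.Abstractions/10.0.3": {"type": "package"},
        "Microsoft.Extensions.Logging/10.0.7": {"type": "package"},
    }
})

if __name__ == "__main__":
    for name, ver in vulnerable_packages(SAMPLE_DEPS_JSON):
        print(f"affected: {name} {ver} -> update to 10.0.7, redeploy, rotate key ring")
```

Run it against each deployed app's `<App>.deps.json`; an empty result means no package in the affected range is referenced, but key rotation is still warranted if the app ran an affected build.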