.NET 10.0.7 Ships Out-of-Band to Fix CVE-2026-40372 in ASP.NET Core Data Protection
An HMAC validation flaw in Microsoft.AspNetCore.DataProtection 10.0.0 through 10.0.6 lets attackers forge ciphertexts that pass the integrity check. .NET 10.0.7 is the mandatory fix.
Microsoft shipped .NET 10.0.7 out-of-band today to patch CVE-2026-40372, an elevation-of-privilege bug in Microsoft.AspNetCore.DataProtection that affects every 10.0.x release from 10.0.0 through 10.0.6. If you run ASP.NET Core on the 10.0 LTS line, this is not a "wait for Patch Tuesday" update. Antiforgery tokens, auth cookies, TempData, and anything else routed through IDataProtector live on top of this component, so the blast radius covers most ASP.NET Core apps in production.
How the HMAC got computed over the wrong bytes
ASP.NET Core Data Protection uses authenticated encryption: every ciphertext carries an HMAC validation tag that the framework checks on each Unprotect call. The managed implementation in ManagedAuthenticatedEncryptor was computing that tag over the wrong slice of the payload and then discarding the computed hash, so the validation step never actually validated the bytes an attacker controls. That breaks the integrity promise of the construction: a tampered or forged token can be accepted as genuine.
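To make the failure mode concrete, here is an added illustration (not code from the page, from ASP.NET Core, or from the advisory) of an encrypt-then-MAC payload with a correct validator beside one that models the bug class described above: the MAC is computed over the wrong slice and the result is thrown away. The payload layout, the MAGIC marker and the keystream cipher are constructed for the example; the cipher is a toy HMAC-SHA256 counter stream standing in for AES so the script runs on the Python standard library alone. The point it demonstrates is why a no-op MAC check is an elevation-of-privilege bug: with no integrity check, an attacker who knows the plaintext layout can rewrite a field in the ciphertext without any key.

```python
import hashlib
import hmac
import os
import struct

# Constructed layout for this illustration (not the real Data Protection wire format):
# MAGIC(4) || IV(16) || ciphertext || HMAC-SHA256 tag(32); the MAC covers everything before the tag.
MAGIC = b"\x09\xf0\xc9\xf0"
IV_LEN = 16
TAG_LEN = 32
HDR_LEN = len(MAGIC) + IV_LEN


def _keystream(enc_key: bytes, iv: bytes, n: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256. It stands in for AES so the
    example needs no third-party library; it is not a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hmac.new(enc_key, iv + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:n])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    iv = os.urandom(IV_LEN)
    ciphertext = _xor(plaintext, _keystream(enc_key, iv, len(plaintext)))
    body = MAGIC + iv + ciphertext
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()  # MAC over header, IV and ciphertext
    return body + tag


def _split(payload: bytes):
    if len(payload) < HDR_LEN + TAG_LEN or payload[: len(MAGIC)] != MAGIC:
        raise ValueError("The payload was invalid.")
    return payload[:-TAG_LEN], payload[-TAG_LEN:]


def unprotect_correct(enc_key: bytes, mac_key: bytes, payload: bytes) -> bytes:
    body, tag = _split(payload)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time compare over the full body
        raise ValueError("The payload was invalid.")
    iv, ciphertext = body[len(MAGIC):HDR_LEN], body[HDR_LEN:]
    return _xor(ciphertext, _keystream(enc_key, iv, len(ciphertext)))


def unprotect_broken(enc_key: bytes, mac_key: bytes, payload: bytes) -> bytes:
    """Models the bug class the article describes: the MAC is computed over the
    wrong slice (header and IV only, ciphertext excluded) and the result is then
    discarded, so nothing the attacker controls is ever checked."""
    body, tag = _split(payload)
    _unused = hmac.new(mac_key, body[:HDR_LEN], hashlib.sha256).digest()  # never compared to tag
    iv, ciphertext = body[len(MAGIC):HDR_LEN], body[HDR_LEN:]
    return _xor(ciphertext, _keystream(enc_key, iv, len(ciphertext)))


def flip_plaintext(payload: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker-side edit: with a keystream cipher, XORing ciphertext bytes with
    old ^ new rewrites the plaintext at that offset without knowing any key."""
    edited = bytearray(payload)
    for i, (o, n) in enumerate(zip(old, new)):
        edited[HDR_LEN + offset + i] ^= o ^ n
    return bytes(edited)


def demo() -> dict:
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    original = b"uid=42;role=user;"
    token = protect(enc_key, mac_key, original)
    # Attacker knows the field layout and rewrites "user;" to "admin" in the ciphertext.
    forged = flip_plaintext(token, len(b"uid=42;role="), b"user;", b"admin")
    try:
        unprotect_correct(enc_key, mac_key, forged)
        correct_rejects = False
    except ValueError:
        correct_rejects = True
    return {
        "round_trip": unprotect_correct(enc_key, mac_key, token),
        "correct_rejects_forgery": correct_rejects,
        "broken_accepts_forgery": unprotect_broken(enc_key, mac_key, forged),
    }


if __name__ == "__main__":
    print(demo())
```

The correct validator rejects the edited token before touching the ciphertext; the broken one hands back a plaintext reading uid=42;role=admin as though it had been protected by the server. Any consumer that trusts the output of Unprotect, which is the whole point of the API, is then handing out the forged claim.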
The regression was introduced alongside a separate breaking change in the 10.0.6 servicing release. Users hit CryptographicException: The payload was invalid. when trying to decrypt data that had been protected on 10.0.5 or earlier, with the error surfacing inside ManagedAuthenticatedEncryptor.CalculateAndValidateMac. While the team was chasing the decryption regression tracked in aspnetcore#66335, they found the deeper HMAC bug, hence the out-of-band release instead of rolling it into May servicing.
The two-layer blast radius
Data Protection is wired into almost every framework service that needs to round-trip opaque state to the client:
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.DataProtection;

// Antiforgery, auth cookies, TempData, BearerToken, OpenIdConnect state,
// and your own IDataProtector consumers all flow through the same pipeline.
var builder = WebApplication.CreateBuilder(args);
// cert: an X509Certificate2 loaded by your deployment, used to encrypt keys at rest.
builder.Services.AddDataProtection()
    .PersistKeysToFileSystem(new DirectoryInfo(@"/var/keys"))
    .ProtectKeysWithCertificate(cert);

public class TokenService(IDataProtectionProvider provider)
{
    // The purpose string isolates this protector from every other consumer of the key ring.
    private readonly IDataProtector _protector =
        provider.CreateProtector("TokenService.v1");

    public string Protect(string userId) => _protector.Protect(userId);

    // Unprotect relies entirely on the MAC check to reject tampered tokens.
    public string Unprotect(string token) => _protector.Unprotect(token); // trusts the MAC
}
On 10.0.0 through 10.0.6, Unprotect is the weak link. A crafted payload could pass the validation check because the encryptor was not hashing the bytes it claimed to be hashing. Combined with the 10.0.6 decryption regression, operators were left with a choice between a broken app and a vulnerable one. 10.0.7 removes that choice.
What to do before you close the tab
Update the runtime and the package together. The runtime ships the in-box encryptor, and the NuGet package ships the contract for apps that reference it directly.
# 1. Install the 10.0.7 SDK or runtime from the download page,
# then verify:
dotnet --info
# 2. Bump the package if your project pins it explicitly:
dotnet add package Microsoft.AspNetCore.DataProtection --version 10.0.7
# 3. Rebuild and redeploy. Existing key rings stay valid; this fix
# does not force a key rotation.
A few operational notes. If you deployed 10.0.6 and users started hitting "CryptographicException: The payload was invalid.", 10.0.7 restores compatibility with ciphertexts written by 10.0.5 and earlier, so the decryption regression is unblocked at the same time. Framework-dependent apps pick up the fix when the host runtime is updated, but self-contained or AOT-published apps carry their own copy of the runtime and need a rebuild against 10.0.7. If you are on 9.0.x or 8.0.x, you are not affected by this CVE, but the April 2026 servicing cycle still applies.
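For fleet triage, here is an added helper script (not from the page, Microsoft, or the .NET SDK) that applies the two checks the steps above imply: whether an affected Microsoft.AspNetCore.App shared framework is installed on a host, read from dotnet --list-runtimes output, and whether an app's *.deps.json records an explicit Microsoft.AspNetCore.DataProtection package reference in the affected range, which matters for self-contained or AOT-published apps that do not follow the host runtime. The affected range 10.0.0 through 10.0.6 is taken from the advisory; the sample dotnet output and the deps.json fragment are constructed for the example, and the deps.json shape assumed is the standard "libraries" map keyed by "Name/Version".

```python
import json
import re

# Affected range per the advisory: Microsoft.AspNetCore.DataProtection 10.0.0 through 10.0.6.
AFFECTED = {(10, 0, patch) for patch in range(0, 7)}
FIXED = "10.0.7"

# Matches lines printed by `dotnet --list-runtimes`, e.g.
# "Microsoft.AspNetCore.App 10.0.6 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]"
RUNTIME_LINE = re.compile(r"^(?P<name>\S+)\s+(?P<ver>\d+\.\d+\.\d+)(?P<pre>-\S+)?\s+\[")


def parse_version(text: str) -> tuple:
    return tuple(int(part) for part in text.split("."))


def affected_shared_runtimes(list_runtimes_output: str) -> list:
    """Affected Microsoft.AspNetCore.App versions found in `dotnet --list-runtimes` output.
    The in-box encryptor ships in the ASP.NET Core shared framework, so Microsoft.NETCore.App
    lines are ignored; pre-release builds fall outside the stated range and are skipped."""
    hits = []
    for line in list_runtimes_output.splitlines():
        m = RUNTIME_LINE.match(line.strip())
        if m is None or m["name"] != "Microsoft.AspNetCore.App" or m["pre"]:
            continue
        if parse_version(m["ver"]) in AFFECTED:
            hits.append(m["ver"])
    return hits


def affected_package_refs(deps_json_text: str) -> list:
    """Affected versions of the NuGet package recorded in an app's *.deps.json.
    Relevant when the project pins the package explicitly or is published self-contained:
    that copy is baked into the app and ignores a host runtime update."""
    deps = json.loads(deps_json_text)
    hits = []
    for key in deps.get("libraries", {}):
        name, _, ver = key.partition("/")
        if name != "Microsoft.AspNetCore.DataProtection" or "-" in ver:
            continue
        if parse_version(ver) in AFFECTED:
            hits.append(ver)
    return hits


# Constructed sample inputs (not captured from a real host or build).
SAMPLE_LIST_RUNTIMES = """\
Microsoft.AspNetCore.App 8.0.11 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 10.0.6 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 10.0.7 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 10.0.6 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""

SAMPLE_DEPS_JSON = json.dumps({
    "runtimeTarget": {"name": ".NETCoreApp,Version=v10.0"},
    "libraries": {
        "MyApp/1.0.0": {"type": "project"},
        "Microsoft.AspNetCore.DataProtection/10.0.5": {"type": "package", "serviceable": True},
    },
})


def triage(list_runtimes_output: str = SAMPLE_LIST_RUNTIMES,
           deps_json_text: str = SAMPLE_DEPS_JSON) -> dict:
    return {
        "shared_runtimes_affected": affected_shared_runtimes(list_runtimes_output),
        "package_refs_affected": affected_package_refs(deps_json_text),
        "fix": FIXED,
    }


if __name__ == "__main__":
    import subprocess
    try:
        out = subprocess.run(["dotnet", "--list-runtimes"],
                             capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        out = SAMPLE_LIST_RUNTIMES  # no dotnet on this machine; fall back to the constructed sample
    print(triage(list_runtimes_output=out))
```

An affected shared framework listed next to 10.0.7 is only reached by apps that pin a patch version (for example rollForward set to Disable in runtimeconfig.json); by default a framework-dependent app rolls forward to the highest installed patch. Removing the stale 10.0.6 install is still the cleaner end state, and the deps.json check is the one that catches self-contained publishes that the runtime update never touches.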
Out-of-band .NET releases are rare. This one is narrower in scope than CVE-2025-55315, the request-smuggling bug from last autumn, because exploitation needs code that calls Unprotect on attacker-influenced input. That still describes essentially every authenticated ASP.NET Core app. Patch today.