MicrosoftAspNetCoreDataProtection, Elevation of Privilege, CVE-2026-40372 (Critical)

Listen to this Post

How CVE-2026-40372 works:

The vulnerability resides in the authenticated encryption routine of `Microsoft.AspNetCore.DataProtection` NuGet packages versions 10.0.0 through 10.0.6. The bug is an improper cryptographic signature verification (CWE-347). Specifically, the HMAC tag validation logic contains a flaw where a ciphertext bearing an all-zero HMAC tag is incorrectly accepted as valid. Under normal operation, the decryption routine would reject any tampered payload; however, the broken validation allows an attacker to submit specially crafted ciphertexts. By observing the application’s behavior (e.g., timing differences or error messages), the attacker can perform a padding-oracle attack – similar to MS10-070. This enables two critical primitives: first, decryption of arbitrary protected payloads (such as authentication cookies, anti-forgery tokens, or state parameters); second, forging new valid ciphertexts, including authentication cookies that impersonate any user. Because the affected code runs on Linux, macOS, and non-Windows systems (or any platform when using net462/netstandard2.0 assets), the attacker can remotely send malicious requests without authentication. Successful exploitation yields valid signed tokens for a privileged account, leading to elevation of privilege. The attacker can then induce the application to issue legitimate session refresh tokens, API keys, password reset links, or other long-lived artifacts. After upgrading to 10.0.7, forged all-zero HMAC payloads are rejected, but any tokens issued during the vulnerable window remain valid unless the DataProtection key ring is rotated.

dailycve form:

Platform: ASP.NET Core
Version: 10.0.0-10.0.6
Vulnerability: Signature verification bypass
Severity: Critical (9.1)
date: 2026-04-21

Prediction: Patch date 2026-04-21

What Undercode Say:

Analytics

Check installed Microsoft.AspNetCore.DataProtection version
dotnet list package --include-transitive | grep Microsoft.AspNetCore.DataProtection
Detect vulnerable runtime load (Linux/macOS)
grep -r "Microsoft.AspNetCore.DataProtection, Version=10.0." /app/bin/
Simulate affected condition: no Microsoft.AspNetCore.App reference
dotnet new console && dotnet add package Microsoft.AspNetCore.DataProtection -v 10.0.6
Rotate DataProtection keys (C code snippet)
dotnet run --project KeyRotation.cs

How Exploit:

  1. Capture a protected payload (e.g., authentication cookie) from the target.
  2. Modify the ciphertext and set its HMAC tag to all zeros.
  3. Send the manipulated payload to any endpoint that decrypts it (login, antiforgery, state parameter).
  4. Observe padding oracle side-channels (timing/error differences) to recover plaintext.
  5. Forge a valid ciphertext for a privileged user with all-zero HMAC.
  6. Use the forged cookie to authenticate as admin and request refresh tokens.

Protection from this CVE

  • Upgrade `Microsoft.AspNetCore.DataProtection` to 10.0.7 or later.
  • Rotate the DataProtection key ring using `RevokeAllKeys` or RevokeKey.
  • If on Windows or using shared framework ≥10.0.6, you are not affected.
  • Audit and rotate long-lived artifacts issued during the vulnerable window (API keys, refresh tokens, password reset links).
  • Review web logs for high-volume anomalous requests to protected endpoints.

Impact:

Elevation of Privilege (9.1 Critical). Attacker gains ability to decrypt any protected payload, forge authentication cookies, impersonate any user, and induce the application to issue legitimately-signed tokens (session, API keys, password resets). Confidentiality and integrity are fully compromised; availability is not affected. Persistent tokens survive patching unless key ring is rotated.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top