Microsoft Issues Emergency Fixes for Critical ASP.NET Core Vulnerability

Overview

Microsoft has released out‑of‑band (OOB) security updates to patch a critical flaw in ASP.NET Core Data Protection APIs. The vulnerability, tracked as CVE‑2026‑40372, could allow unauthenticated attackers to escalate privileges to SYSTEM by forging authentication cookies.

Key Highlights

  • Vulnerability: Regression in Microsoft.AspNetCore.DataProtection (versions 10.0.0–10.0.6).
  • Impact:
    • Broken HMAC validation allows forged payloads to pass authenticity checks.
    • Attackers can decrypt previously protected payloads (auth cookies, antiforgery tokens, TempData, OIDC state).
    • Forged payloads could grant privileged access and issue legitimate tokens (API keys, password reset links).
  • Persistence Risk: Tokens issued during the vulnerable window remain valid even after upgrading unless the DataProtection key ring is rotated.
  • Discovery: Microsoft identified the flaw after user reports of decryption failures following the April Patch Tuesday update.

Technical Breakdown

  • Root Cause: The HMAC validation tag was computed over the wrong payload bytes and, in some cases, discarded entirely, so authenticity checks did not cover the data they were meant to protect.
  • Affected Components: Authentication cookies, antiforgery tokens, TempData, OIDC state.
  • Exploitation Path: Forged payloads → privileged authentication → issuance of legitimate tokens.
  • Severity: Privilege escalation to SYSTEM; attacker can disclose files and modify data but cannot impact availability.

Risks to Enterprises

  • Privilege Escalation: Attackers can impersonate privileged users.
  • Token Persistence: Forged tokens remain valid post‑patch unless key rotation occurs.
  • Data Exposure: Potential disclosure of sensitive files and modification of application data.
  • Operational Disruption: Applications relying on Data Protection APIs may fail authentication checks.

Guidance for IT Administrators

  • Update Immediately: Upgrade to Microsoft.AspNetCore.DataProtection version 10.0.7.
  • Redeploy Applications: Ensure validation routines reject forged payloads.
  • Rotate Key Rings: Invalidate previously issued forged tokens.
  • Audit Applications: Review authentication flows for anomalies.
  • Monitor Security Advisories: Track Microsoft’s ongoing updates for ASP.NET Core.
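The key‑ring rotation step above is the one most often skipped, so here is a worked example written for this article (it is not Microsoft's remediation code). It assumes the Microsoft.AspNetCore.DataProtection package at 10.0.7 or later, a placeholder application name and key directory, and a constructed purpose string; it shows that a token protected before rotation is rejected afterwards while freshly issued tokens still round‑trip.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

// Key ring persisted to a directory; in production this is the app's real key store
// (file share, blob storage, Redis, ...). The path and app name are placeholders.
var keyDir = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "dp-keyring-demo"));
var services = new ServiceCollection();
services.AddDataProtection()
    .SetApplicationName("example-app")   // assumed name; must match the real deployment
    .PersistKeysToFileSystem(keyDir);
using var sp = services.BuildServiceProvider();

var keyManager = sp.GetRequiredService<IKeyManager>();
var protector = sp.GetRequiredService<IDataProtectionProvider>()
    .CreateProtector("demo-auth-cookie");   // constructed purpose string for the demo

// 1. A token protected while the vulnerable package was in use. Upgrading to 10.0.7
//    alone does not invalidate it: it still unprotects until the key ring is rotated.
string preRotationCookie = protector.Protect("user=alice;role=admin");

// 2. Rotate: revoke every key created before now and activate a fresh default key.
var now = DateTimeOffset.UtcNow;
keyManager.RevokeAllKeys(now, reason: "CVE-2026-40372 remediation: key ring rotation");
IKey fresh = keyManager.CreateNewKey(activationDate: now, expirationDate: now.AddDays(90));
Console.WriteLine($"Revoked all keys created before {now:u}; new default key {fresh.KeyId}");

// 3. Anything issued under a revoked key, legitimate or forged, now fails Unprotect.
//    That failure is what forces re-authentication and kills lingering forged tokens.
try
{
    protector.Unprotect(preRotationCookie);
    Console.WriteLine("UNEXPECTED: pre-rotation token still accepted");
}
catch (CryptographicException ex)
{
    Console.WriteLine($"Pre-rotation token rejected: {ex.Message}");
}

// 4. Tokens issued after rotation round-trip normally under the new key.
string postRotationCookie = protector.Protect("user=alice;role=admin");
Console.WriteLine(protector.Unprotect(postRotationCookie));
```

Every application instance sharing the key ring must be restarted or must pick up the revocation before the rotation is complete, and all users will be signed out, so schedule it accordingly.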

Final Thought

CVE‑2026‑40372 underscores the critical role of cryptographic integrity in web frameworks. A single regression in Data Protection APIs exposed enterprises to SYSTEM‑level privilege escalation. For defenders, the lesson is clear: patch quickly, rotate keys, and audit authentication flows to prevent attackers from exploiting lingering forged tokens.
