Microsoft patches critical ASP.NET Core data-protection flaw to curb cookie forgery

Microsoft released out-of-band security updates for a critical ASP.NET Core Data Protection vulnerability (CVE-2026-40372) that could let unauthenticated attackers forge authentication cookies and gain SYSTEM privileges. The flaw comes from a regression in the 10.0.0–10.0.6 NuGet packages, which could cause forged payloads to bypass authenticity checks; upgrading to 10.0.7 and redeploying with a rotated DataProtection key ring fixes the issue. The release follows April’s Patch Tuesday and includes additional out-of-band Windows Server fixes. No service disruption is reported, but applications using DataProtection should update promptly to prevent token forgery and data exposure.
- Microsoft releases emergency patches for critical ASP.NET flaw (BleepingComputer)
- Microsoft issues emergency update for macOS and Linux ASP.NET threat (Ars Technica)
- Microsoft Patches Critical ASP.NET Core CVE-2026-40372 Privilege Escalation Bug (The Hacker News)
- Microsoft issues out-of-band patch for critical security flaw in update to ASP.NET Core (csoonline.com)
- Microsoft releases emergency out-of-band .NET update to patch severe bug (Neowin)