The Critical 9.1 Flaw in ASP.NET Core that Turns Cookies into Master Keys

An unforeseen regression within a software update has inadvertently caused a security mechanism to serve as a gateway for adversaries. In a decisive response, Microsoft has disseminated emergency remediations to rectify a formidable vulnerability within the ASP.NET Core framework.

The flaw, designated as CVE-2026-40372 and carrying a critical CVSS score of 9.1, resided within the Data Protection cryptographic interfaces. This vulnerability empowered unauthenticated attackers to elevate their privileges to SYSTEM level by merely forging authentication cookies and circumventing identity verification protocols.

The malfunction surfaced amidst a wave of user grievances; following the deployment of the .NET 10.0.6 update, applications began to falter during data decryption. Forensic analysis traced the root cause to a regression in Microsoft.AspNetCore.DataProtection (versions 10.0.0 through 10.0.6). The integrity verification mechanism was erroneously calculating signatures based on invalid telemetry or, in certain instances, disregarding the verification results entirely.

Consequently, the defensive perimeter mistakenly validated fraudulent data as legitimate. An assailant could not only exfiltrate previously shielded information—such as session cookies, anti-forgery tokens, or authorization parameters—but also fabricate entirely new entries. By successfully impersonating a privileged entity, the adversary could compel the system to generate authentic tokens, including access keys, password reset links, or session refreshers. Crucially, these tokens may remain functional even post-remediation unless the underlying encryption keys are rotated. While the vulnerability facilitates unauthorized data modification and file access, it does not compromise systemic availability.

Microsoft urgently advocates for the immediate elevation of the Microsoft.AspNetCore.DataProtection package to version 10.0.7 and the subsequent redeployment of affected applications. Upon updating, the system will autonomously reject any forged payloads. Furthermore, it is prudent to rotate master security keys to invalidate any clandestine tokens that may have been generated prior to the fix.