Microsoft released an out-of-band .NET 10.0.7 update on 21–22 April 2026 to address CVE-2026-40372, a CVSS 9.1 critical security regression in the Microsoft.AspNetCore.DataProtection NuGet package. The flaw was silently introduced in .NET 10.0.0 and remained undetected through .NET 10.0.6, meaning any ASP.NET Core application that upgraded to .NET 10 since its November 2025 general availability release may have been operating with compromised session security for up to five months.
What Happened
The Microsoft.AspNetCore.DataProtection library is the cryptographic backbone of ASP.NET Core's session management infrastructure. It generates, stores, and manages the encryption keys that protect cookie authentication tickets, anti-forgery tokens, and TempData payloads: the mechanisms by which web applications verify that a user is who they claim to be from one request to the next.
In .NET 10.0.0 through 10.0.6, a regression in the library's Linux key storage logic causes DataProtection to write encryption key material to world-readable file system paths, or to log it to standard output, depending on deployment configuration. On Linux hosts (including containerised deployments on Kubernetes, Azure Container Apps, and similar platforms), the storage provider does not enforce restricted file permissions when no explicit key repository is configured. Keys generated since the upgrade to .NET 10 may be accessible to any local process, or may already have been harvested from container stdout aggregated into centralised observability platforms.
Windows deployments are substantially less affected because DPAPI-backed key storage enforces machine-scope access controls regardless of file system permissions. The vulnerability is highest-impact on Linux and containerised environments with default key storage configuration.
Why It Matters
DataProtection keys are the root of trust for session security in ASP.NET Core. An attacker who obtains these keys can:
- Forge authentication cookies: crafting valid session tokens for any user, including administrators, without credentials
- Bypass anti-forgery validation: enabling CSRF attacks against protected state-changing operations
- Decrypt TempData payloads: reading any encrypted data passed between requests
Because the regression has been present since November 2025, applications running on .NET 10 for the full period should treat all DataProtection keys as potentially compromised. Any centralised log aggregation platform (Splunk, Elastic, Datadog, Azure Monitor) that ingested container stdout during the affected period may contain key material.
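The log-review step the advisory calls for can be automated. The following is an added example, not code from the advisory or from Microsoft: a small console program that scans exported log lines for the two DataProtection key XML patterns named later in this article (`<key id=` and `<encryptedKey>`). It reports where material appears but never echoes the matching line, so the scan output does not become a second copy of the leak. The sample log lines are constructed, and the GUID in them is a placeholder, not a real key id.

```csharp
// Added example, not code from the advisory: scan exported log lines for the
// DataProtection key XML patterns the advisory names (<key id= and <encryptedKey>).
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text.RegularExpressions;

public record KeyHit(string Source, int LineNumber, string Kind, string? KeyId);

public static class KeyLeakScanner
{
    // Key ring element; the id attribute is a GUID and is captured so a hit can
    // be correlated with the key ring on disk without reprinting any material.
    private static readonly Regex KeyStart =
        new(@"<key\s+id=""(?<id>[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})""",
            RegexOptions.Compiled);
    private static readonly Regex EncryptedKey = new(@"<encryptedKey\b", RegexOptions.Compiled);

    public static List<KeyHit> Scan(string source, IEnumerable<string> lines)
    {
        var hits = new List<KeyHit>();
        int lineNo = 0;
        foreach (var line in lines)
        {
            lineNo++;
            var m = KeyStart.Match(line);
            if (m.Success) hits.Add(new KeyHit(source, lineNo, "key", m.Groups["id"].Value));
            if (EncryptedKey.IsMatch(line)) hits.Add(new KeyHit(source, lineNo, "encryptedKey", null));
        }
        return hits;
    }

    // Constructed sample of what an aggregated container stdout export might hold.
    // The GUID is a placeholder, not a real key id, and no key material is included.
    private static readonly string[] SampleLines =
    {
        "2026-01-14T09:12:03Z info: Microsoft.Hosting.Lifetime[14] Now listening on: http://[::]:8080",
        "2026-01-14T09:12:04Z info: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[58] Creating key {00000000-0000-0000-0000-000000000001}",
        "<key id=\"00000000-0000-0000-0000-000000000001\" version=\"1\">",
        "  <encryptedKey xmlns=\"\">",
        "2026-01-14T09:12:05Z info: Microsoft.AspNetCore.Hosting.Diagnostics[1] Request starting HTTP/1.1 GET /health",
    };

    public static int Main(string[] args)
    {
        // With file arguments, scan those exports; without, run on the built-in sample.
        IEnumerable<(string Source, IEnumerable<string> Lines)> sources = args.Length > 0
            ? args.Select(path => (path, File.ReadLines(path)))
            : new[] { ("sample", (IEnumerable<string>)SampleLines) };

        int total = 0;
        foreach (var (source, lines) in sources)
        {
            foreach (var hit in Scan(source, lines))
            {
                total++;
                Console.WriteLine($"{hit.Source}:{hit.LineNumber}: {hit.Kind}" +
                                  (hit.KeyId is null ? "" : $" id={hit.KeyId}"));
            }
        }

        Console.WriteLine(total == 0
            ? "No DataProtection key XML found."
            : $"{total} hit(s); treat the referenced keys as exposed.");
        // Non-zero exit code so a CI or ops job can fail on any hit.
        return total == 0 ? 0 : 2;
    }
}
```

Run it against plain-text exports from the aggregation platform (`dotnet run -- export1.log export2.log`); on the built-in sample it reports the `key` hit with its id on line 3 and the `encryptedKey` hit on line 4 and exits with code 2. Any key id that appears in a hit should be cross-checked against the key ring and revoked, and the export itself should be handled as sensitive data.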
Affected Versions
| Component | Affected Versions | Fixed Version |
|---|---|---|
| Microsoft.AspNetCore.DataProtection | 10.0.0 – 10.0.6 | 10.0.7 |
| .NET SDK / Runtime | 10.0.0 – 10.0.6 | 10.0.7 |
| .NET 9 and earlier | Not affected | n/a |
Recommended Actions
- Patch immediately: Update all ASP.NET Core applications to .NET 10.0.7 via `dotnet update` or by pulling updated base images for containerised deployments.
- Rotate DataProtection keys: After patching, invalidate all existing keys and issue fresh ones. In Kubernetes, delete the DataProtection key ConfigMap or Secret and force a rolling restart.
- Audit key storage configuration: Confirm that `SetApplicationName()` and an explicit key repository (`PersistKeysToFileSystem`, `PersistKeysToAzureBlobStorage`, etc.) are configured. Default filesystem storage on Linux during the affected period should be treated as compromised.
- Review logs for key material: Search centralised logs for DataProtection key XML patterns (`<key id=` or `<encryptedKey>`) that may have been emitted to stdout between November 2025 and the patch date.
- Invalidate active sessions: Applications that cannot confirm key confidentiality since the .NET 10.0.0 upgrade should force re-authentication for all users as a precaution.
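The following `Program.cs` is an added example, not the advisory's or Microsoft's code, showing what the "audit key storage configuration" and "rotate DataProtection keys" actions above look like in an ASP.NET Core application on a Linux or container host: an explicit key directory created owner-only, `SetApplicationName()`, `PersistKeysToFileSystem`, key material encrypted at rest with a certificate, and an opt-in one-time rotation after the upgrade to 10.0.7 that revokes every key the affected builds issued. The key directory path `/var/lib/myapp/dp-keys`, the application name `myapp`, and the `DP_CERT_PFX`, `DP_CERT_PASSWORD` and `DP_ROTATE_KEYS` environment variables are deployment-specific assumptions that do not come from the advisory.

```csharp
// Added example, not the advisory's or Microsoft's code: explicit DataProtection
// configuration for a Linux/container host plus a one-time key rotation after
// patching. Paths, the application name and the environment variable names are
// deployment-specific assumptions.
using System;
using System.IO;
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Explicit key directory (assumed to be a persistent volume). On Linux it is
// created owner-only (0700) so other local processes cannot read the key ring.
var keyDir = new DirectoryInfo("/var/lib/myapp/dp-keys");
if (!keyDir.Exists)
{
    if (OperatingSystem.IsWindows())
        keyDir.Create();
    else
        Directory.CreateDirectory(keyDir.FullName,
            UnixFileMode.UserRead | UnixFileMode.UserWrite | UnixFileMode.UserExecute);
}

var dataProtection = builder.Services.AddDataProtection()
    .SetApplicationName("myapp")                  // stable name shared by every instance of this app
    .PersistKeysToFileSystem(keyDir)              // explicit repository, never the default location
    .SetDefaultKeyLifetime(TimeSpan.FromDays(90));

// Encrypt key material at rest so a readable key ring file alone does not yield
// usable keys. The certificate is loaded from a PFX mounted into the container.
var pfxPath = Environment.GetEnvironmentVariable("DP_CERT_PFX");
if (!string.IsNullOrEmpty(pfxPath))
{
    var cert = X509CertificateLoader.LoadPkcs12FromFile(
        pfxPath, Environment.GetEnvironmentVariable("DP_CERT_PASSWORD"));
    dataProtection.ProtectKeysWithCertificate(cert);
}

var app = builder.Build();

// One-time rotation after patching: revoke every key created by the affected
// builds and issue a fresh one. Revocation invalidates existing authentication
// cookies and anti-forgery tokens, so all users are forced to sign in again.
if (Environment.GetEnvironmentVariable("DP_ROTATE_KEYS") == "1")
{
    var keyManager = app.Services.GetRequiredService<IKeyManager>();
    var now = DateTimeOffset.UtcNow;
    keyManager.RevokeAllKeys(now, reason: "CVE-2026-40372 remediation");
    keyManager.CreateNewKey(activationDate: now, expirationDate: now.AddDays(90));
}

app.MapGet("/", () => "ok");
app.Run();
```

Run the rotation once, on a single instance, by setting `DP_ROTATE_KEYS=1` for that start only: the revocation record and the new key are written to the shared repository, so every replica picks them up on its next key ring refresh, and leaving the variable set would revoke the fresh key again at each restart. The directory permission only closes the local-process exposure; keys already emitted to stdout are covered by the log review and by the rotation, not by this configuration.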
Broader Context
Security regressions in cryptographic primitive libraries are particularly dangerous because they undermine protections silently: applications continue to function normally while the security guarantee is absent. Unlike a new feature with a known attack surface, a regression in DataProtection produces no visible error. Teams auditing the .NET 10 upgrade path should verify that dependencies on the DataProtection subsystem were tested against key confidentiality requirements, not only functional correctness. The absence of error output is not evidence of secure operation.