Canadian Cyber Security Journal
Filed under: TechTalk

CVE-2026-40372: Microsoft’s Emergency ASP.NET Core Patch Closes a CVSS 9.1 Authentication Bypass on Linux

What Happened

Microsoft released an emergency out-of-band security update on April 21, 2026, to address CVE-2026-40372, a critical elevation-of-privilege vulnerability in the ASP.NET Core Data Protection cryptographic APIs. The flaw carries a CVSS base score of 9.1 and affects the Microsoft.AspNetCore.DataProtection NuGet package, versions 10.0.0 through 10.0.6.

The root cause is an incorrect implementation of Hash-based Message Authentication Code (HMAC) verification in the managed authenticated encryptor. An unauthenticated remote attacker who understands the flaw is able to forge authentication cookies that ASP.NET Core applications accept as valid, effectively bypassing authentication and gaining the privileges of the application process — which on Linux systems often runs as root or SYSTEM. Microsoft’s advisory notes that the fix shipped in ASP.NET Core 10.0.7 and was confirmed by the .NET team’s GitHub announcement. The vulnerability was reported by The Hacker News and detailed in the dotnet announcements repository.
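The advisory describes the flaw only as incorrect HMAC verification in the authenticated encryptor, without saying what the defect was. To make the property at stake concrete, here is an added illustrative example (written for this article, not Microsoft's Data Protection code) of the verification step an encrypt-then-MAC token scheme has to get right: recompute the tag over exactly the bytes that will be trusted, refuse anything too short to carry a full tag, and compare in constant time before releasing the payload. The `protect`/`unprotect` functions, the fixed demo key and the cookie contents are all constructed for the demonstration, and the encryption layer is left out to keep the focus on tag checking.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Optional

# Illustrative code added for this article; it is not Microsoft's Data Protection
# implementation and omits the encryption layer to focus on tag verification.
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes for HMAC-SHA256


def protect(key: bytes, payload: bytes) -> bytes:
    """Produce payload || HMAC-SHA256(key, payload), base64url-encoded like a cookie value."""
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag)


def unprotect(key: bytes, token: bytes) -> Optional[bytes]:
    """Return the payload only if its tag verifies under `key`; None on any failure.

    Decode defensively, refuse tokens too short to hold a full tag, recompute the
    tag over exactly the bytes that will be trusted, and compare in constant time.
    A verifier that skips or weakens any of these steps accepts forged tokens.
    """
    try:
        raw = base64.urlsafe_b64decode(token)
    except (binascii.Error, ValueError):
        return None
    if len(raw) < TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return payload


# Test helpers: build the kinds of malformed token a verifier must reject.
def with_modified_payload(token: bytes, old: bytes, new: bytes) -> bytes:
    """Same tag, altered payload: the shape a tampered cookie takes."""
    raw = base64.urlsafe_b64decode(token)
    return base64.urlsafe_b64encode(raw[:-TAG_LEN].replace(old, new) + raw[-TAG_LEN:])


def without_tag(token: bytes) -> bytes:
    """Payload with the tag stripped entirely."""
    raw = base64.urlsafe_b64decode(token)
    return base64.urlsafe_b64encode(raw[:-TAG_LEN])


# Constructed fixed key and cookie for the demo; real keys come from the key ring.
DEMO_KEY = b"\x01" * 32
DEMO_COOKIE = protect(DEMO_KEY, b"user=alice;role=user")

if __name__ == "__main__":
    cases = {
        "genuine": unprotect(DEMO_KEY, DEMO_COOKIE),
        "wrong key": unprotect(b"\x02" * 32, DEMO_COOKIE),
        "payload modified": unprotect(
            DEMO_KEY, with_modified_payload(DEMO_COOKIE, b"role=user", b"role=root")),
        "tag stripped": unprotect(DEMO_KEY, without_tag(DEMO_COOKIE)),
        "garbage": unprotect(DEMO_KEY, b"!!!!"),
    }
    for name, result in cases.items():
        print(f"{name:18s} -> {'accepted' if result is not None else 'rejected'}")
```

Only the genuine cookie is accepted; every other case is rejected before the payload is used. The point for defenders is that a cookie scheme's entire security rests on `unprotect` doing all of these checks, which is why a verification bug in the framework layer turns into an authentication bypass for every application built on it.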

Why This Matters for Canadian Organizations

ASP.NET Core is among the most widely deployed web frameworks in Canadian enterprise, government, and public sector environments. Organizations running .NET 10 on Linux — including containerized deployments on Azure, AWS, or on-premises Kubernetes clusters — are directly affected. The vulnerability is especially significant for any application using cookie-based authentication, session management, or data protection tokens, which covers the vast majority of ASP.NET Core web applications.

The Linux-specific nature of this flaw is notable. Many Canadian organizations have accelerated their migration of .NET workloads to Linux containers for cost and performance reasons. Security teams accustomed to applying Windows patches on Patch Tuesday timelines will need to treat this as an immediate priority for their container registries and Linux application servers.

Under PIPEDA, organizations holding personal information in systems vulnerable to authentication bypass face breach notification obligations if an attacker used the flaw to access customer data. The out-of-band timing — a week after April Patch Tuesday — signals the severity Microsoft assigned to the risk. Canadian Security Establishment (CSE) and CCCS typically align with Microsoft advisories of this severity and will expect federal departments to remediate promptly.

What to Do

Update all .NET 10 applications to ASP.NET Core 10.0.7 immediately. In containerized environments, rebuild and redeploy all container images built on the affected NuGet package versions. Check your application’s dependency tree for any transitive inclusion of Microsoft.AspNetCore.DataProtection versions 10.0.0 through 10.0.6. Applications on .NET 8 or .NET 9 are not affected by this specific flaw. Monitor authentication logs for anomalous session establishment patterns predating the patch window, as this class of vulnerability leaves no obvious indicators of compromise once exploited.
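Checking the dependency tree for a transitive reference is the step most likely to be skipped, since the vulnerable package is usually pulled in by an authentication or Identity package rather than referenced directly. The script below is an added example, not tooling from Microsoft or the .NET project: it reads the output of `dotnet list package --include-transitive` and flags any resolved Microsoft.AspNetCore.DataProtection version from 10.0.0 through 10.0.6. The column layout it parses is assumed from the CLI's usual output, and the embedded sample is constructed for the demonstration.

```python
import re
import sys

AFFECTED_PACKAGE = "Microsoft.AspNetCore.DataProtection"
AFFECTED_MIN = (10, 0, 0)
AFFECTED_MAX = (10, 0, 6)   # inclusive; 10.0.7 carries the fix

# Constructed sample in the layout `dotnet list package --include-transitive` prints
# (assumed from the CLI's usual output; adjust the parser if your SDK formats differently).
SAMPLE_OUTPUT = """\
Project 'Orders.Api' has the following package references
   [net10.0]:
   Top-level Package                                   Requested   Resolved
   > Microsoft.AspNetCore.Authentication.JwtBearer     10.0.3      10.0.3
   > Swashbuckle.AspNetCore                             7.2.0       7.2.0

   Transitive Package                                   Resolved
   > Microsoft.AspNetCore.DataProtection                10.0.3
   > Microsoft.AspNetCore.DataProtection.Abstractions   10.0.3
   > Microsoft.Extensions.Logging.Abstractions          10.0.3
"""


def parse_version(version: str):
    """'10.0.3' -> (10, 0, 3). Prerelease or build suffixes ('10.0.3-rc.1') are
    compared by their numeric core. Returns None for non-numeric strings."""
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts] + [0, 0, 0]
    return tuple(nums[:3])


def is_affected(version: str) -> bool:
    v = parse_version(version)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX


def parse_package_lines(text: str):
    """Yield (package, resolved_version, kind) for each '>' line.
    kind is 'top-level' or 'transitive', tracked from the section headers."""
    kind = "top-level"
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Transitive Package"):
            kind = "transitive"
        elif s.startswith("Top-level Package"):
            kind = "top-level"
        elif s.startswith(">"):
            fields = s[1:].split()
            if len(fields) >= 2:
                yield fields[0], fields[-1], kind   # last column is always Resolved


def find_affected(text: str):
    """Exact package-name match (case-insensitive): sibling packages such as
    *.Abstractions share the prefix but are not the package named in the advisory."""
    return [
        (name, version, kind)
        for name, version, kind in parse_package_lines(text)
        if name.lower() == AFFECTED_PACKAGE.lower() and is_affected(version)
    ]


if __name__ == "__main__":
    # Usage: dotnet list package --include-transitive | python check_dataprotection.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    hits = find_affected(text)
    for name, version, kind in hits:
        print(f"AFFECTED: {name} {version} ({kind}) - update to 10.0.7 or later")
    if not hits:
        print("No affected Microsoft.AspNetCore.DataProtection versions found")
    sys.exit(1 if hits else 0)
```

On the sample it reports the transitive 10.0.3 reference and exits non-zero, which makes it usable as a gate in the container build pipeline the article recommends rebuilding. For a solution with several projects, run it over the combined output; the parser resets its section tracking at each project's package table.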
