CVE-2026-40372: ASP.NET Core Elevation of Privilege Vulnerability

ASP.NET Core utilizes the Microsoft.AspNetCore.DataProtection library to secure sensitive application state. This framework component provides cryptographic APIs for generating and validating authentication cookies, anti-forgery tokens, and temporary session artifacts. The default configuration on non-Windows platforms relies on a managed implementation of authenticated encryption.

CVE-2026-40372 represents a critical logic flaw within this managed encryption provider. Specifically, the vulnerability resides in the cryptographic signature verification routine of the ManagedAuthenticatedEncryptor class. The flaw allows unauthorized attackers to bypass integrity checks by submitting a forged payload with a specific HMAC structure.

Successful exploitation results in a complete bypass of the application's authentication boundary. Attackers can forge administrative tokens and assume elevated privileges without prior credentials. The vulnerability carries a CVSS v3.1 base score of 9.1, reflecting its network-routable nature and severe impact on application integrity.

The core vulnerability is located in the CalculateAndValidateMac method within the Microsoft.AspNetCore.DataProtection.Managed namespace. This method is responsible for computing a cryptographic hash of the incoming payload and comparing it against the hash appended by the sender. The implementation in versions 10.0.0 through 10.0.6 contains a fatal logic error during this validation phase.

Data protection payloads follow a strict binary format consisting of a version header, key identifier, initialization vector, ciphertext, and an HMAC. During the unprotect operation, the framework extracts the key identifier to retrieve the correct validation subkey. The framework then recalculates the HMAC over the preceding payload components and performs a comparison against the appended HMAC bytes.

The flaw manifests when the appended HMAC within the attacker-controlled payload consists entirely of null bytes (0x00). The underlying comparison logic incorrectly evaluates this specific byte sequence as a match, regardless of the actually computed HMAC value. This behavior completely nullifies the integrity guarantees of the authenticated encryption scheme.

Cryptographic signature verification requires constant-time comparison functions to prevent timing attacks and ensure strict byte-for-byte equality. The vulnerable implementation of CalculateAndValidateMac deviated from standard cryptographic practices by introducing conditional logic that mishandled zero-valued buffers.

While the exact patch diff involves internal framework optimizations, the conceptual error involves an improper fast-path exit or a flawed memory span comparison. When the attacker supplies a 32-byte sequence of zeros for the HMAC-SHA256 signature, the validation routine returns a boolean true instead of rejecting the mismatch.

// Conceptual representation of the flawed logic
public bool CalculateAndValidateMac(ReadOnlySpan<byte> payload, ReadOnlySpan<byte> providedHmac)
{
    Span<byte> computedHmac = stackalloc byte[32];
    ComputeHmac(payload, computedHmac);
    
    // VULNERABILITY: Incorrect validation logic allows all-zero providedHmac to pass
    if (IsAllZeros(providedHmac)) {
        return true; 
    }
    
    return CryptographicOperations.FixedTimeEquals(computedHmac, providedHmac);
}

The remediation in version 10.0.7 removes this defective logic. The patched framework mandates a strict, unconditional constant-time comparison between the computed HMAC and the provided HMAC. This ensures that any deviation, including an all-zero sequence, correctly results in a CryptographicException and halts the unprotect operation.

Exploitation of CVE-2026-40372 requires no prior authentication and operates entirely over the network. The attacker first obtains a valid DataProtection payload from the target application. This artifact is typically an authentication cookie issued to a low-privileged or anonymous user session.

The attacker decodes the Base64-encoded cookie to access the binary payload. By manipulating the ciphertext segment, the attacker alters the embedded claims. Common targets include modifying the NameIdentifier claim or elevating the Role claim to administrative values. Since the underlying encryption is often AES-CBC without integrity, modifying the ciphertext requires compensating for CBC bit-flipping mechanics or exploiting application-level padding oracles.

Once the ciphertext is modified, the attacker overwrites the final 32 bytes of the payload—the HMAC section—with null bytes (0x00). The reassembled payload is Base64-encoded and transmitted back to the application via an HTTP request header or cookie value.

The target application processes the request and invokes the Unprotect method. The flawed CalculateAndValidateMac routine encounters the null-byte HMAC and incorrectly returns a validation success. The application decrypts the modified claims, instantiates a new principal object, and grants the attacker elevated access based on the forged identity.

The exploitation of this vulnerability leads to total application compromise. An attacker can persistently impersonate any user within the system, access sensitive data, and execute administrative functions. The integrity and confidentiality of the application are entirely broken.

The exposure is primarily limited to environments utilizing the managed encryptor. Linux and macOS deployments of ASP.NET Core applications default to this managed implementation, rendering them inherently vulnerable. Applications hosted on Windows architectures typically leverage Cryptography Next Generation (CNG) and remain unaffected unless explicitly configured to use the managed provider.

> [!NOTE] > The vulnerability is specific to the .NET 10 release cycle. Applications running .NET 8.0 or .NET 9.0 utilize earlier implementations of the DataProtection library and do not contain this specific logic flaw.

Organizations must immediately upgrade the Microsoft.AspNetCore.DataProtection package to version 10.0.7 or later. For applications relying on the shared framework, upgrading the .NET 10 runtime environment to the corresponding patched release is required. This action neutralizes the core vulnerability and prevents the framework from accepting zero-byte HMACs.

Upgrading the binaries is insufficient to fully remediate the environment. Because the vulnerability allows attackers to forge tokens using existing valid keys, administrators must proactively invalidate the current cryptographic key ring. Failing to rotate keys permits previously forged tokens to remain valid until their natural expiration.

Key revocation is accomplished via the IKeyManager interface. Administrators should deploy a temporary application update or run a management script that invokes RevokeAllKeys, specifying a revocation date and the CVE identifier as the reason. This forces the application to generate a new master key for future encryption operations.

var keyManager = services.GetRequiredService<IKeyManager>();
keyManager.RevokeAllKeys(
    revocationDate: DateTimeOffset.UtcNow,
    reason: "CVE-2026-40372: DataProtection 10.0.6 validation bypass");

Following key revocation, all active user sessions will be invalidated, requiring users to re-authenticate. Organizations should also audit access logs for anomalous endpoint usage during the vulnerable window.