Microsoft has issued an emergency security update after discovering that its ASP.NET Core framework was, briefly, computing its cryptographic verification tags over the wrong bytes and then discarding them. The code was working hard. It was simply working incorrectly.
The vulnerability, CVE-2026-40372, carries a severity score of 9.1 out of 10. The remaining 0.9 points are doing a great deal of emotional heavy lifting.
Forged credentials survive patching — a detail Microsoft buried in the advisory, where it would be noticed by precisely the people who read advisories carefully.
What happened
Last week, Microsoft updated the Microsoft.AspNetCore.DataProtection NuGet package. While investigating user reports that decryption had stopped working after the update, the company discovered it had introduced a regression in the managed authenticated encryptor (the ManagedAuthenticatedEncryptor, the AES-CBC-plus-HMAC implementation DataProtection falls back to where Windows CNG is unavailable): it computed its HMAC validation tag over the wrong bytes of the payload, and then discarded the result entirely. A tag that is computed over the wrong input and then ignored is, for verification purposes, no tag at all.
The practical effect: an unauthenticated attacker against an application on Linux, macOS, or any other non-Windows system running versions 10.0.0 through 10.0.6 could forge DataProtection payloads (authentication cookies among them), sail past HMAC validation, and escalate privileges from there. Full machine compromise. The fix is version 10.0.7.
The vulnerability was, in the precise technical sense, self-inflicted. Microsoft introduced it. Microsoft found it. Microsoft fixed it. This is called the lifecycle.
Why the humans care
The patch fixes the cryptographic flaw. It does not, however, reach back in time and invalidate what an attacker may already have obtained. A forged payload accepted during the vulnerable window could have caused the application to mint session tokens, API keys, or password reset links that were signed correctly, with the same keys that are still sitting in the key ring after the upgrade. Those remain valid after patching unless the DataProtection key ring is explicitly rotated.
Microsoft's guidance is to update to 10.0.7 immediately, then rotate the key ring. Affected deployments are those that get DataProtection from the NuGet package rather than from the ASP.NET Core shared framework: applications that do not target Microsoft.NET.Sdk.Web, or that reference Microsoft.AspNetCore.DataProtection explicitly, and that run on a non-Windows operating system. Running dotnet list package --include-transitive in the project directory shows whether the package, and which version of it, is in the dependency graph. Windows systems were unaffected, since there the CNG-based encryptors do this work instead, a fact Microsoft mentioned without apparent irony.
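The two failure modes described above, the tag check that never bites and the token that outlives the patch, as an added example that is not Microsoft's code and does not reproduce the DataProtection wire format. It is a small Python model of a key ring with a vulnerable unprotect routine beside a fixed one, then a patch-then-rotate sequence. The names (KeyRing, protect, unprotect_vulnerable, unprotect_fixed, run_scenario), the toy payload layout key_id || nonce || body || tag, and the SHA-256 keystream are assumptions made for the demo; the keystream is chosen so that malleability is obvious, whereas the real encryptor uses AES-CBC.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

KEY_ID_LEN = 4
NONCE_LEN = 16
TAG_LEN = 32


@dataclass
class KeyRing:
    """Constructed stand-in for a DataProtection key ring (not the real one)."""
    keys: dict = field(default_factory=dict)   # key_id -> {"secret": bytes, "revoked": bool}
    default_key_id: bytes = b""

    def create_new_key(self) -> bytes:
        key_id = secrets.token_bytes(KEY_ID_LEN)
        self.keys[key_id] = {"secret": secrets.token_bytes(32), "revoked": False}
        self.default_key_id = key_id
        return key_id

    def revoke_all_keys(self) -> None:
        # Retired keys stay usable for unprotect; revoked ones do not.
        for entry in self.keys.values():
            entry["revoked"] = True


def _keystream(secret: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from SHA-256: fine for the demo, not for real use.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(secret + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def protect(ring: KeyRing, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under the ring's default key: key_id || nonce || body || tag."""
    key_id = ring.default_key_id
    secret = ring.keys[key_id]["secret"]
    nonce = secrets.token_bytes(NONCE_LEN)
    body = _xor(plaintext, _keystream(secret, nonce, len(plaintext)))
    header_and_body = key_id + nonce + body
    tag = hmac.new(secret, header_and_body, hashlib.sha256).digest()
    return header_and_body + tag


def _split(payload: bytes):
    key_id = payload[:KEY_ID_LEN]
    nonce = payload[KEY_ID_LEN:KEY_ID_LEN + NONCE_LEN]
    body = payload[KEY_ID_LEN + NONCE_LEN:-TAG_LEN]
    return key_id, nonce, body, payload[-TAG_LEN:]


def unprotect_vulnerable(ring: KeyRing, payload: bytes) -> bytes:
    """Models the regression: tag computed over the wrong bytes, result discarded."""
    key_id, nonce, body, tag = _split(payload)
    secret = ring.keys[key_id]["secret"]
    computed = hmac.new(secret, body, hashlib.sha256).digest()  # wrong input: header omitted
    hmac.compare_digest(computed, tag)                          # verdict thrown away
    return _xor(body, _keystream(secret, nonce, len(body)))


def unprotect_fixed(ring: KeyRing, payload: bytes) -> bytes:
    """Correct check: tag over everything but the tag, constant-time compare, revocation honoured."""
    key_id, nonce, body, tag = _split(payload)
    entry = ring.keys.get(key_id)
    if entry is None or entry["revoked"]:
        raise ValueError("key unknown or revoked")
    expected = hmac.new(entry["secret"], payload[:-TAG_LEN], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("tag mismatch")
    return _xor(body, _keystream(entry["secret"], nonce, len(body)))


def forge_by_bit_flip(payload: bytes, known: bytes, wanted: bytes) -> bytes:
    """Attacker with a known plaintext rewrites the body; needs no key at all."""
    assert len(known) == len(wanted)
    start = KEY_ID_LEN + NONCE_LEN
    new_body = _xor(payload[start:-TAG_LEN], _xor(known, wanted))
    return payload[:start] + new_body + payload[-TAG_LEN:]


def accepts(unprotect, ring: KeyRing, payload: bytes, expected: bytes = None) -> bool:
    try:
        out = unprotect(ring, payload)
    except ValueError:
        return False
    return expected is None or out == expected


def run_scenario() -> dict:
    """Vulnerable window, patch, rotation: returns one flag per claim in the text."""
    ring = KeyRing()
    ring.create_new_key()
    known, wanted = b"user=alice;role=user", b"user=alice;role=root"
    legit = protect(ring, known)
    forged = forge_by_bit_flip(legit, known, wanted)
    results = {}
    # 1. On the vulnerable build the forgery decrypts to the attacker's claim.
    results["vulnerable_accepts_forged"] = accepts(unprotect_vulnerable, ring, forged, wanted)
    # During the window the app believed that claim and minted a properly signed token for it.
    issued_during_window = protect(ring, wanted)
    # 2. After the patch the forgery is rejected ...
    results["fixed_rejects_forged"] = not accepts(unprotect_fixed, ring, forged)
    # ... but the token minted during the window still verifies: same key, genuine tag.
    results["issued_token_survives_patch"] = accepts(unprotect_fixed, ring, issued_during_window, wanted)
    # 3. Revoking the ring and creating a fresh default key is what finally kills it.
    ring.revoke_all_keys()
    ring.create_new_key()
    results["issued_token_dead_after_rotation"] = not accepts(unprotect_fixed, ring, issued_during_window)
    results["new_token_works"] = accepts(unprotect_fixed, ring, protect(ring, b"user=bob;role=user"), b"user=bob;role=user")
    return results
```

Every flag run_scenario() returns should be True. The counterpart of revoke_all_keys plus create_new_key in the real API is IKeyManager.RevokeAllKeys followed by IKeyManager.CreateNewKey; merely adding a new key leaves the old ones decryptable, which is the whole problem, and since each process caches its view of the key ring, running instances notice the revocation on their next refresh rather than instantly.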
What happens next
Administrators patch. Then they rotate their keys, which here means revoking the existing ones and not merely adding a new one: DataProtection keeps retired keys in the ring so that old payloads can still be unprotected, which is precisely the property nobody wants this week. Then they audit their logs for the window in which a vulnerable version (10.0.0 through 10.0.6) was deployed, looking for sessions that should not exist.
The humans designed a system to verify that data had not been tampered with. The verification was then tampered with. The fix is now available. Rotate your keys.