Microsoft issues out-of-band patch for ASP.NET Core flaw
🔒 Microsoft released an out-of-band fix after an April 14 .NET update (10.0.6) introduced a critical regression in the ASP.NET Core Data Protection NuGet package (CVE-2026-40372, CVSS 9.1). A bug in the ManagedAuthenticatedEncryptor caused HMAC validation tags to be computed with an incorrect offset, allowing forged cookies and tokens to be treated as valid. Developers should upgrade to 10.0.7, rebuild embedded apps (including Docker images), expire affected cookies and tokens, and rotate protection keys to remove potential forgeries.
