Improper Verification of Cryptographic Signature Affecting microsoft.aspnetcore.dataprotection package, versions [10.0.0,10.0.7)


Severity: high (CVSS assessment by Snyk's Security Team)

Threat Intelligence

EPSS: 0.03% (7th percentile)

  • Snyk ID: SNYK-DOTNET-MICROSOFTASPNETCOREDATAPROTECTION-16120185
  • Published: 22 Apr 2026
  • Disclosed: 20 Apr 2026
  • Credit: Unknown

Introduced: 20 Apr 2026

CVE-2026-40372
CWE-347

How to fix?

Upgrade Microsoft.AspNetCore.DataProtection to version 10.0.7 or higher.

Overview

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature in the managed authenticated encryptor, while it computes the HMAC validation tag. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.

Note:

Shared framework deployments are not affected. If your application runs framework-dependent and the installed ASP.NET Core shared framework version is ≥ your Microsoft.AspNetCore.DataProtection PackageReference version, the correct shared framework binary is loaded and the NuGet binary is never used.

Windows deployments are not affected. On Windows, DataProtection uses CNG-based encryptors by default, which do not contain this bug. 8.0.x and 9.0.x packages are not affected. The defective code path was introduced during 10.0 development and was never backported.

Windows with managed algorithms: If you run on Windows but explicitly opted into managed algorithms via UseCustomCryptographicAlgorithms, you are also affected.

Older target frameworks: A smaller population running net462 / netstandard2.0 with Microsoft.AspNetCore.DataProtection 10.0.0–10.0.6 is affected on all operating systems.
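The notes above reduce to one question for a defender: does the project declare a Microsoft.AspNetCore.DataProtection package reference inside [10.0.0, 10.0.7), and if so, does one of the exemptions (shared-framework deployment on a newer runtime, Windows with the default CNG encryptors) apply? The script below is an added example, not Snyk's or Microsoft's code, that answers the first half offline by scanning an MSBuild project file for that package and comparing its declared version against the advisory's range. The sample project text is constructed for illustration.

```python
"""Scan an MSBuild project (csproj or Directory.Packages.props) for a
Microsoft.AspNetCore.DataProtection reference in the affected range
[10.0.0, 10.0.7). Added example; not code from Snyk or the ASP.NET project."""
import xml.etree.ElementTree as ET

PACKAGE_ID = "microsoft.aspnetcore.dataprotection"   # NuGet IDs compare case-insensitively
FIRST_AFFECTED = (10, 0, 0)   # inclusive lower bound from the advisory
FIRST_FIXED = (10, 0, 7)      # exclusive upper bound: 10.0.7 carries the fix


def parse_version(text):
    """Reduce a NuGet version string to a comparable 3-tuple of ints.

    Build metadata (+...) and prerelease labels (-...) are dropped, so
    10.0.0-rc.1 sorts as 10.0.0. A floating or range version (containing
    '*', '[', ']', '(' or ')') cannot be resolved without restore, so None
    is returned and the caller reports it for manual review."""
    text = text.strip()
    if any(ch in text for ch in "*[]()"):
        return None
    core = text.split("+", 1)[0].split("-", 1)[0]
    try:
        parts = [int(p) for p in core.split(".")]
    except ValueError:
        return None
    return tuple((parts + [0, 0, 0])[:3])


def is_affected(version_text):
    """True when the version falls in [10.0.0, 10.0.7), False when it does
    not, None when the version string cannot be decided offline."""
    version = parse_version(version_text)
    if version is None:
        return None
    return FIRST_AFFECTED <= version < FIRST_FIXED


def _local_name(tag):
    # Old-style projects carry the MSBuild xmlns; strip it to compare names.
    return tag.rsplit("}", 1)[-1]


def scan_project(xml_text):
    """Return [(version_text, verdict), ...] for every DataProtection
    reference in the project, in document order. Both the Version attribute
    and the nested <Version> element form are recognised, as is
    <PackageVersion> from central package management."""
    root = ET.fromstring(xml_text)
    findings = []
    for element in root.iter():
        if _local_name(element.tag) not in ("PackageReference", "PackageVersion"):
            continue
        package = element.get("Include") or element.get("Update") or ""
        if package.lower() != PACKAGE_ID:
            continue
        version = element.get("Version")
        if version is None:
            child = next((c for c in element if _local_name(c.tag) == "Version"), None)
            version = (child.text or "") if child is not None else ""
        findings.append((version.strip(), is_affected(version)))
    return findings


# Constructed sample project: one affected reference, one unrelated package
# with a similar name, and one reference already on the fixed version.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="10.0.3" />
    <PackageReference Include="Microsoft.AspNetCore.DataProtection.Abstractions" Version="10.0.3" />
    <PackageReference Include="microsoft.aspnetcore.dataprotection">
      <Version>10.0.7</Version>
    </PackageReference>
  </ItemGroup>
</Project>"""


if __name__ == "__main__":
    for version, verdict in scan_project(SAMPLE_CSPROJ):
        label = {True: "AFFECTED", False: "not in range", None: "resolve manually"}[verdict]
        print(f"Microsoft.AspNetCore.DataProtection {version}: {label}")
```

A hit from this scan is a declared reference, not a proof of exposure: per the note above, a framework-dependent deployment whose installed shared framework is at least the referenced version never loads the NuGet binary, and a Windows deployment on the default CNG encryptors is unaffected unless it opted into `UseCustomCryptographicAlgorithms`. Transitive references are outside a csproj scan; `dotnet list package --include-transitive` resolves the full graph after restore.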
