https://hackingpassion.com/tags/cve-2026-40372/Recent content in CVE 2026 40372 on HackingPassion.com : root@HackingPassion.com-[~]HugoenWed, 22 Apr 2026 13:17:50 +0200https://hackingpassion.com/aspnet-core-dataprotection-hmac-cve-2026-40372/Wed, 22 Apr 2026 13:17:50 +0200https://hackingpassion.com/aspnet-core-dataprotection-hmac-cve-2026-40372/<p>The security fix Microsoft shipped in 2010 to stop attackers from decrypting ASP.NET traffic and forging authentication cookies just got quietly broken by a regression in .NET 10. <code>Microsoft.AspNetCore.DataProtection 10.0.6</code> shipped on <strong>April 14, 2026</strong>. One week later, on <strong>April 21</strong>, Microsoft released <strong>10.0.7</strong> out of band with the fix. In those seven days, any Linux or macOS server running 10.0.6 may have handed out real, signed login tokens to attackers, and <strong>those tokens still work after the patch unless the key ring is rotated.</strong> 😏</p>