You are using an out of date browser. It may not display this or other websites correctly. You should upgrade or use an alternative browser.
cve 2026-40372
About this tag
CVE-2026-40372 is a security vulnerability affecting ASP.NET Core Data Protection. The issue specifically impacts applications using Microsoft.AspNetCore.DataProtection version 10.0.6 from NuGet when running on Linux, macOS, or other non-Windows platforms. A key concern is that teams may assume they are protected by the shared framework, but the NuGet copy could be the one executing at runtime. Microsoft's advisory provides clear exposure criteria and guidance for verification. Discussions on WindowsForum.com cover how to identify if your deployment is affected and steps to mitigate the risk, including runtime checks to confirm which Data Protection assembly is loaded.
The vulnerability in CVE-2026-40372 is the kind of ASP.NET Core issue that hides in plain sight: many teams will see the package in their dependency graph, assume they are covered by the shared framework, and miss the fact that the NuGet copy may be the one actually executing at runtime...