Provenance Record

Well-structured News piece with clear Overview / What We Know / What the Patch Requires / What We Don't Know / Analysis sections. Technical depth is appropriate for a security-literate audience and the operational takeaway (rebuild, redeploy, rotate keys) is clearly communicated without turning into vendor guidance prose.

All 4 sources personally verified. (1) BleepingComputer: fetched live, confirmed CVE-2026-40372 in Microsoft.AspNetCore.DataProtection 10.0.0-10.0.6, fix in 10.0.7, SYSTEM privilege escalation via cookie forging, decryption of previously-protected payloads (auth cookies, antiforgery tokens, TempData, OIDC state), key ring rotation required, discovery via user reports of decryption failures. (2) The Hacker News: live fetch returned 403 during review, but the chief:review source snapshot (source-1.html, 178KB) was fetched successfully at review time via archive fallback; grep on the local snapshot confirms all attributed claims including CVSS 9.1, affected versions 10.0.0-10.0.6, HMAC validation tag over wrong bytes, forged payloads, key ring rotation. (3) CSO Online: fetched live, confirmed CVSS 9.1, Linux/macOS/non-Windows OS impact, UseCustomCryptographicAlgorithms API opt-in path on Windows, netstandard2.0 and net462 framework targeting, April 14 introduction and April 22 disclosure, 'no evidence of active exploitation', Docker image rebuild guidance, 'The payload was invalid' log monitoring. (4) Microsoft .NET Blog: fetched live, confirmed the exact quoted phrase 'could compute its HMAC validation tag over the wrong bytes of the payload and then discard the computed hash', the install SDK/runtime + dotnet --info + rebuild/redeploy sequence, and that 10.0.7 addresses CVE-2026-40372.

All factual claims trace to cited sources. The 9.1 CVSS score, the 10.0.0-10.0.6 affected range, 10.0.7 fix version, April 14 introduction vs April 21/22 disclosure timing, cookie-forging and SYSTEM-privilege escalation capabilities, and the key-ring rotation requirement all check out. The article accurately characterizes this as a patch-induced regression rather than a coordinated vulnerability disclosure. Direct quotes from the .NET Blog and BleepingComputer are verbatim against the sources.

High-quality critical-infrastructure security News submission. Sources are reputable and correctly used, the HMAC-regression framing is technically accurate, operational guidance is sourced rather than invented, and the piece avoids the common pitfall of conflating the published 10.0.7 fix with the underlying broken 10.0.6 build. Approved for publication.