
ASP.NET Core CVE-2026-40372: Forged Cookie Threat to SAMA Banks

Microsoft released an out-of-band patch for CVE-2026-40372, a CVSS 9.1 ASP.NET Core flaw that lets attackers forge auth cookies and gain SYSTEM. Direct risk to SAMA bank apps.

FyntraLink Team

Microsoft has issued an out-of-band emergency security update for CVE-2026-40372, a CVSS 9.1 vulnerability in the ASP.NET Core Data Protection stack that allows unauthenticated attackers to forge authentication cookies and elevate privileges to SYSTEM over the network. For SAMA-regulated Saudi banks running .NET-based digital channels, this is not a routine Patch Tuesday item — it is a same-day priority that touches session integrity, IAM, and SAMA CSCC obligations all at once.

What CVE-2026-40372 Actually Breaks

The flaw lives inside Microsoft.AspNetCore.DataProtection, the framework component responsible for protecting authentication cookies, antiforgery tokens, OAuth state, and other signed artifacts in ASP.NET Core applications. According to Microsoft's advisory, a regression introduced in versions 10.0.0 through 10.0.6 caused the managed authenticated encryptor to compute its HMAC validation tag over the wrong bytes of the payload. The cryptographic signature still appeared valid to the framework, but it no longer bound the actual payload — meaning an attacker could craft a forged cookie that the application would accept as legitimate.

The result is a pre-authentication elevation of privilege: with knowledge of the misconfigured key material window, an unauthorized attacker can mint cookies that authenticate as a privileged identity, frequently leading to SYSTEM-level execution on the host running the .NET application pool. Microsoft's senior program manager Rahul Bhandari urged all customers to upgrade to Microsoft.AspNetCore.DataProtection 10.0.7 immediately.

Why Patching Alone Is Not Enough

Bank security teams must internalize one critical detail: tokens issued during the vulnerable window remain valid after the upgrade to 10.0.7 unless the Data Protection key ring is rotated. A bank that patches binaries but leaves its existing key ring intact is still exposed to forgeries the attacker may have pre-computed. The proper response is a four-step sequence — inventory all .NET 10 services, patch the package, rotate the key ring (and persist the new keys to a hardened store such as Azure Key Vault, HashiCorp Vault, or HSM-backed storage), and finally invalidate active sessions to force re-authentication.

Banks should also hunt backwards. Any signed artifact issued during the regression window — refresh tokens, password reset links, single-use payment confirmation tokens — should be treated as potentially forgeable and reissued. Reviewing IIS, Kestrel, and reverse-proxy logs for unexpected privileged access patterns since the package was deployed is a baseline minimum.

Impact on Saudi Financial Institutions

The SAMA Cyber Security Framework (CSCC) places explicit obligations on member organizations that map directly to this vulnerability. Domain 3.3.5 (Cryptography) requires sound key-management lifecycle controls — exactly what a key-ring rotation exercise satisfies. Domain 3.3.10 (Identity and Access Management) requires the integrity of authentication mechanisms, which a forged-cookie flaw directly undermines. Domain 3.3.14 (Cyber Security Event Management) requires detection of anomalous privileged sessions, the only behavioral signal a defender will have if the attacker already cashed in their forged cookies.

Beyond SAMA, the NCA Essential Cybersecurity Controls (ECC-1:2018) subdomain 2-7 on cryptography and 2-2 on identity and access management apply, as do the technology controls in NCA's NCNICC-1:2025 expansion to the Saudi private sector. For banks processing cardholder data, PCI-DSS v4.0 requirement 8.3 on multi-factor authentication and requirement 6.3 on managing security vulnerabilities both intersect with this CVE. The PDPL angle becomes relevant the moment an attacker leverages forged sessions to access customer personal data — making this a notification-eligible event under SDAIA's PDPL implementing regulations if exploitation is confirmed.

Practical Remediation Playbook

  1. Inventory exposure. Run dotnet list package --vulnerable --include-transitive across every internet-facing and internal .NET 10 application — digital banking portals, mobile back-ends, internal Open Banking gateways, partner APIs, and admin consoles.
  2. Patch the package. Upgrade Microsoft.AspNetCore.DataProtection to 10.0.7 in every project file, rebuild, and deploy through your change-management pipeline with SAMA-required approvals.
  3. Rotate the key ring. Generate a fresh Data Protection key, persist it to a centralized HSM-backed store, and revoke all keys that were active during the regression window. Force the application to discard cached keys.
  4. Invalidate sessions and tokens. Sign out all users, expire refresh tokens, and revoke any one-time-use signed artifacts — password resets, magic links, transaction confirmations — that were issued under the vulnerable keys.
  5. Hunt for prior abuse. Review SIEM data for impossible travel, privileged role assumption without corresponding MFA events, and admin-tier API calls outside business hours since the affected package was first deployed.
  6. Update the vendor risk register. Engage every third-party fintech, payment service provider, and SaaS vendor processing your customer data to confirm their .NET 10 estate is patched and key rings rotated — SAMA's third-party risk obligations make their exposure your exposure.
  7. Document for the regulator. Capture the timeline, scope, and remediation evidence in a format suitable for SAMA's annual self-assessment and any ad-hoc inspection.
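Steps 3 and 4 above, together with the key-ring warning in "Why Patching Alone Is Not Enough", as an added example that is not from the original post or from Microsoft: a minimal ASP.NET Core startup that revokes every Data Protection key activated before an assumed cutoff, mints a replacement, and rejects any authentication cookie issued before that cutoff. The cutoff date, application name and key directory are placeholders, the file-system store stands in for the HSM-backed store the post recommends, and the block relies on the Web SDK's implicit usings for System, System.IO and System.Linq.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Assumed cutoff: the instant the patched 10.0.7 build went live (placeholder date).
// Keys activated and cookies issued before this instant are treated as untrusted.
var cutoffUtc = new DateTimeOffset(2026, 1, 1, 0, 0, 0, TimeSpan.Zero);

builder.Services.AddDataProtection()
    .SetApplicationName("digital-banking-portal")               // assumed name
    .PersistKeysToFileSystem(new DirectoryInfo("/var/dp-keys")) // stand-in for the HSM/Key Vault store
    .SetDefaultKeyLifetime(TimeSpan.FromDays(90));

builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        // Step 4, defence in depth: even if a key from the regression window survives,
        // any cookie issued before the cutoff is rejected and the browser is signed out.
        options.Events.OnValidatePrincipal = async ctx =>
        {
            if (ctx.Properties.IssuedUtc is null || ctx.Properties.IssuedUtc < cutoffUtc)
            {
                ctx.RejectPrincipal();
                await ctx.HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
            }
        };
    });

var app = builder.Build();

// Step 3: rotate the key ring. Run once as a remediation task, not on every start.
// Revoked keys can no longer unprotect payloads, so cookies and tokens minted under
// the old material fail inside the framework; the new key activates immediately.
using (var scope = app.Services.CreateScope())
{
    var keys = scope.ServiceProvider.GetRequiredService<IKeyManager>();
    foreach (var key in keys.GetAllKeys().Where(k => !k.IsRevoked && k.ActivationDate < cutoffUtc))
        keys.RevokeKey(key.KeyId, reason: "CVE-2026-40372 regression window");
    var now = DateTimeOffset.UtcNow;
    keys.CreateNewKey(activationDate: now, expirationDate: now.AddDays(90));
}

app.UseAuthentication();
app.Run();
```

Refresh tokens, password-reset links and other signed artifacts protected by the same key ring fail to unprotect after the revocation, which covers the reissue step for anything the application validates through Data Protection.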

Conclusion

CVE-2026-40372 is a textbook example of why cryptographic regression bugs deserve disproportionate attention from financial-sector defenders: the framework keeps working, the signatures keep validating, and the only thing that breaks is the trust boundary itself. Saudi banks that treat this as a patch-and-move-on event will leave forged-cookie footholds intact. The institutions that close the loop — patch, rotate, revoke, hunt — will satisfy SAMA, NCA, and PCI-DSS obligations simultaneously and emerge with stronger key-management hygiene than they had before the disclosure.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment that benchmarks your cryptographic controls, IAM resilience, and incident-response readiness against current regulatory expectations.