Vulnerabilities | Apr 22, 2026

Microsoft Patches Critical ASP.NET Core CVE-2026-40372 Privilege Escalation Bug

Microsoft patches critical ASP.NET Core privilege escalation bug CVE-2026-40372 with CVSS 9.1

Summary

Microsoft released out-of-band updates to fix CVE-2026-40372, a critical privilege escalation vulnerability in ASP.NET Core that allows attackers to gain SYSTEM privileges through improper cryptographic signature verification. The flaw affects Microsoft.AspNetCore.DataProtection versions 10.0.0-10.0.6 on non-Windows systems and has been resolved in version 10.0.7. Exploitation enables attackers to forge authentication payloads, decrypt protected cookies, and issue legitimately-signed tokens unless the DataProtection key ring is rotated after patching.

Full text

Ravie Lakshmanan, Apr 22, 2026, Vulnerability / Cryptography

Microsoft has released out-of-band updates to address a security vulnerability in ASP.NET Core that could allow an attacker to escalate privileges. The vulnerability, tracked as CVE-2026-40372, carries a CVSS score of 9.1 out of 10.0. It's rated Important in severity. An anonymous researcher has been credited with discovering and reporting the flaw.

"Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network," Microsoft said in a Tuesday advisory. "An attacker who successfully exploited this vulnerability could gain SYSTEM privileges."

The tech giant said an attacker could abuse the vulnerability to disclose files and modify data, but emphasized that successful exploitation hinges on three prerequisites:

  • The application uses Microsoft.AspNetCore.DataProtection 10.0.6 from NuGet (either directly or through a package that depends on it, such as Microsoft.AspNetCore.DataProtection.StackExchangeRedis).
  • The NuGet copy of the library was actually loaded at runtime.
  • The application runs on Linux, macOS, or another non-Windows operating system.

The vulnerability has been addressed by Microsoft in ASP.NET Core version 10.0.7.

"A regression in the Microsoft.AspNetCore.DataProtection 10.0.0-10.0.6 NuGet packages causes the managed authenticated encryptor to compute its HMAC validation tag over the wrong bytes of the payload and then discard the computed hash in some cases," Microsoft explained in its release notes. In such scenarios, an attacker could forge payloads that pass DataProtection's authenticity checks, as well as decrypt previously-protected payloads in authentication cookies, antiforgery tokens, and others.
"If an attacker used forged payloads to authenticate as a privileged user during the vulnerable window, they may have induced the application to issue legitimately-signed tokens (session refresh, API key, password reset link, etc.) to themselves," it added. "Those tokens remain valid after upgrading to 10.0.7 unless the DataProtection key ring is rotated."
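A startup check for the three prerequisites the advisory lists, plus the key ring rotation the release notes say must follow the upgrade, as an added C# example that is not from the article or from Microsoft. Assumed (this example's own choices, not anything the advisory specifies): the shared-framework-path heuristic, the 90-day key expiry, and the `--rotate-dataprotection-keys` switch.

```csharp
using System.Reflection;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddDataProtection();
var app = builder.Build();

// Checks the advisory's three prerequisites: a NuGet copy of Microsoft.AspNetCore.DataProtection
// 10.0.0-10.0.6 was actually loaded, and the host is not Windows.
// Heuristic (assumption): a shared-framework copy lives under a Microsoft.AspNetCore.App directory,
// a NuGet copy is deployed beside the app. Location is empty for single-file publishes, so that
// case is treated as "possibly NuGet" and the version decides.
static bool MeetsAdvisoryPreconditions(out string detail)
{
    var asm = typeof(KeyManagementOptions).Assembly;
    var info = asm.GetCustomAttribute<AssemblyInformationalVersionAttribute>()?.InformationalVersion ?? "";
    Version.TryParse(info.Split('+')[0], out var ver);   // "10.0.6+<sha>" -> 10.0.6
    bool vulnerableVersion = ver is { Major: 10, Minor: 0 } && ver.Build is >= 0 and <= 6;
    bool nugetCopy = asm.Location.Length == 0 ||
                     !asm.Location.Contains("Microsoft.AspNetCore.App", StringComparison.OrdinalIgnoreCase);
    detail = $"assembly={asm.Location} version={info} nugetCopy={nugetCopy} windows={OperatingSystem.IsWindows()}";
    return vulnerableVersion && nugetCopy && !OperatingSystem.IsWindows();
}

if (MeetsAdvisoryPreconditions(out var detail))
    app.Logger.LogWarning("CVE-2026-40372 preconditions met: {Detail}. Upgrade to 10.0.7 and rotate keys.", detail);
else
    app.Logger.LogInformation("CVE-2026-40372 preconditions not met: {Detail}", detail);

// Post-patch key ring rotation. Revoking every existing key makes Unprotect fail for any payload
// sealed under them (cookies, antiforgery tokens, reset links issued during the vulnerable window);
// the fresh key is used for everything protected from now on. Run once, after upgrading to 10.0.7.
if (args.Contains("--rotate-dataprotection-keys"))
{
    var keyManager = app.Services.GetRequiredService<IKeyManager>();
    var now = DateTimeOffset.UtcNow;
    keyManager.RevokeAllKeys(now, reason: "CVE-2026-40372 remediation after upgrade to 10.0.7");
    keyManager.CreateNewKey(activationDate: now, expirationDate: now.AddDays(90));
    app.Logger.LogInformation("Key ring rotated; {Count} keys in ring", keyManager.GetAllKeys().Count);
    return;
}

app.MapGet("/", () => "ok");
app.Run();
```

Revoking all keys signs out every current user and invalidates every outstanding protected token, which is the intended effect here; schedule the rotation accordingly and make sure the same key repository is used by every instance of the app.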

Indicators of Compromise

  • cve — CVE-2026-40372

Entities

  • Microsoft (vendor)
  • ASP.NET Core (product)
  • Microsoft.AspNetCore.DataProtection (product)
  • NuGet (technology)