The Cyber Security News
Microsoft Patches Critical ASP.NET Core CVE-2026-40372 Privilege Escalation Bug

April 22, 2026

Microsoft has released out-of-band updates to address a security vulnerability in ASP.NET Core that could allow an attacker to escalate privileges.

The vulnerability, tracked as CVE-2026-40372, carries a CVSS score of 9.1 out of 10.0, which falls in the Critical band of the CVSS scale, although Microsoft rates it Important under its own severity scheme. An anonymous researcher has been credited with discovering and reporting the flaw.

“Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network,” Microsoft said in a Tuesday advisory. “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.”

The tech giant said an attacker could abuse the vulnerability to disclose files and modify data, but emphasized that successful exploitation hinges on three prerequisites:

  • The application uses Microsoft.AspNetCore.DataProtection 10.0.6 from NuGet (either directly or through a package that depends on it, such as Microsoft.AspNetCore.DataProtection.StackExchangeRedis).
  • The NuGet copy of the library was actually loaded at runtime, rather than the copy that ships in the Microsoft.AspNetCore.App shared framework.
  • The application runs on Linux, macOS, or another non-Windows operating system.

The third condition follows from how DataProtection picks its encryptor: on Windows it uses the CNG-backed encryptors, while on every other platform it falls back to the managed AES-CBC-plus-HMAC encryptor that the regression affects.

Microsoft has addressed the vulnerability in version 10.0.7 of the Microsoft.AspNetCore.DataProtection NuGet package.

“A regression in the Microsoft.AspNetCore.DataProtection 10.0.0-10.0.6 NuGet packages causes the managed authenticated encryptor to compute its HMAC validation tag over the wrong bytes of the payload and then discard the computed hash in some cases,” Microsoft explained in its release notes.

In such scenarios, an attacker could forge payloads that pass DataProtection’s authenticity checks, as well as decrypt previously protected payloads such as authentication cookies and antiforgery tokens. Upgrading the package closes the forgery hole but does not undo anything an attacker obtained while it was open.

“If an attacker used forged payloads to authenticate as a privileged user during the vulnerable window, they may have induced the application to issue legitimately-signed tokens (session refresh, API key, password reset link, etc.) to themselves,” it added. “Those tokens remain valid after upgrading to 10.0.7 unless the DataProtection key ring is rotated.”
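The two practical questions this raises are whether a given deployment actually meets all three prerequisites above, and how to perform the key-ring rotation the release notes call for. The following is an added example and not Microsoft's code or part of the advisory. It assumes a minimal ASP.NET Core app on .NET 10 that references the Microsoft.AspNetCore.DataProtection NuGet package, uses the public IKeyManager API for rotation, and relies on one stated heuristic (an assembly whose Location sits under AppContext.BaseDirectory came from the NuGet restore rather than from the shared framework):

```csharp
using System;
using System.Linq;
using System.Reflection;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

// Added example, not Microsoft's code. Run normally to print the exposure check;
// run with --rotate-keys after upgrading to 10.0.7 to invalidate every payload
// protected during the vulnerable window.
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddDataProtection(); // in a real app, keep your production key-storage config here
var app = builder.Build();

static (bool exposed, string report) CheckExposure()
{
    // IKeyManager lives in Microsoft.AspNetCore.DataProtection.dll, so referencing it
    // binds whichever copy of that assembly won at load time: the app-local NuGet build
    // or the one from the Microsoft.AspNetCore.App shared framework.
    Assembly dp = typeof(IKeyManager).Assembly;

    // Package version: the informational version looks like "10.0.6+<commit>".
    // The assembly version (dp.GetName().Version) stays 10.0.0.0 across patches and is useless here.
    string info = dp.GetCustomAttribute<AssemblyInformationalVersionAttribute>()?.InformationalVersion ?? "";
    bool parsed = Version.TryParse(info.Split('+')[0], out var v);
    bool vulnerableVersion = parsed && v! >= new Version(10, 0, 0) && v < new Version(10, 0, 7);

    // Heuristic (assumption): a Location under the app's base directory means the NuGet copy
    // was loaded. Location is empty for single-file deployments, so report "unknown" there.
    string location = dp.Location;
    bool? fromNuGet = string.IsNullOrEmpty(location)
        ? null
        : location.StartsWith(AppContext.BaseDirectory, StringComparison.OrdinalIgnoreCase);

    // Non-Windows hosts default to the managed AES-CBC + HMAC encryptor; Windows uses CNG.
    bool managedEncryptor = !OperatingSystem.IsWindows();

    bool exposed = vulnerableVersion && fromNuGet == true && managedEncryptor;
    string report =
        $"DataProtection assembly: {(string.IsNullOrEmpty(location) ? "<single-file, location unknown>" : location)}\n" +
        $"  package version                : {(parsed ? v!.ToString() : "unparseable: '" + info + "'")} (in 10.0.0-10.0.6: {vulnerableVersion})\n" +
        $"  loaded from NuGet copy         : {(fromNuGet?.ToString() ?? "unknown")}\n" +
        $"  managed encryptor (non-Windows): {managedEncryptor}\n" +
        $"  EXPOSED: {exposed}";
    return (exposed, report);
}

if (args.Contains("--rotate-keys"))
{
    // Revoke first, then create, so the new key's creation timestamp is later than the
    // mass-revocation timestamp and is not itself swept up by it. Revocation is deliberate:
    // every existing auth cookie, antiforgery token and other protected payload is rejected
    // from now on, which is exactly what a post-forgery cleanup needs.
    var keyManager = app.Services.GetRequiredService<IKeyManager>();
    var now = DateTimeOffset.UtcNow;
    keyManager.RevokeAllKeys(now, reason: "CVE-2026-40372: rotate after upgrade to 10.0.7");
    keyManager.CreateNewKey(activationDate: now, expirationDate: now.AddDays(90)); // 90 days matches the default key lifetime
    Console.WriteLine("Key ring rotated; all previously protected payloads are now rejected.");
    return;
}

var (exposed, report) = CheckExposure();
Console.WriteLine(report);
if (exposed)
{
    Console.Error.WriteLine("Upgrade Microsoft.AspNetCore.DataProtection to 10.0.7, then run with --rotate-keys.");
}
app.Run();
```

Run the rotation against the same key-ring configuration (file system, Redis, Azure Blob, and so on) that production uses; a fresh default configuration would rotate an unrelated key ring. Note that the rotation does not recall tokens the application issued through other signing mechanisms (for example a password-reset link signed by a separate token provider), which the release notes list as a possible consequence; those need to be expired by whatever component minted them. To confirm the package is present in the dependency graph before any of this, `dotnet list package --include-transitive` shows both direct and transitive references to Microsoft.AspNetCore.DataProtection.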


Some parts of this article are sourced from:
thehackernews.com