Microsoft released out-of-band updates to fix a critical ASP.NET Core vulnerability, CVE-2026-40372, that can allow an attacker to escalate privileges to SYSTEM. The flaw was caused by a regression in Microsoft.AspNetCore.DataProtection 10.0.0–10.0.6 on non-Windows systems and is fixed in ASP.NET Core 10.0.7; tokens issued during the vulnerable window remain valid unless the DataProtection key ring is rotated. #CVE-2026-40372 #ASPNetCore
Keypoints
- Microsoft released out-of-band updates to mitigate CVE-2026-40372.
- The vulnerability resulted from a regression in Microsoft.AspNetCore.DataProtection 10.0.0–10.0.6 that computed the HMAC over the wrong bytes.
- An attacker who successfully exploited the flaw could gain SYSTEM privileges, disclose files, and modify data.
- Exploitation requires that the Microsoft.AspNetCore.DataProtection NuGet package be loaded at runtime and that the application run on Linux, macOS, or another non-Windows OS.
- Upgrade to ASP.NET Core 10.0.7 and rotate the DataProtection key ring to invalidate tokens issued during the vulnerable period.
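The dependency check below is an added example, not code from Microsoft or from the article. It reads the output of `dotnet list package --include-transitive` and flags a resolved Microsoft.AspNetCore.DataProtection in the 10.0.0–10.0.6 range given above, whether it is referenced directly or pulled in transitively. The CLI output it parses is a constructed sample embedded in the script (not real project output); the script assumes only that package rows start with `>` and that the resolved version is the last column, which holds for both tables the command prints.

```shell
#!/bin/sh
# Added example (not from the article or Microsoft): flag Microsoft.AspNetCore.DataProtection
# 10.0.0-10.0.6 in the output of `dotnet list package --include-transitive`.
# Usage:  dotnet list package --include-transitive | sh check_dataprotection.sh
# A non-zero exit status from find_vulnerable_refs means at least one vulnerable reference.

# Constructed sample of the CLI output so the script runs offline; not real project output.
SAMPLE_OUTPUT='Project WebApp has the following package references
   [net10.0]:
   Top-level Package                              Requested   Resolved
   > Microsoft.AspNetCore.DataProtection          10.0.4      10.0.4
   > Swashbuckle.AspNetCore                       6.5.0       6.5.0

   Transitive Package                                            Resolved
   > Microsoft.AspNetCore.DataProtection.Abstractions            10.0.4
'

# is_vulnerable_version VERSION: true when VERSION is 10.0.0 through 10.0.6 inclusive.
# [0-6] matches exactly one character, so 10.0.60 and 10.0.7 do not match. Prerelease
# strings such as 10.0.4-preview.1 are deliberately not matched; review those by hand.
is_vulnerable_version() {
    case "$1" in
        10.0.[0-6]) return 0 ;;
        *)          return 1 ;;
    esac
}

# find_vulnerable_refs: reads `dotnet list package` output on stdin, prints
# "<package> <resolved-version>" for each vulnerable row, and returns 1 if any were found.
# Only rows beginning with ">" are package rows; the resolved version is the last column
# in both the top-level and the transitive table. The match is on the exact package name
# named in the advisory summary, so sibling packages such as *.Abstractions are not flagged.
find_vulnerable_refs() {
    found=0
    while read -r marker pkg rest; do
        [ "$marker" = ">" ] || continue
        [ "$pkg" = "Microsoft.AspNetCore.DataProtection" ] || continue
        resolved=$(printf '%s\n' "$rest" | awk '{ print $NF }')
        if is_vulnerable_version "$resolved"; then
            printf '%s %s\n' "$pkg" "$resolved"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Scan the constructed sample when the script is run on its own.
printf '%s\n' "$SAMPLE_OUTPUT" | find_vulnerable_refs \
    || echo "vulnerable DataProtection reference(s) found: upgrade to 10.0.7 and rotate keys"
```

Once a vulnerable reference is found, upgrade with `dotnet add package Microsoft.AspNetCore.DataProtection --version 10.0.7` and rebuild so the transitive graph resolves to the fixed version, then re-run the check. For the second remediation step, keep in mind that creating a new DataProtection key does not by itself stop older keys from unprotecting payloads already issued; to reject tokens issued during the vulnerable window, revoke the old keys (for example via `IKeyManager.RevokeAllKeys`), after which a fresh key is generated and users must re-authenticate.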
Read More: https://thehackernews.com/2026/04/microsoft-patches-critical-aspnet-core.html