Microsoft Patches Critical ASP.NET Core CVE-2026-40372 Privilege Escalation Bug

2026-04-22

1 min read

by info@thehackernews.com (The Hacker News)

Read Original

Get the latest tech trends every morning

Receive daily AI-curated summaries of engineering articles from top tech companies worldwide.

Endigest AI Core Summary

Microsoft releases critical security patch for ASP.NET Core vulnerability CVE-2026-40372 that allows privilege escalation through improper cryptographic signature verification.

•CVE-2026-40372 has CVSS score of 9.1 and allows attackers to gain SYSTEM privileges over a network
•Vulnerability affects Microsoft.AspNetCore.DataProtection versions 10.0.6 and below on non-Windows systems (Linux, macOS)
•Root cause is HMAC validation tag computed over wrong payload bytes, allowing forged payloads to bypass authenticity checks
•Attackers can decrypt previously-protected data in authentication cookies, antiforgery tokens, and session cookies
•Fixed in version 10.0.7; DataProtection key rings must be rotated to invalidate potentially compromised tokens

Microsoft Patches Critical ASP.NET Core CVE-2026-40372 Privilege Escalation Bug

Get the latest tech trends every morning

Endigest AI Core Summary

Related Articles

Building a safe, effective sandbox to enable Codex on Windows

Mitigate credential exposure in Windows environments with Boundary and Vault

Azerbaijani Energy Firm Hit by Repeated Microsoft Exchange Exploitation

[Webinar] Why Your AppSec Tools Miss the "Lethal Path" (and How to Fix It)