Microsoft Patches Critical ASP.NET Core CVE-2026-40372 Privilege Escalation Bug

Ravie LakshmananApr 22, 2026Vulnerability / Cryptography

Microsoft has released out-of-band updates to address a security vulnerability in ASP.NET Core that could allow an attacker to escalate privileges.

The vulnerability, tracked as CVE-2026-40372, carries a CVSS score of 9.1 out of 10.0. It’s rated Important in severity. An anonymous researcher has been credited with discovering and reporting the flaw.

“Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network,” Microsoft said in a Tuesday advisory. “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.”

The tech giant said an attacker could abuse the vulnerability to disclose files and modify data, but emphasized that successful exploitation hinges on three prerequisites –

• The application uses Microsoft.AspNetCore.DataProtection 10.0.6 from NuGet (either directly or through a package that depends on it, such as Microsoft.AspNetCore.DataProtection.StackExchangeRedis).
• The NuGet copy of the library was actually loaded at runtime.
• The application runs on Linux, macOS, or another non-Windows operating system.

The vulnerability has been addressed by Microsoft in ASP.NET Core version 10.0.7.

“A regression in the Microsoft.AspNetCore.DataProtection 10.0.0-10.0.6 NuGet packages cause the managed authenticated encryptor to compute its HMAC validation tag over the wrong bytes of the payload and then discard the computed hash in some cases,” Microsoft explained in its release notes.

In such scenarios, an attacker could forge payloads that pass DataProtection’s authenticity checks, as wellas decrypt previously-protected payloads in authentication cookies, antiforgery tokens, and others.

“If an attacker used forged payloads to authenticate as a privileged user during the vulnerable window, they may have induced the application to issue legitimately-signed tokens (session refresh, API key, password reset link, etc.) to themselves,” it added. “Those tokens remain valid after upgrading to 10.0.7 unless the DataProtection key ring is rotated.”