
Microsoft Out-of-Band Updates Fixed Critical ASP.NET Core Privilege Escalation Flaw
Key Takeaways
- CVE-2026-40372 scores 9.1, enables SYSTEM‑level privilege escalation
- Affected ASP.NET Core 10.0.0‑10.0.6; fixed in version 10.0.7
- Exploit requires DataProtection 10.0.6 on Linux or macOS
- Old tokens stay valid after upgrade; rotate key ring to invalidate
- Microsoft issued out‑of‑band patches, urging immediate deployment
Pulse Analysis
The newly disclosed CVE‑2026‑40372 affects the ASP.NET Core data‑protection subsystem, where incorrect HMAC validation lets an attacker bypass the cryptographic signature check on protected payloads. By forging or decrypting payloads such as cookies and anti‑forgery tokens, an attacker can obtain a valid session and then leverage the vulnerability to gain SYSTEM‑level privileges. The CVSS rating of 9.1 reflects the high impact on confidentiality and integrity, even though the flaw does not directly affect availability.
ASP.NET Core is a cornerstone of modern web services, especially in cloud‑native environments that favor Linux containers. Versions 10.0.0 through 10.0.6 are widely deployed across enterprises, and exploitation requires the vulnerable DataProtection package to be loaded at runtime on Linux or macOS. This narrows the attack surface but still threatens a large segment of the .NET ecosystem, including SaaS platforms and internal APIs. Microsoft's fix arrives in version 10.0.7, yet tokens issued before the upgrade remain usable until administrators rotate the DataProtection key ring, a step often overlooked during routine patch cycles.
The rapid, out‑of‑band response underscores the growing expectation for vendors to address zero‑day flaws swiftly. Organizations should treat this advisory as a priority, applying the 10.0.7 update across all environments and performing key‑ring rotation to invalidate stale tokens. Continuous monitoring for anomalous token usage, combined with a robust vulnerability management program, will reduce the window of exposure. As supply‑chain attacks become more prevalent, the incident also highlights the importance of scrutinizing third‑party NuGet packages and maintaining up‑to‑date dependency inventories.
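As an added example (not code from Microsoft or the advisory), the following Python check inventories an application's *.deps.json files for a DataProtection package pinned in the vulnerable 10.0.0‑10.0.6 range and notes whether the host is Linux or macOS. The package id Microsoft.AspNetCore.DataProtection and the sample deps.json fragment are assumptions constructed for the example.

```python
"""Inventory check for CVE-2026-40372: flag *.deps.json files that pin the
DataProtection package to the vulnerable 10.0.0-10.0.6 range, and note whether
the host is one the advisory says is exploitable (Linux or macOS)."""
import json
import platform
from pathlib import Path

# Assumed package id; the advisory names only "DataProtection".
VULN_PACKAGE = "Microsoft.AspNetCore.DataProtection"
VULN_LOW, VULN_HIGH = (10, 0, 0), (10, 0, 6)   # fixed in 10.0.7

def parse_version(version: str) -> tuple:
    """Reduce a NuGet version to (major, minor, patch); prerelease/build
    suffixes are dropped so '10.0.6-rc.1' is treated conservatively as 10.0.6."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    parts = [int(p) for p in core.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_vulnerable(version: str) -> bool:
    return VULN_LOW <= parse_version(version) <= VULN_HIGH

def find_vulnerable_libraries(deps_json: str) -> list:
    """Return (name, version) for vulnerable DataProtection entries in a deps.json.
    Library keys have the form 'Package.Id/1.2.3'. A DataProtection copy served
    from the shared framework is not listed here and needs a runtime check."""
    doc = json.loads(deps_json)
    hits = []
    for key in doc.get("libraries", {}):
        name, _, version = key.partition("/")
        if name == VULN_PACKAGE and version and is_vulnerable(version):
            hits.append((name, version))
    return hits

def host_is_affected(system: str = "") -> bool:
    """True on Linux or macOS, the only platforms the advisory lists as exploitable."""
    return (system or platform.system()) in ("Linux", "Darwin")

def scan_tree(root: str) -> dict:
    """Map every *.deps.json under root to its vulnerable entries (empty list if clean)."""
    return {str(p): find_vulnerable_libraries(p.read_text()) for p in Path(root).rglob("*.deps.json")}

# Constructed sample deps.json fragment, not taken from a real deployment.
SAMPLE_DEPS_JSON = json.dumps({"targets": {}, "libraries": {
    "Microsoft.AspNetCore.DataProtection/10.0.6": {"type": "package"},
    "Microsoft.Extensions.Logging/10.0.6": {"type": "package"}}})

if __name__ == "__main__":
    print(find_vulnerable_libraries(SAMPLE_DEPS_JSON), "host affected:", host_is_affected())
```

Run `scan_tree("/path/to/publish")` against a deployment directory to list every flagged deps.json; a hit on a Linux or macOS host is the combination the advisory describes.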