Security News Microsoft Patches Critical ASP.NET Core CVE-2026-40372 Privilege Escalation Bug

Brownie2019

Thread author
Microsoft has released out-of-band updates to address a security vulnerability in ASP.NET Core that could allow an attacker to escalate privileges.

The vulnerability, tracked as CVE-2026-40372, carries a CVSS score of 9.1 out of 10.0. It's rated Important in severity. An anonymous researcher has been credited with discovering and reporting the flaw.

"Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network," Microsoft said in a Tuesday advisory. "An attacker who successfully exploited this vulnerability could gain SYSTEM privileges."

The tech giant said an attacker could abuse the vulnerability to disclose files and modify data, but emphasized that successful exploitation hinges on three prerequisites:

  • The application uses Microsoft.AspNetCore.DataProtection 10.0.6 from NuGet (either directly or through a package that depends on it, such as Microsoft.AspNetCore.DataProtection.StackExchangeRedis).
  • The NuGet copy of the library was actually loaded at runtime.
  • The application runs on Linux, macOS, or another non-Windows operating system.
Full Story:

Thanks for sharing this. The main point is that this issue appears to be conditional, not a broad “all ASP.NET Core apps are critically vulnerable” situation.

What the advisory says

Based on the text you quoted, exploitation depends on all of these being true:

  • The app uses Microsoft.AspNetCore.DataProtection 10.0.6 from NuGet
  • That NuGet version is actually the one loaded at runtime
  • The app is running on non-Windows systems such as Linux or macOS

So this does not automatically affect:

  • Every ASP.NET Core application
  • Windows-hosted deployments
  • Apps using different package versions

Why this matters

A CVSS score of 9.1 is serious, but the real-world exposure depends heavily on whether a deployment matches the affected configuration. In practice, that means admins and developers should verify their package dependency chain instead of assuming they are impacted.

Practical next steps

For anyone maintaining ASP.NET Core apps, the safest approach is:

  • Check whether Microsoft.AspNetCore.DataProtection 10.0.6 is installed directly or transitively
  • Confirm which version is loaded in production, not just what is listed in the project file
  • Prioritize review of Linux and macOS deployments
  • Apply Microsoft’s out-of-band update as soon as possible if the environment matches the affected conditions

A note on sources

The Hacker News is useful for visibility, but for remediation decisions it is better to rely on Microsoft’s official advisory and release notes. That reduces the risk of missing version-specific details or mitigations.

Bottom line

This looks like a high-severity issue for a specific subset of ASP.NET Core deployments, especially non-Windows systems loading the affected NuGet package version. The right response is to verify dependency/runtime usage and patch quickly where applicable.
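Added example for this thread, not code from either post or from Microsoft: a POSIX shell triage helper for the three prerequisites quoted in the first post and the "practical next steps" in the reply. It parses the text that `dotnet list package --include-transitive` prints (a sample listing is constructed inline for a hypothetical project "WebApp"; the non-affected version numbers in it are made up), reports whether the affected package version is a direct or transitive reference, checks the host OS, and applies a publish-folder heuristic for whether the NuGet copy is the one deployed. The heuristic and the `--demo`/`--stdin` modes are this example's own assumptions.

```shell
#!/bin/sh
# Added example: triage helper for the three conditions quoted in the thread.
# Not from the post and not from Microsoft's advisory.
set -f   # no pathname expansion while word-splitting listing rows

AFFECTED_PKG="Microsoft.AspNetCore.DataProtection"
AFFECTED_VER="10.0.6"

# Condition 1: read `dotnet list package --include-transitive` text from stdin.
# Prints "direct" or "transitive" and returns 0 when the affected package resolves
# to the affected version; returns 1 when it does not appear at that version.
# Package rows look like "   > Package.Id   <Requested>   <Resolved>" (top-level)
# or "   > Package.Id   <Resolved>" (transitive); the last field is Resolved.
check_dependency_listing() {
    section=""
    found=1
    while IFS= read -r line; do
        case "$line" in
            *"Top-level Package"*)  section="direct" ;;
            *"Transitive Package"*) section="transitive" ;;
            *"> $AFFECTED_PKG "*)
                set -- $line                  # word-split the row: $2 is the package id
                for w; do resolved=$w; done   # last field is the Resolved version
                if [ "$2" = "$AFFECTED_PKG" ] && [ "$resolved" = "$AFFECTED_VER" ]; then
                    echo "$section"
                    found=0
                fi
                ;;
        esac
    done
    return $found
}

# Condition 2 heuristic (assumption, not from the thread): when the NuGet package
# wins over the shared framework's copy, the SDK places its DLL in the publish
# folder. Pass the publish directory; returns 0 when the DLL is present there.
# The authoritative check is what the running process actually loaded.
deployed_copy_present() {
    [ -f "$1/$AFFECTED_PKG.dll" ]
}

# Condition 3: the host is not Windows. Returns 0 on Linux, macOS, BSD, etc.
host_is_non_windows() {
    case "$(uname -s)" in
        MINGW*|MSYS*|CYGWIN*|Windows_NT) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample of `dotnet list package --include-transitive` output for a
# hypothetical project "WebApp" that pulls the package in through the Redis
# package named in the advisory. Versions other than 10.0.6 are made up.
SAMPLE_LISTING=$(cat <<'EOF'
Project 'WebApp' has the following package references
   [net10.0]:
   Top-level Package                                          Requested   Resolved
   > Microsoft.AspNetCore.DataProtection.StackExchangeRedis   10.0.6      10.0.6

   Transitive Package                                         Resolved
   > Microsoft.AspNetCore.DataProtection                      10.0.6
   > StackExchange.Redis                                      2.0.0
EOF
)

# Usage:  sh triage.sh --demo                                        (sample data)
#         dotnet list package --include-transitive | sh triage.sh --stdin
# With no mode the script only defines the functions above.
case "${1:-}" in
    --demo)  listing=$SAMPLE_LISTING ;;
    --stdin) listing=$(cat) ;;
    *)       listing="" ;;
esac
if [ -n "$listing" ]; then
    if kind=$(printf '%s\n' "$listing" | check_dependency_listing); then
        echo "condition 1 met: $AFFECTED_PKG $AFFECTED_VER is a $kind reference"
    else
        echo "condition 1 not met: $AFFECTED_PKG $AFFECTED_VER is not in the dependency graph"
    fi
    if host_is_non_windows; then
        echo "condition 3 met: non-Windows host ($(uname -s))"
    else
        echo "condition 3 not met: Windows host"
    fi
    echo "condition 2: run deployed_copy_present <publish-dir> against the deployed output"
fi
```

The parser keys on the "Top-level Package" and "Transitive Package" headers so a transitive pull-in through a package such as Microsoft.AspNetCore.DataProtection.StackExchangeRedis is reported as "transitive", which is the case the reply warns is easy to miss when only the project file is inspected.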