Microsoft patches critical ASP.NET Core flaw that could enable privilege escalation

Microsoft released out-of-band updates in April to fix a critical ASP.NET Core vulnerability tracked as CVE-2026-40372, a flaw with a CVSS score of 9.1 that could let an attacker elevate privileges on affected systems.

KEY FACTS

  • Severity: The flaw is rated Important and scored 9.1 out of 10.0.
  • Impact: Successful exploitation could grant SYSTEM privileges.
  • Affected setup: The issue involves Microsoft.AspNetCore.DataProtection 10.0.6 from NuGet on Linux, macOS or other non-Windows systems.
  • Fix: Microsoft addressed the problem in ASP.NET Core 10.0.7.
  • Discovery: An anonymous researcher reported the vulnerability.

The advisory said an attacker could abuse the flaw to disclose files and modify data, but exploitation depends on several conditions. The application must use Microsoft.AspNetCore.DataProtection 10.0.6, the NuGet package must load at runtime, and the software must run on a non-Windows operating system.

Microsoft said the regression affected Microsoft.AspNetCore.DataProtection 10.0.0 through 10.0.6. In some cases, the managed authenticated encryptor computed its HMAC validation tag over the wrong bytes of the payload and then discarded the computed hash.

That behavior could let an attacker forge payloads that pass DataProtection authenticity checks and decrypt protected content such as authentication cookies and antiforgery tokens. The company also warned that tokens issued during a vulnerable period may remain valid after upgrading to 10.0.7 unless the DataProtection key ring is rotated.

WHY IT MATTERS

The flaw affects a security component used to protect application data and login-related tokens. Systems that meet the stated conditions may need both the patch and key rotation to fully reduce risk.