Microsoft Patches Critical Vulnerability in ASP.NET Core


Critical Privilege Escalation Flaw Patched in ASP.NET Core

Microsoft has issued out-of-band security updates to address a severe privilege escalation vulnerability in ASP.NET Core, affecting the Data Protection cryptographic APIs.

  • The flaw, designated as CVE-2026-40372, allows unauthenticated attackers to gain SYSTEM privileges on compromised systems by forging authentication cookies.
  • The vulnerability stems from a regression in specific versions of the Microsoft.AspNetCore.DataProtection NuGet packages, causing the managed authenticated encryptor to miscalculate HMAC validation tags.
  • This enables attackers to craft payloads that bypass DataProtection’s authenticity checks, ultimately permitting them to decrypt sensitive data stored in authentication cookies and antiforgery tokens.

Consequences of Exploitation

Successful exploitation could lead to unauthorized access to protected files, modification of sensitive data and, potentially, the issuance of legitimate signed tokens to an attacker, who could then authenticate as a privileged user within the vulnerable time frame.

Mitigation Recommendations

  • Update the Microsoft.AspNetCore.DataProtection package to version 10.0.7.
  • Redeploy affected applications to ensure the patch is applied.

According to Microsoft, “By taking these steps, organizations can effectively mitigate the risk associated with this critical vulnerability and prevent potential attacks exploiting the privilege escalation flaw.”
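As an added post-update check (example code, not from the article or from Microsoft), the following C# console program exercises the authenticity check the article says the regression weakened: it protects a constructed cookie-like payload with the managed AES-256-CBC + HMACSHA256 encryptor, then confirms that flipping one bit in the validation tag or in the ciphertext body makes Unprotect throw instead of returning data. The purpose string and the sample payload are constructed for the example.

```csharp
// Added example, not code from the article or from Microsoft. Assumes a .NET console
// project referencing the Microsoft.AspNetCore.DataProtection (10.0.7 or later) and
// Microsoft.Extensions.DependencyInjection packages. Default key storage is used, so
// no persistence configuration is needed for a one-off check.
using System;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel;
using Microsoft.Extensions.DependencyInjection;

var services = new ServiceCollection();
services.AddDataProtection()
    // Select the managed encryptor explicitly: AES-256-CBC for confidentiality and
    // HMACSHA256 as the validation tag, the code path the article names.
    .UseCustomCryptographicAlgorithms(new ManagedAuthenticatedEncryptorConfiguration
    {
        EncryptionAlgorithmType = typeof(Aes),
        EncryptionAlgorithmKeySize = 256,
        ValidationAlgorithmType = typeof(HMACSHA256),
    });
using var provider = services.BuildServiceProvider();
var protector = provider.GetRequiredService<IDataProtectionProvider>()
                        .CreateProtector("tamper-check"); // constructed purpose string

// Constructed sample payload standing in for the contents of an auth cookie.
byte[] plaintext = Encoding.UTF8.GetBytes("userid=42;role=admin");
byte[] sealedBytes = protector.Protect(plaintext);

// 1. An untouched payload must round-trip to the original bytes.
bool roundTrip = Encoding.UTF8.GetString(protector.Unprotect(sealedBytes)) == "userid=42;role=admin";

// 2. Any modification must be rejected before decryption: Unprotect throws
//    CryptographicException instead of returning bytes. Try the last byte (inside the
//    HMAC validation tag) and a byte in the middle (inside the ciphertext body).
static bool Rejected(IDataProtector p, byte[] sealedData, int index)
{
    byte[] tampered = (byte[])sealedData.Clone();
    tampered[index] ^= 0x01;                  // flip one bit
    try { p.Unprotect(tampered); return false; }
    catch (CryptographicException) { return true; }
}
bool tagRejected  = Rejected(protector, sealedBytes, sealedBytes.Length - 1);
bool bodyRejected = Rejected(protector, sealedBytes, sealedBytes.Length / 2);

Console.WriteLine($"round trip: {(roundTrip ? "ok" : "FAILED")}");
Console.WriteLine($"tampered tag rejected: {tagRejected}, tampered body rejected: {bodyRejected}");
Environment.Exit(roundTrip && tagRejected && bodyRejected ? 0 : 1);
```

A non-zero exit code means a modified payload was accepted, which is the condition to escalate to the platform team rather than a confirmation that the deployment is patched.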

Timeline

  • April 23, 2026: Microsoft releases out-of-band security updates addressing the privilege escalation vulnerability.
  • CVE-2026-40372: Designated identifier for the privilege escalation flaw.
  • Bleeping Computer: Initially reported the vulnerability.

Affected Components

  • ASP.NET Core Data Protection cryptographic APIs
  • Microsoft.AspNetCore.DataProtection NuGet packages
