securityaffairs.com 4/22/2026, 3:08:28 PM · via preferred

Microsoft issues emergency fix for ASP.NET Core SYSTEM flaw

Evidence panel (CyberSIXT): primary source msrc.microsoft.com; CISA KEV: not listed; patch: available.

Microsoft released out-of-band updates to address a serious ASP.NET Core vulnerability tracked as CVE-2026-40372 (CVSS 9.1); the fix ships in ASP.NET Core version 10.0.7. An attacker could exploit the flaw to gain SYSTEM-level privileges, read sensitive files and modify data, though the vulnerability cannot be used to disrupt system availability. An anonymous researcher reported the flaw, prompting patches to reduce risk for affected systems. According to Microsoft, exploitation in the wild is currently less likely.

The advisory notes that a bug in Microsoft.AspNetCore.DataProtection 10.0.0–10.0.6 can cause incorrect HMAC validation, potentially allowing an attacker to forge or decrypt protected data and impersonate users. Tokens issued during the vulnerable window remain valid after upgrading unless the DataProtection key ring is rotated.

Such tokens could have been issued to the attacker if forged payloads were used to authenticate as a privileged user during the vulnerable window, the firm adds. Exploitation requires three conditions: the app uses Microsoft.AspNetCore.DataProtection 10.0.6 (directly or via dependencies), the NuGet package version is the one loaded at runtime, and the application runs on a non-Windows OS such as Linux or macOS.
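The three conditions above translate directly into a deployment check. The script below is an added example, not code from the article or from Microsoft: it reads an application's `*.deps.json` manifest (the standard .NET layout, with a `libraries` map keyed `Package/Version`, is assumed here), looks for the Microsoft.AspNetCore.DataProtection NuGet package in the advisory's 10.0.0–10.0.6 range, and combines that with the host OS. The two manifests embedded in it are constructed for illustration.

```python
"""Check an ASP.NET Core deployment's deps.json for the affected DataProtection package.

Added example; not the article's or Microsoft's code. The deps.json structure
("libraries" keyed "Package/Version" with a "type" field) is assumed from the
standard .NET manifest format. Sample manifests below are constructed.
"""
import json
import platform

PACKAGE = "Microsoft.AspNetCore.DataProtection"
# Range named in the advisory: 10.0.0 through 10.0.6; fixed in 10.0.7.
AFFECTED_MIN = (10, 0, 0)
AFFECTED_MAX = (10, 0, 6)

# Constructed sample: app that pulls the NuGet package at an affected version.
SAMPLE_VULNERABLE_DEPS = json.loads("""
{
  "libraries": {
    "MyApp/1.0.0": {"type": "project"},
    "Microsoft.AspNetCore.DataProtection/10.0.6": {"type": "package"},
    "Serilog/4.0.0": {"type": "package"}
  }
}
""")

# Constructed sample: same app after upgrading to the fixed package.
SAMPLE_FIXED_DEPS = json.loads("""
{
  "libraries": {
    "MyApp/1.0.0": {"type": "project"},
    "Microsoft.AspNetCore.DataProtection/10.0.7": {"type": "package"}
  }
}
""")


def parse_version(text):
    """Turn '10.0.6' (or '10.0.6-preview.1') into a comparable 3-tuple of ints."""
    core = text.split("-")[0].split("+")[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def find_dataprotection_versions(deps):
    """Return the versions of the DataProtection NuGet package listed in a deps.json dict.

    Only "package" entries count: the copy that ships inside the shared framework
    does not appear here, which matches the advisory's "NuGet version loaded at runtime".
    """
    versions = []
    for key, entry in deps.get("libraries", {}).items():
        name, _, version = key.partition("/")
        if name == PACKAGE and entry.get("type") == "package":
            versions.append(version)
    return versions


def is_affected_version(version):
    """True if the version falls inside 10.0.0 .. 10.0.6 inclusive."""
    try:
        return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX
    except ValueError:
        return False


def assess(deps, os_name):
    """Combine the advisory's conditions: affected package version present, non-Windows host."""
    affected = [v for v in find_dataprotection_versions(deps) if is_affected_version(v)]
    if not affected:
        return {"vulnerable": False, "reason": "no affected DataProtection package version in deps.json"}
    if os_name.lower().startswith("win"):
        return {"vulnerable": False,
                "reason": f"{PACKAGE} {affected[0]} present, but the non-Windows condition is not met"}
    return {"vulnerable": True,
            "reason": f"{PACKAGE} {affected[0]} loaded on {os_name}: upgrade to 10.0.7 and rotate the key ring"}


if __name__ == "__main__":
    # Usage: python check_dp.py path/to/MyApp.deps.json; falls back to the constructed sample.
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            deps = json.load(fh)
    else:
        deps = SAMPLE_VULNERABLE_DEPS
    print(assess(deps, platform.system()))
```

Because the advisory says tokens stay valid across the upgrade, a "not vulnerable" result after patching only means the package condition is gone; key ring rotation is still needed if the app ran in the affected configuration.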


Article by CyberSIXT
