MICROSOFT has released out-of-band updates for ASP[.]NET Core to fix a privilege-escalation vulnerability tracked as CVE-2026-40372, which Microsoft says could allow an attacker to gain SYSTEM privileges over a network. The flaw has a CVSS score of 9.1 out of 10.0 and is rated Important in severity; an anonymous researcher is credited with discovering and reporting it.
According to Microsoft's Tuesday advisory, the vulnerability stems from improper verification of a cryptographic signature in ASP[.]NET Core, and exploitation could enable an attacker to disclose files and modify data. Three prerequisites must all hold: the application uses Microsoft.AspNetCore[.]DataProtection 10.0.6 from NuGet (directly or via a dependent package), that NuGet copy, rather than the shared-framework copy, is the one loaded at runtime, and the application runs on Linux, macOS, or another non-Windows operating system.
The issue has been addressed in ASP[.]NET Core version 10.0.7. Microsoft explains that a regression in the DataProtection 10.0.0–10.0.6 NuGet packages caused the authenticated encryptor to operate on the wrong payload bytes, potentially allowing forged payloads to pass authenticity checks or decrypt previously protected data.
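Because the advisory ties exposure to which copy of the DataProtection assembly is actually loaded, a runtime check is more reliable than reading a project file. The following C# diagnostic is an added example, not code from Microsoft or the ASP.NET Core project: it inspects the loaded Microsoft.AspNetCore.DataProtection assembly, reads its informational version (the assembly version alone usually stays at 10.0.0.0 across patch releases), and applies the three prerequisites from the advisory. The affected range 10.0.0 through 10.0.6 and the fixed version 10.0.7 come from the page; the path heuristic used to recognise a shared-framework load is an assumption about the usual `shared/Microsoft.AspNetCore.App/` layout.

```csharp
using System;
using System.Reflection;
using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;

// Added diagnostic (not Microsoft's code): reports which copy of
// Microsoft.AspNetCore.DataProtection an application has loaded and whether
// the advisory's three prerequisites for CVE-2026-40372 all hold.
public static class DataProtectionExposureCheck
{
    // Range named on the page as affected; 10.0.7 is the first fixed build.
    static readonly Version FirstAffected = new Version(10, 0, 0);
    static readonly Version FirstFixed = new Version(10, 0, 7);

    public sealed record Result(
        string InformationalVersion,
        string Location,
        bool FromSharedFramework,
        bool NonWindows,
        bool VersionInAffectedRange)
    {
        // Exposure requires all three advisory prerequisites at once.
        public bool Exposed => VersionInAffectedRange && !FromSharedFramework && NonWindows;
    }

    public static Result Check()
    {
        // Referencing a public type from the implementation assembly guarantees
        // it is loaded before inspection; AuthenticatedEncryptorConfiguration
        // lives in Microsoft.AspNetCore.DataProtection.dll.
        Assembly asm = typeof(AuthenticatedEncryptorConfiguration).Assembly;

        // Patch level is carried by the informational version, e.g. "10.0.6+<sha>".
        string info = asm.GetCustomAttribute<AssemblyInformationalVersionAttribute>()
                         ?.InformationalVersion ?? "unknown";
        string numeric = info.Split('+', '-')[0];
        bool parsed = Version.TryParse(numeric, out Version? ver);
        bool affected = parsed && ver! >= FirstAffected && ver < FirstFixed;

        // Location is empty for single-file bundles; treat that as "unknown origin"
        // (i.e. not proven to be the shared framework) so it is not silently ignored.
        string location = asm.Location ?? string.Empty;
        // Assumption: shared-framework builds load from .../shared/Microsoft.AspNetCore.App/<ver>/,
        // whereas a NuGet copy is deployed alongside the application.
        bool shared = location.Replace('\\', '/')
            .Contains("/shared/Microsoft.AspNetCore.App/", StringComparison.OrdinalIgnoreCase);

        bool nonWindows = !OperatingSystem.IsWindows();

        return new Result(info, location, shared, nonWindows, affected);
    }

    // Usage: call once at startup and log the outcome.
    public static void Main()
    {
        Result r = Check();
        Console.WriteLine($"DataProtection version: {r.InformationalVersion}");
        Console.WriteLine($"Loaded from: {(r.Location.Length == 0 ? "<single-file bundle>" : r.Location)}");
        Console.WriteLine($"Shared framework copy: {r.FromSharedFramework}");
        Console.WriteLine($"Non-Windows host: {r.NonWindows}");
        Console.WriteLine($"Version in affected range: {r.VersionInAffectedRange}");
        Console.WriteLine(r.Exposed
            ? "EXPOSED: all three advisory prerequisites hold; update to 10.0.7 or later."
            : "Not exposed by the advisory's criteria (still update if the package is below 10.0.7).");
    }
}
```

The check deliberately treats an unknown load location as "not shared framework" so that a single-file deployment carrying the NuGet package is reported as exposed rather than missed; the remediation in every case is the same as the advisory's, moving the package to 10.0.7 or later.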