Microsoft releases emergency update for ASP.NET Core to fix privilege escalation vulnerability CVE-2026-40372
Microsoft has issued an out-of-band update for .NET to address CVE-2026-40372, a critical privilege escalation vulnerability in ASP.NET Core applications. The flaw, caused by improper verification of cryptographic signatures, affects Microsoft.AspNetCore.DataProtection versions 10.0.0 through 10.0.6. It can be exploited over the network without authentication, and deployments on non-Windows operating systems are particularly affected.
Context
CVE-2026-40372 is a critical vulnerability in Microsoft.AspNetCore.DataProtection versions 10.0.0 through 10.0.6. The flaw arises from improper verification of cryptographic signatures and can be exploited remotely without authentication. Deployments on non-Windows operating systems are particularly affected, which increases the urgency for those users to apply the update.
Why it matters
The release of this emergency update is crucial as it addresses a significant security vulnerability that could allow attackers to escalate privileges in ASP.NET Core applications. Given the widespread use of these applications, the potential for exploitation poses a serious risk to data integrity and system security. Prompt action is necessary to protect users and organizations from potential breaches.
Implications
If left unaddressed, this vulnerability could lead to unauthorized access and control over affected systems, potentially resulting in data breaches or service disruptions. Organizations that rely on ASP.NET Core applications may face reputational damage and financial losses if they experience a security incident. The update underscores the importance of timely software maintenance and security vigilance in the tech industry.
What to watch
Organizations using the affected versions of ASP.NET Core should prioritize applying the emergency update to mitigate risks. Monitoring for any reports of exploitation attempts will be essential in the coming weeks. Additionally, users should stay informed about any further updates or patches from Microsoft that may address related vulnerabilities.
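One way to find deployments that carry the affected package, as an added example that is not from Microsoft or from this article: it walks a directory tree, reads each published application's *.deps.json file, and classifies every recorded Microsoft.AspNetCore.DataProtection version against the 10.0.0 through 10.0.6 range stated above. It assumes the package is recorded as a NuGet library in that file; classify, versions_in and scan are names chosen for this example.

```python
import json
import re
from pathlib import Path

PACKAGE = "microsoft.aspnetcore.dataprotection"   # NuGet ids are case-insensitive
# Affected range exactly as stated on this page: 10.0.0 through 10.0.6.
AFFECTED_MIN, AFFECTED_MAX = (10, 0, 0), (10, 0, 6)
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.\d+)?(-[0-9A-Za-z.-]+)?(?:\+.*)?$")


def classify(version):
    """Return 'affected', 'not-affected' or 'review' for a NuGet version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "review"              # unparsable version string: needs a human look
    core = tuple(int(part) for part in m.group(1, 2, 3))
    if not AFFECTED_MIN <= core <= AFFECTED_MAX:
        return "not-affected"
    # The page says nothing about pre-release builds, so do not guess for them.
    return "review" if m.group(4) else "affected"


def versions_in(doc):
    """Yield package versions from a parsed *.deps.json ('libraries' keys are 'id/version')."""
    for key in doc.get("libraries", {}):
        pkg, _, version = key.partition("/")
        if pkg.lower() == PACKAGE:
            yield version


def scan(root):
    """Return sorted (path, version, verdict) tuples for every *.deps.json under root."""
    findings = []
    for path in Path(root).rglob("*.deps.json"):
        try:
            doc = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue                 # unreadable or malformed file: skip it
        if isinstance(doc, dict):
            for version in versions_in(doc):
                findings.append((str(path), version, classify(version)))
    return sorted(findings)


if __name__ == "__main__":
    for path, version, verdict in scan("."):
        print(f"{verdict:12} {version:24} {path}")
```

Run it from the directory that holds the published applications. A verdict of review marks a pre-release or unparsable version that the range given in this article does not settle.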