Microsoft Issues Emergency Patches for Critical ASP.NET Core Vulnerability

Microsoft Issues Emergency Patches for Critical ASP.NET Core Vulnerability

First seen 22 Apr 2026, 03:36 UTC NeowinCybersecuritynewsGbhackersBleepingcomputerSecurityaffairs.Co+9 91% similarity 72.2

Article Content

Browse articles
ThreatCluster

On April 21, 2026, Microsoft released an emergency out-of-band update, .NET 10.0.7, to address a critical privilege escalation vulnerability tracked as CVE-2026-40372. This flaw, found in the ASP.NET Core Data Protection cryptographic APIs, allows unauthenticated attackers to forge authentication cookies, potentially gaining SYSTEM privileges on affected devices. The vulnerability was discovered after users reported decryption failures following the installation of .NET 10.0.6 during Patch Tuesday. Microsoft has emphasized that all non-Windows operating systems using .NET 10.0.6 are impacted, and it is crucial for affected users to update to the latest version immediately. The flaw has a CVSS score of 9.1, indicating a severe risk of exploitation. Organizations are advised to rotate their DataProtection key rings to mitigate risks from previously issued tokens. This incident follows a previous critical vulnerability (CVE-2025-55315) patched in October 2025, highlighting ongoing security challenges in the ASP.NET framework.

Key Points: • Microsoft released .NET 10.0.7 to patch CVE-2026-40372, a critical privilege escalation vulnerability. • The flaw allows unauthenticated attackers to forge authentication cookies and gain SYSTEM privileges. • All non-Windows operating systems using .NET 10.0.6 are affected, necessitating immediate updates.

ThreatCluster AI

Timeline

2025-10-14
CVE-2025-55315 published
2025-10-17
First public PoC for CVE-2025-55315
2026-04-21
CVE-2026-40372 published
2026-04-22
Microsoft releases .NET 10.0.7 to address CVE-2026-40372

Community

Browse all →