Back

Microsoft Issues Urgent .NET Update to Address Critical Security Flaw

Severity: High (Score: 72.0)

Sources: Cybersecuritynews, Neowin

Summary

On April 21, 2026, Microsoft published CVE-2026-40372, a severe vulnerability in the .NET platform with a severity score of 9.1. This flaw allows attackers to exploit an elevation of privilege (EoP) by forging authentication cookies and decrypting secure payloads. The vulnerability affects all non-Windows operating systems running .NET version 10.0.6, particularly those on Linux and macOS. Following reports of decryption failures after the Patch Tuesday update, Microsoft released an emergency out-of-band update, .NET 10.0.7, on April 22, 2026, to address both the regression and the security issue. Users are urged to install the update immediately to prevent potential exploitation that could lead to SYSTEM privileges, enabling unauthorized access to files and data. The situation underscores the critical nature of timely updates in mitigating supply chain risks associated with software vulnerabilities. Key Points: • CVE-2026-40372 is a critical vulnerability with a severity score of 9.1. • The flaw affects non-Windows systems running .NET 10.0.6, particularly Linux and macOS. • Microsoft released an emergency update, .NET 10.0.7, to address the vulnerability.

Key Entities

  • CVE-2026-40372 (cve)
  • CWE-269 - Improper Privilege Management (cwe)
  • T1068 - Exploitation for Privilege Escalation (mitre_attack)
  • ASP.NET Core (platform)
  • Linux (platform)
  • MacOS (platform)
  • .NET (platform)
  • NuGet (platform)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed