Microsoft has released out-of-band updates to address a security vulnerability in ASP.NET Core that could allow an attacker to escalate privileges.
The vulnerability, tracked as CVE-2026-40372, carries a CVSS score of 9.1 out of 10.0. It is rated Important in severity. An anonymous researcher has been credited with discovering and reporting the flaw.
“Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network,” Microsoft said in a Tuesday advisory. “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.”
The tech giant said an attacker could abuse the vulnerability to disclose information and modify data, but emphasized that successful exploitation hinges on three prerequisites:
- The application uses Microsoft.AspNetCore.DataProtection 10.0.6 from NuGet (either directly or through a package that depends on it, such as Microsoft.AspNetCore.DataProtection.StackExchangeRedis).
- The NuGet copy of the library was actually loaded at runtime.
- The application runs on Linux, macOS, or another non-Windows operating system.
The vulnerability has been addressed by Microsoft in ASP.NET Core version 10.0.7.
“A regression in the Microsoft.AspNetCore.DataProtection 10.0.0-10.0.6 NuGet packages causes the managed authenticated encryptor to compute its HMAC validation tag over the wrong bytes of the payload and then discard the computed hash in some cases,” Microsoft explained in its release notes.
In such scenarios, an attacker could forge payloads that pass DataProtection’s authenticity checks, as well as decrypt previously-protected payloads in authentication cookies, antiforgery tokens, and others.
“If an attacker used forged payloads to authenticate as a privileged user during the vulnerable window, they could have caused the application to issue legitimately-signed tokens (session refresh, API key, password reset link, etc.) to themselves,” it added. “These tokens remain valid after upgrading to 10.0.7 unless the DataProtection key ring is rotated.”
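The three prerequisites above are awkward to confirm from a package manifest alone, because the shared framework ships its own copy of the library and only the NuGet copy is affected. The following startup check is an added example, not Microsoft's code; it assumes the package carries an `AssemblyInformationalVersion` attribute of the form `10.0.6+<commit>` and uses a path heuristic (an assumption) to tell a shared-framework load from a NuGet load.

```csharp
using System;
using System.Reflection;
using System.Runtime.InteropServices;
using Microsoft.AspNetCore.DataProtection;

public static class DataProtectionRegressionCheck
{
    // Affected NuGet package range, as stated in the release notes quoted above.
    static readonly Version Lowest = new(10, 0, 0);
    static readonly Version Highest = new(10, 0, 6);

    // Returns a finding to log at startup, or null when the three conditions do not all hold.
    public static string? Evaluate()
    {
        // Resolve whichever copy of Microsoft.AspNetCore.DataProtection this process actually loaded
        // (prerequisite 2), rather than what the project file or lock file claims.
        Assembly asm = typeof(DataProtectionProvider).Assembly;

        // AssemblyVersion stays at 10.0.0.0 across patch releases, so the informational version
        // ("10.0.6+<commit>") is the one that distinguishes 10.0.6 from 10.0.7 (assumption: attribute present).
        string info = asm.GetCustomAttribute<AssemblyInformationalVersionAttribute>()?.InformationalVersion ?? "";
        string numeric = info.Split('+')[0].Split('-')[0];
        if (!Version.TryParse(numeric, out Version? v))
            return $"Could not determine DataProtection version from '{info}'; verify manually.";

        bool inAffectedRange = v >= Lowest && v <= Highest;            // prerequisite 1
        bool nonWindows = !RuntimeInformation.IsOSPlatform(OSPlatform.Windows); // prerequisite 3

        // Heuristic (assumption): the shared framework copy lives under .../shared/Microsoft.AspNetCore.App/.
        // Anything loaded from elsewhere (the app's bin folder) is the NuGet copy the advisory describes.
        // Location is empty for single-file bundles, in which case the check cannot decide.
        string location = asm.Location;
        if (string.IsNullOrEmpty(location))
            return "DataProtection assembly location unavailable (single-file app); verify package version manually.";
        bool fromSharedFramework = location.Replace('\\', '/').Contains("/shared/Microsoft.AspNetCore.App/");

        if (inAffectedRange && nonWindows && !fromSharedFramework)
            return $"Affected configuration: DataProtection {v} loaded from '{location}' on " +
                   $"{RuntimeInformation.OSDescription}. Upgrade to 10.0.7 and rotate the DataProtection key ring.";
        return null;
    }
}
```

Because the release notes say tokens issued during the vulnerable window stay valid after the upgrade, the finding deliberately pairs the version bump with key ring rotation rather than reporting the upgrade alone as sufficient.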