
Microsoft has released out-of-band (OOB) security updates to patch a critical ASP.NET Core privilege escalation vulnerability.
The security flaw (tracked as CVE-2026-40372) was found in the ASP.NET Core Data Protection cryptographic APIs, and it could allow unauthenticated attackers to gain SYSTEM privileges on affected devices by forging authentication cookies.
Microsoft discovered the flaw following user reports that decryption was failing in their applications after installing the .NET 10.0.6 update released during this month's Patch Tuesday.
“A regression in the Microsoft.AspNetCore.DataProtection 10.0.0-10.0.6 NuGet packages causes the managed authenticated encryptor to compute its HMAC validation tag over the wrong bytes of the payload and then discard the computed hash in some cases,” Microsoft says in the .NET 10.0.7 release notes.
“In these cases, the broken validation could allow an attacker to forge payloads that pass DataProtection's authenticity checks, and to decrypt previously-protected payloads in auth cookies, antiforgery tokens, TempData, OIDC state, etc.
“If an attacker used forged payloads to authenticate as a privileged user during the vulnerable window, they may have caused the application to issue legitimately-signed tokens (session refresh, API key, password reset link, etc.) to themselves. Those tokens remain valid after upgrading to 10.0.7 unless the DataProtection key ring is rotated.”
As Microsoft further explained in a Tuesday security advisory, this vulnerability can also allow attackers to disclose files and modify data, but they cannot affect the system's availability.
On Tuesday, senior program manager Rahul Bhandari warned all customers whose applications use ASP.NET Core Data Protection to update the Microsoft.AspNetCore.DataProtection package to 10.0.7 as soon as possible, then redeploy to fix the validation routine and ensure that any forged payloads are rejected automatically.
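The key ring rotation that the release notes call for, written out as an added example that is not Microsoft's code and is not taken from the advisory: it uses the public IKeyManager API from Microsoft.AspNetCore.DataProtection to revoke every existing key and mint a replacement. The application name, the key-ring directory and the 90-day lifetime are assumptions and must be replaced with the values the real application is configured with.

```csharp
using System;
using System.IO;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

// Added example, not Microsoft's code. Build the same DataProtection configuration the
// application uses: the application name and key-ring directory are assumptions and must
// match the running app, otherwise the rotation targets the wrong key ring.
var services = new ServiceCollection();
services.AddDataProtection()
    .SetApplicationName("example-app")                                   // assumed
    .PersistKeysToFileSystem(new DirectoryInfo("/var/example-app/keys")); // assumed

using var provider = services.BuildServiceProvider();
var keyManager = provider.GetRequiredService<IKeyManager>();

var now = DateTimeOffset.UtcNow;

// Revoke every key created before now. Anything protected under those keys (auth cookies,
// antiforgery tokens, TempData, OIDC state) fails validation from here on, which is what
// invalidates tokens that may have been issued to a forged identity during the vulnerable window.
keyManager.RevokeAllKeys(now, reason: "Key ring rotation after upgrading DataProtection to 10.0.7 (CVE-2026-40372)");

// Create a replacement key that is active immediately. The 90-day lifetime mirrors the
// DataProtection default and is an assumption, not something the advisory prescribes.
IKey newKey = keyManager.CreateNewKey(activationDate: now, expirationDate: now.AddDays(90));

Console.WriteLine($"Revoked prior keys; new key {newKey.KeyId} active from {newKey.ActivationDate:u}");
foreach (var key in keyManager.GetAllKeys())
    Console.WriteLine($"  {key.KeyId} created={key.CreationDate:u} revoked={key.IsRevoked}");
```

Run this once, after the 10.0.7 package is deployed, against the same key repository the application uses; in a multi-node deployment the shared repository means a single run covers every node. Expect every signed-in user to be logged out and any in-flight antiforgery or OIDC handshake to fail, so schedule it in a maintenance window. The revocation is persisted alongside the keys, so the old keys stay listed (with IsRevoked set) rather than being deleted, which keeps an audit trail of what was rotated and when.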
Additional information regarding affected platforms, packages, and application configuration can be found in the original announcement.
In October, Microsoft also patched an HTTP request smuggling bug (CVE-2025-55315) in the Kestrel web server that was flagged with the “highest ever” severity rating for an ASP.NET Core security flaw.
Successful exploitation of CVE-2025-55315 enables authenticated attackers to either hijack other users' credentials, bypass front-end security controls, or crash the server.
On Monday, Microsoft released another set of out-of-band updates to address issues affecting Windows Server systems after installing the April 2026 security updates.
