
Microsoft Releases Out-of-Band Patch for Critical ASP.NET Flaw: CVE-2026-40372

Microsoft has released ASP.NET Core version 10.0.7 as an out-of-band security update to patch a critical security flaw. What are the risks associated with CVE-2026-40372? Here is what we know.

A Critical Flaw in ASP.NET Core Cryptographic APIs

The issue lies within ASP.NET Core's Data Protection cryptographic APIs. This flaw, tracked as CVE-2026-40372, could allow an unauthenticated attacker to gain SYSTEM privileges on the affected machine. An attacker exploiting this vulnerability can forge authentication cookies.

"If an attacker used forged payloads to authenticate as a privileged user during the vulnerability window, they may have caused the application to issue legitimately signed tokens (session refresh, API key, password reset link, etc.)," the security bulletin states.

Microsoft explains that the root cause of the security issue is a regression introduced starting with ASP.NET Core 10.0.0. The weakness is an incorrect verification of a cryptographic signature in ASP.NET Core.

Redmond also clarifies that Windows itself is not affected, but rather applications built on this framework. "On Windows, DataProtection uses CNG-based encryption modules by default, which do not contain this bug. Versions 8.0.x and 9.0.x are not affected. The faulty code path was introduced during development of version 10.0 and was never backported," the advisory reads.

What is unusual is how this security flaw was discovered: Microsoft identified the issue after several users reported decryption failures in their applications. That is likely why the finding is credited to "Anonymous" on the MSRC site.

The Security Patch: 10.0.7

ASP.NET Core version 10.0.6 was released a few days ago, during the April 2026 Patch Tuesday. However, if you installed that update, you need to move to version 10.0.7 instead. At the moment, this is the only version that includes a security fix for CVE-2026-40372.

If you are using an application that relies on ASP.NET Core, and especially Data Protection, patch it as soon as possible. You can download the latest version here:
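To find out which installed ASP.NET Core shared runtimes fall in the affected range (any 10.0.x build before 10.0.7, with 8.0.x and 9.0.x unaffected), the following script parses the output of `dotnet --list-runtimes` and flags the vulnerable ones. It is an added example written for this article, not code from Microsoft or from the advisory; the sample listing embedded in it is constructed, and the decision to treat 10.0 preview builds as affected is an assumption based on the statement that the faulty code path was introduced during development of 10.0.

```python
"""Flag Microsoft.AspNetCore.App 10.0.x shared runtimes older than the fixed 10.0.7 build."""
import re
import subprocess

# Affected range per the advisory: 10.0.x before 10.0.7; 8.0.x and 9.0.x are not affected.
FIXED_VERSION = (10, 0, 7)
AFFECTED_MAJOR_MINOR = (10, 0)

# One line of `dotnet --list-runtimes` looks like:
# "Microsoft.AspNetCore.App 10.0.6 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]"
RUNTIME_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ver>\d+\.\d+\.\d+)(?P<suffix>\S*)\s+\[(?P<path>[^\]]+)\]"
)

# Constructed sample listing used when `dotnet` is not available on the host.
SAMPLE_LISTING = """\
Microsoft.AspNetCore.App 8.0.15 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 9.0.4 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 10.0.6 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 10.0.7 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 10.0.6 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""


def parse_version(text: str) -> tuple:
    """Turn '10.0.6' into (10, 0, 6) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))


def vulnerable_aspnetcore_runtimes(listing: str) -> list:
    """Return (version, path) pairs for ASP.NET Core runtimes in the affected range."""
    hits = []
    for line in listing.splitlines():
        match = RUNTIME_LINE.match(line.strip())
        if not match or match.group("name") != "Microsoft.AspNetCore.App":
            continue
        version = parse_version(match.group("ver"))
        if version[:2] != AFFECTED_MAJOR_MINOR:
            continue  # 8.0.x / 9.0.x are out of scope
        # Assumption: any 10.0 preview/RC build (version carries a suffix) predates the fix.
        is_prerelease = bool(match.group("suffix"))
        if version < FIXED_VERSION or is_prerelease:
            hits.append((match.group("ver") + match.group("suffix"), match.group("path")))
    return hits


def installed_runtimes_listing() -> str:
    """Run `dotnet --list-runtimes` on this host; return '' if dotnet is missing or fails."""
    try:
        result = subprocess.run(
            ["dotnet", "--list-runtimes"], capture_output=True, text=True, check=True
        )
        return result.stdout
    except (OSError, subprocess.CalledProcessError):
        return ""


if __name__ == "__main__":
    listing = installed_runtimes_listing() or SAMPLE_LISTING
    for version, path in vulnerable_aspnetcore_runtimes(listing):
        print(f"AFFECTED: Microsoft.AspNetCore.App {version} at {path} (update to 10.0.7)")
```

Note that this only inspects framework-dependent deployments, which resolve the shared runtime at startup; a self-contained application bundles its own copy of ASP.NET Core and must be rebuilt against 10.0.7 and redeployed, so inventory those separately.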

Author: Florian Burnel, co-founder of IT-Connect
Systems and network engineer, co-founder of IT-Connect and Microsoft MVP "Cloud and Datacenter Management". I'd like to share my experience and discoveries through my articles. I'm a generalist with a particular interest in Microsoft solutions and scripting. Enjoy your reading.
