Microsoft has released an out-of-band update to address a security vulnerability in ASP.NET Core that could allow an attacker to escalate privileges.
This vulnerability is tracked as CVE-2026-40372 and has a CVSS score of 9.1 out of 10.0. Severity is rated as Important. An anonymous researcher is credited with discovering and reporting this flaw.
“Inadequate validation of cryptographic signatures in ASP.NET Core could allow an unauthorized attacker to escalate privileges over the network,” Microsoft said in an advisory Tuesday. “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.”
The tech giant said an attacker could exploit the vulnerability to disclose files or change data, but stressed that successful exploitation depends on three prerequisites.
The application uses Microsoft.AspNetCore.DataProtection 10.0.6 from NuGet, either directly or via packages that depend on it, such as Microsoft.AspNetCore.DataProtection.StackExchangeRedis. The NuGet copy of the library was actually loaded at runtime. The application runs on Linux, macOS, or other non-Windows operating systems.
This vulnerability was resolved by Microsoft in ASP.NET Core version 10.0.7.
“A regression in the Microsoft.AspNetCore.DataProtection 10.0.0-10.0.6 NuGet package causes the managed authenticated cryptographic program to calculate HMAC validation tags for incorrect bytes in the payload and, in some cases, discard the calculated hash,” Microsoft explained in the release notes.
In such a scenario, an attacker could forge a payload that passes DataProtection’s authenticity checks, or decrypt a payload that was previously protected, such as with an authentication cookie or anti-forgery token.
“If an attacker used a forged payload to authenticate as a privileged user during a vulnerable period, they could have induced the application to issue legitimately signed tokens (such as session updates, API keys, password reset links, etc.) to itself,” it added. “These tokens will remain valid after upgrading to 10.0.7 unless the DataProtection key ring is rotated.”
Source link
