5 min read
By: RedLegg's Cyber Threat Intelligence Team
About:
CVE-2026-40372 is a critical elevation of privilege vulnerability in ASP.NET Core Data Protection caused by improper verification of cryptographic signatures.
An attacker can exploit this vulnerability over the network without authentication by manipulating cryptographic operations. Successful exploitation may allow forging of authentication cookies and decryption of protected application data, potentially leading to unauthorized access and compromise of application sessions.
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.
VULNERABILITIES
Elevation of Privilege Vulnerability in ASP NET Core Data Protection
Identifier: CVE-2026-40372
CVSS Score: 9.1 (Critical, CVSS v3.1)
PoC or Exploitation:
There are no confirmed reports of active exploitation in the wild and no validated public proof-of-concept exploit code.
Update/ Patch:
Microsoft has released a fix for this vulnerability.
Affected versions include:
Microsoft.AspNetCore.DataProtection 10.0.0 through 10.0.6
Fixed versions include:
Microsoft.AspNetCore.DataProtection 10.0.7
Microsoft advisory and patch guidance:
Description:
CVE-2026-40372 is an elevation of privilege vulnerability in ASP.NET Core Data Protection caused by improper verification of cryptographic signatures.
An attacker can exploit this vulnerability over a network without authentication by manipulating cryptographic operations. Successful exploitation may allow forging of authentication cookies and decryption of protected application data.
Mitigation Recommendation:
Immediately upgrade Microsoft.AspNetCore.DataProtection to version 10.0.7.
Identify and remediate any applications using affected package versions.
Prioritize patching for internet-facing applications and systems handling authentication.
Monitor authentication logs for suspicious login behavior or abnormal session activity.
