Microsoft: Microsoft Issues Emergency .NET 10.0.7 Update to Patch Elevation of Privilege Vulnerability


Microsoft Releases Emergency Patch for Critical .NET Privilege Escalation Flaw (CVE-2026-40372)

Microsoft has issued an out-of-band security update to address a severe elevation of privilege vulnerability in the .NET framework, tracked as CVE-2026-40372. The flaw emerged as a regression in .NET 10.0.6, introduced during a routine Patch Tuesday update, and was later identified as a critical security risk after developers reported widespread decryption failures.

The vulnerability stems from a cryptographic flaw in the Microsoft.AspNetCore.DataProtection NuGet package, where the managed authenticated encryptor incorrectly processed its Hash-based Message Authentication Code (HMAC). By calculating validation tags using the wrong payload bytes and discarding the resulting hash, the flaw compromises data integrity, allowing attackers to manipulate payloads and escalate privileges without triggering authentication alerts.
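
To make the failure class concrete, the following added example (not Microsoft's code, and not a reconstruction of the .NET fix or the CVE's exploit) shows a minimal encrypt-then-MAC token format with two verifiers side by side: one that recomputes the HMAC over the bytes it actually received and refuses to decrypt on mismatch, and a broken one that, as the article describes, feeds the wrong bytes to the HMAC and throws the result away. The stream cipher, keys, nonce and message are constructed for the demo; `protect`, `unprotect_correct` and `unprotect_broken` are names chosen here.

```python
import hashlib
import hmac
from typing import Optional

# Constructed demo keys, fixed so the example is reproducible offline.
# A real deployment derives per-purpose keys from a managed key ring.
KEY_ENC = b"demo-encryption-key-0123456789ab"
KEY_MAC = b"demo-mac-key-abcdef0123456789xyz"
NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output size


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from SHA-256 (stand-in for AES-CTR)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, key))


def protect(plaintext: bytes, nonce: bytes) -> bytes:
    """Encrypt-then-MAC: the tag covers nonce || ciphertext, exactly the bytes a verifier receives."""
    assert len(nonce) == NONCE_LEN
    body = nonce + _xor(plaintext, _keystream(KEY_ENC, nonce, len(plaintext)))
    tag = hmac.new(KEY_MAC, body, hashlib.sha256).digest()
    return body + tag


def unprotect_correct(token: bytes) -> Optional[bytes]:
    """Recompute the tag over the same bytes and compare before decrypting."""
    if len(token) < NONCE_LEN + TAG_LEN:
        return None
    body, tag = token[:-TAG_LEN], token[-TAG_LEN:]
    expected = hmac.new(KEY_MAC, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # integrity failure: refuse to decrypt
    nonce, ciphertext = body[:NONCE_LEN], body[NONCE_LEN:]
    return _xor(ciphertext, _keystream(KEY_ENC, nonce, len(ciphertext)))


def unprotect_broken(token: bytes) -> Optional[bytes]:
    """Models the failure class described in the article: the HMAC is computed
    over the wrong bytes and its result is discarded, so tampering is never
    detected. Illustration only; this is not the .NET implementation."""
    if len(token) < NONCE_LEN + TAG_LEN:
        return None
    body, tag = token[:-TAG_LEN], token[-TAG_LEN:]
    _unused = hmac.new(KEY_MAC, tag, hashlib.sha256).digest()  # wrong input, never compared
    nonce, ciphertext = body[:NONCE_LEN], body[NONCE_LEN:]
    return _xor(ciphertext, _keystream(KEY_ENC, nonce, len(ciphertext)))


def corrupt(token: bytes, index: int) -> bytes:
    """Flip one bit of a token to simulate corruption in transit or in storage."""
    mutated = bytearray(token)
    mutated[index] ^= 0x01
    return bytes(mutated)


def demo() -> dict:
    """Run both verifiers on an intact and a corrupted token."""
    nonce = b"\x00" * NONCE_LEN  # constructed; real code uses a fresh random nonce
    message = b"session=constructed-sample"
    token = protect(message, nonce)
    tampered = corrupt(token, NONCE_LEN + 3)  # a ciphertext byte, not the tag
    return {
        "roundtrip": unprotect_correct(token),
        "correct_on_tampered": unprotect_correct(tampered),
        "broken_on_tampered": unprotect_broken(tampered),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The correct verifier returns `None` for the corrupted token and the caller can log and reject it; the broken verifier returns a silently altered plaintext with no signal that anything was wrong. That silent acceptance, rather than the cipher itself, is what turns a MAC bug into an integrity and privilege problem, and it is also why monitoring for a sudden drop in (or absence of) authentication failures can be a useful sanity check after a Data Protection upgrade.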

The issue affects .NET 10 deployments running versions 10.0.0 through 10.0.6, including applications deployed in containers using unpatched base images. Organizations relying on ASP.NET Core Data Protection for securing sensitive data are particularly at risk.

To remediate, development teams must:

  • Install .NET 10.0.7 SDK or Runtime from Microsoft’s official portal.
  • Update the Microsoft.AspNetCore.DataProtection dependency to version 10.0.7 in project configurations.
  • Rebuild and redeploy applications using fresh container images or installation packages.

Microsoft has urged teams to verify the update via dotnet --info and report any stability issues through the .NET release feedback repository. The out-of-band patch underscores the urgency of addressing the flaw to prevent potential privilege escalation attacks.
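
As an added inventory check for the remediation steps above (my own helper, not a Microsoft tool), the script below parses the runtime lines that `dotnet --list-runtimes` prints (the same format appears in the runtimes section of `dotnet --info`) and the `PackageReference` entries of a `.csproj`, and reports any .NET 10 runtime or `Microsoft.AspNetCore.DataProtection` reference still below 10.0.7. The sample listing and project file are constructed; the assumption that every 10.0.x build below 10.0.7 (prereleases included) counts as unpatched is mine, based on the 10.0.0 through 10.0.6 range stated in the article.

```python
import re
from typing import Dict, List, Tuple

# Fixed version named in the article; 10.0.0 through 10.0.6 are affected.
FIXED = (10, 0, 7)
PACKAGE = "Microsoft.AspNetCore.DataProtection"

# Matches e.g. `Microsoft.AspNetCore.App 10.0.6 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]`
RUNTIME_LINE = re.compile(
    r"^\s*(?P<name>Microsoft\.[A-Za-z.]+)\s+(?P<ver>\d+\.\d+\.\d+)(?:-[\w.]+)?\s+\["
)
PACKAGE_REF = re.compile(r"<PackageReference\b([^>]*)/?>")
ATTR = re.compile(r'(\w+)="([^"]*)"')
VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def is_affected(ver: str) -> bool:
    """True for any 10.0.x below 10.0.7 (assumption: prereleases of 10.0.x count too)."""
    m = VERSION.match(ver)
    if not m:
        return False  # floating or wildcard versions cannot be judged statically
    v = tuple(int(x) for x in m.groups())
    return v[:2] == FIXED[:2] and v < FIXED


def affected_runtimes(listing: str) -> List[Tuple[str, str]]:
    """Installed shared-framework runtimes in the affected range."""
    hits = []
    for line in listing.splitlines():
        m = RUNTIME_LINE.match(line)
        if m and is_affected(m["ver"]):
            hits.append((m["name"], m["ver"]))
    return hits


def affected_package_refs(csproj: str) -> List[str]:
    """Versions of the DataProtection package pinned below the fix in a project file."""
    hits = []
    for m in PACKAGE_REF.finditer(csproj):
        attrs = dict(ATTR.findall(m.group(1)))
        if attrs.get("Include") == PACKAGE and is_affected(attrs.get("Version", "")):
            hits.append(attrs["Version"])
    return hits


def audit(listing: str, csproj: str) -> Dict[str, list]:
    return {"runtimes": affected_runtimes(listing), "package_refs": affected_package_refs(csproj)}


# Constructed sample output of `dotnet --list-runtimes` on a mixed host.
SAMPLE_RUNTIMES = """\
Microsoft.AspNetCore.App 8.0.11 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 10.0.6 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 10.0.7 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 10.0.6 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""

# Constructed sample project file with one stale reference.
SAMPLE_CSPROJ = """\
<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="10.0.3" />
    <PackageReference Version="10.0.7" Include="Microsoft.AspNetCore.DataProtection.Extensions" />
  </ItemGroup>
</Project>
"""

if __name__ == "__main__":
    result = audit(SAMPLE_RUNTIMES, SAMPLE_CSPROJ)
    for name, ver in result["runtimes"]:
        print(f"UNPATCHED runtime: {name} {ver}")
    for ver in result["package_refs"]:
        print(f"UNPATCHED package reference: {PACKAGE} {ver}")
    if not result["runtimes"] and not result["package_refs"]:
        print("no affected versions found")
```

Feed it the real output of `dotnet --list-runtimes` and your project files to get a per-host and per-repository view; note that an installed 10.0.7 runtime alongside a 10.0.6 one (as in the sample) does not by itself mean an application rolled forward, so a container image or self-contained deployment still needs to be rebuilt as the article's third step requires.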

Source: https://gbhackers.com/microsoft-issues-emergency-net-10-0-7-update/

Microsoft cybersecurity rating report: https://www.rankiteo.com/company/microsoft

"id": "MIC1776839097",
"linkid": "microsoft",
"type": "Vulnerability",
"date": "4/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Organizations relying on '
                                              'ASP.NET Core Data Protection '
                                              'for securing sensitive data',
                        'industry': 'Software',
                        'name': 'Microsoft',
                        'type': 'Technology Company'}],
 'attack_vector': 'Cryptographic Flaw',
 'data_breach': {'data_encryption': 'Compromised due to HMAC processing flaw',
                 'sensitivity_of_data': 'Sensitive data secured by ASP.NET '
                                        'Core Data Protection'},
 'description': 'Microsoft has issued an out-of-band security update to '
                'address a severe elevation of privilege vulnerability in the '
                '.NET framework, tracked as CVE-2026-40372. The flaw emerged '
                'as a regression in .NET 10.0.6, introduced during a routine '
                'Patch Tuesday update, and was later identified as a critical '
                'security risk after developers reported widespread decryption '
                'failures. The vulnerability stems from a cryptographic flaw '
                'in the Microsoft.AspNetCore.DataProtection NuGet package, '
                'where the managed authenticated encryptor incorrectly '
                'processed its Hash-based Message Authentication Code (HMAC). '
                'By calculating validation tags using the wrong payload bytes '
                'and discarding the resulting hash, the flaw compromises data '
                'integrity, allowing attackers to manipulate payloads and '
                'escalate privileges without triggering authentication alerts.',
 'impact': {'systems_affected': '.NET 10 deployments running versions 10.0.0 '
                                'through 10.0.6, including applications '
                                'deployed in containers using unpatched base '
                                'images'},
 'post_incident_analysis': {'corrective_actions': 'Patch regression in .NET '
                                                  '10.0.6, release .NET 10.0.7 '
                                                  'with fixes',
                            'root_causes': 'Cryptographic flaw in '
                                           'Microsoft.AspNetCore.DataProtection '
                                           'NuGet package (HMAC processing '
                                           'error)'},
 'recommendations': 'Update to .NET 10.0.7 SDK or Runtime, update '
                    'Microsoft.AspNetCore.DataProtection dependency to version '
                    '10.0.7, rebuild and redeploy applications, verify updates '
                    'via `dotnet --info`',
 'references': [{'source': 'Microsoft Security Update'}],
 'response': {'containment_measures': 'Install .NET 10.0.7 SDK or Runtime, '
                                      'update '
                                      'Microsoft.AspNetCore.DataProtection '
                                      'dependency to version 10.0.7, rebuild '
                                      'and redeploy applications using fresh '
                                      'container images or installation '
                                      'packages',
              'recovery_measures': 'Verify the update via `dotnet --info` and '
                                   'report any stability issues through the '
                                   '.NET release feedback repository',
              'remediation_measures': 'Install .NET 10.0.7 SDK or Runtime, '
                                      'update '
                                      'Microsoft.AspNetCore.DataProtection '
                                      'dependency to version 10.0.7, rebuild '
                                      'and redeploy applications using fresh '
                                      'container images or installation '
                                      'packages'},
 'title': 'Microsoft Releases Emergency Patch for Critical .NET Privilege '
          'Escalation Flaw (CVE-2026-40372)',
 'type': 'Privilege Escalation',
 'vulnerability_exploited': 'CVE-2026-40372'}