Microsoft Patches Critical ASP.NET Core CVE-2026-40372 Privilege

Executive Summary

Microsoft released out-of-band security updates on April 24, 2026 to address CVE-2026-40372, a critical privilege escalation vulnerability in ASP.NET Core. The flaw, which carries a CVSS score of 9.1, stems from improper verification of cryptographic signatures during certain authentication operations, according to Microsoft's advisory. An anonymous researcher reported the vulnerability. All supported versions of ASP.NET Core and .NET are affected. Microsoft has not observed active exploitation in the wild as of the advisory date, but the severity rating and the out-of-band release cadence indicate elevated risk for enterprise environments hosting ASP.NET Core applications.

Technical Analysis

CVE-2026-40372 is an improper cryptographic verification vulnerability in ASP.NET Core's authentication middleware. The flaw allows an authenticated attacker to escalate privileges by crafting a specially formed authentication token that bypasses signature validation checks, The Hacker News reported. The CVSS 9.1 rating reflects the low attack complexity (AV:N/AC:L) and the high impact on confidentiality, integrity, and availability (C:I:A all rated High). No user interaction is required, and the attack vector is network-based, meaning an attacker can exploit the flaw remotely without prior access to the target system beyond a valid session.

The vulnerability affects all supported versions of ASP.NET Core, including .NET 6, .NET 7, .NET 8, and .NET 9. Microsoft's advisory does not specify which specific authentication flows are impacted, but the improper verification of cryptographic signatures points to flaws in token validation logic, likely related to JWT or similar bearer token handling. The out-of-band release — outside Microsoft's regular Patch Tuesday cycle — signals that the company assessed the risk as warranting immediate action rather than waiting for the next scheduled update.

Microsoft credited an anonymous researcher for discovering and reporting CVE-2026-40372. No further technical details, proof-of-concept code, or exploitation vectors have been publicly disclosed as of this writing, which is consistent with responsible disclosure practices.

Mitigations & Recommendations

Microsoft has released updated packages for all affected .NET versions. System administrators and developers should immediately apply the out-of-band updates to any production or staging environments running ASP.NET Core applications. The updates are available through the standard .NET update channels, including Windows Update, Microsoft Update Catalog, and NuGet package manager.

For environments where immediate patching is not feasible, Microsoft recommends reviewing authentication token validation configurations and applying network-level access controls to limit exposure of ASP.NET Core endpoints to trusted networks only. Organizations should also monitor authentication logs for anomalous token usage patterns, such as repeated failed validation attempts or tokens with unexpected claims. Given the remote, low-complexity nature of the exploit, delaying patching beyond a few days significantly increases risk of compromise.