Close Menu
    What's Hot

    Oil giant BP shutters its corporate venture arm after 20 years

    Chevron and Iraq seek to bypass Strait of Hormuz with Syria pipeline

    Game Cheat Spyware, 24-Hour Ransomware, Chrome Sync Stalking + 12 More Stories

    Facebook X (Twitter) Instagram
    Trending
    • Oil giant BP shutters its corporate venture arm after 20 years
    • Chevron and Iraq seek to bypass Strait of Hormuz with Syria pipeline
    • Game Cheat Spyware, 24-Hour Ransomware, Chrome Sync Stalking + 12 More Stories
    • This Meta study shows AI chatbots could be spreading restrictions on free expression
    • Opinion | Falling Birthrates and America’s Future
    • Republican Senator Thom Tillis Demands Todd Blanche Meet With Epstein Survivors
    • To Defend Europe, German Military Power Needs to Go It Alone
    • How the NYT Reported on Khamenei’s Funeral in Iran
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    Microsoft Patches Critical ASP.NET Core CVE-2026-40372 Privilege Escalation Bug

    adminBy adminApril 22, 2026No Comments2 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    Microsoft Patches Critical ASP.NET Core CVE-2026-40372 Privilege Escalation Bug
    Share
    Facebook Twitter LinkedIn Pinterest Email

    Ravie LakshmananApr 22, 2026Vulnerability / Cryptography

    Microsoft Patches Critical ASP.NET Core CVE-2026-40372 Privilege Escalation Bug

    Microsoft has released out-of-band updates to address a security vulnerability in ASP.NET Core that could allow an attacker to escalate privileges.

    The vulnerability, tracked as CVE-2026-40372, carries a CVSS score of 9.1 out of 10.0. It’s rated Important in severity. An anonymous researcher has been credited with discovering and reporting the flaw.

    “Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network,” Microsoft said in a Tuesday advisory. “An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.”

    The tech giant said an attacker could abuse the vulnerability to disclose files and modify data, but emphasized that successful exploitation hinges on three prerequisites –

    • The application uses Microsoft.AspNetCore.DataProtection 10.0.6 from NuGet (either directly or through a package that depends on it, such as Microsoft.AspNetCore.DataProtection.StackExchangeRedis).
    • The NuGet copy of the library was actually loaded at runtime.
    • The application runs on Linux, macOS, or another non-Windows operating system.
    Cybersecurity

    The vulnerability has been addressed by Microsoft in ASP.NET Core version 10.0.7.

    “A regression in the Microsoft.AspNetCore.DataProtection 10.0.0-10.0.6 NuGet packages cause the managed authenticated encryptor to compute its HMAC validation tag over the wrong bytes of the payload and then discard the computed hash in some cases,” Microsoft explained in its release notes.

    In such scenarios, an attacker could forge payloads that pass DataProtection’s authenticity checks, as wellas decrypt previously-protected payloads in authentication cookies, antiforgery tokens, and others.

    “If an attacker used forged payloads to authenticate as a privileged user during the vulnerable window, they may have induced the application to issue legitimately-signed tokens (session refresh, API key, password reset link, etc.) to themselves,” it added. “Those tokens remain valid after upgrading to 10.0.7 unless the DataProtection key ring is rotated.”

    ASP.NET bug Core critical CVE202640372 Escalation Microsoft Patches Privilege
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleForty years of Mswati rule offer zilch to celebrate – The Mail & Guardian
    Next Article Titanium Court review: hard to explain and even harder to put down
    admin
    • Website

    Related Posts

    Game Cheat Spyware, 24-Hour Ransomware, Chrome Sync Stalking + 12 More Stories

    July 16, 2026

    n8n Token Exchange Flaw Could Let Attackers Log In as Users From Another Issuer

    July 16, 2026

    New TELEPUZ Malware Spreads via ClickFix to Steal Data and Run Commands

    July 16, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    Oil giant BP shutters its corporate venture arm after 20 years

    Chevron and Iraq seek to bypass Strait of Hormuz with Syria pipeline

    Game Cheat Spyware, 24-Hour Ransomware, Chrome Sync Stalking + 12 More Stories

    This Meta study shows AI chatbots could be spreading restrictions on free expression

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by