Microsoft Issues Urgent Patch for Critical ASP.NET Core Security Flaw
Updated · The Hacker News · Apr 22
Microsoft has released emergency patches to fix a critical privilege escalation vulnerability in ASP.NET Core, tracked as CVE-2026-40372.
The flaw, which carries a CVSS score of 9.1, affects the Data Protection libraries on non-Windows systems and could allow attackers to forge authentication tokens and gain SYSTEM privileges.
Developers must update to version 10.0.7, rebuild applications, rotate Data Protection keys, and expire existing tokens to fully mitigate the risk.
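The key-rotation and token-expiry steps above can be carried out with the ASP.NET Core Data Protection key manager. The following is an added example, not code from The Hacker News or Microsoft; the key directory, application name, purpose string and token payload are constructed for the demonstration, and it assumes the Microsoft.AspNetCore.DataProtection and Microsoft.Extensions.DependencyInjection packages.

```csharp
// Added example: revoke the existing Data Protection keys so that payloads
// (e.g. auth tokens) protected before the rotation are rejected, while new
// payloads keep working under a freshly generated key.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

class KeyRotationDemo
{
    static void Main()
    {
        // Constructed key-ring location; a real app points this at its actual key store.
        var keyDir = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "dp-keys-demo"));
        keyDir.Create();

        var services = new ServiceCollection();
        services.AddDataProtection()
            .SetApplicationName("rotation-demo")           // hypothetical application name
            .PersistKeysToFileSystem(keyDir)
            .SetDefaultKeyLifetime(TimeSpan.FromDays(30)); // shorter lifetime limits exposure per key
        using var provider = services.BuildServiceProvider();

        var protector = provider.GetRequiredService<IDataProtectionProvider>()
                                .CreateProtector("auth-token");       // hypothetical purpose string
        string oldToken = protector.Protect("session-for-user-42");    // constructed payload
        Console.WriteLine($"Before rotation: {protector.Unprotect(oldToken)}");

        // Rotation: every key created before this instant is marked revoked, so any
        // token issued under those keys stops validating.
        var keyManager = provider.GetRequiredService<IKeyManager>();
        keyManager.RevokeAllKeys(DateTimeOffset.UtcNow, reason: "CVE-2026-40372 remediation");

        // With no unrevoked key left, the provider generates a new key on the next
        // Protect call, so freshly issued tokens continue to round-trip.
        string newToken = protector.Protect("session-for-user-42");
        Console.WriteLine($"After rotation:  {protector.Unprotect(newToken)}");

        try
        {
            protector.Unprotect(oldToken);
            Console.WriteLine("Old token still valid: rotation did not take effect");
        }
        catch (CryptographicException)
        {
            Console.WriteLine("Old token rejected: pre-rotation tokens are now invalid");
        }
    }
}
```

Revocation records are persisted alongside the keys, so every instance sharing the key store rejects the old tokens once it reloads its key ring.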