Articles tagged CVE-2026-40372

Microsoft patches critical ASP.NET Core data-protection flaw to curb cookie forgery
security · 3 hours ago


Microsoft released out-of-band security updates for a critical ASP.NET Core Data Protection vulnerability (CVE-2026-40372) that could let unauthenticated attackers forge authentication cookies and gain SYSTEM privileges. The flaw stems from a regression in versions 10.0.0–10.0.6 of the Microsoft.AspNetCore.DataProtection NuGet package, which could allow forged payloads to pass authenticity checks; upgrading to 10.0.7 and redeploying with a rotated DataProtection key ring fixes the issue. This follows April’s Patch Tuesday and includes additional out-of-band Windows Server fixes. No service disruption is reported, but applications using DataProtection should update promptly to prevent token forgery and data exposure.

Microsoft Releases Urgent Patch for ASP.NET Core Privilege Escalation (CVE-2026-40372)
technology · 3 hours ago


Microsoft issued out-of-band updates to fix a critical ASP.NET Core vulnerability (CVE-2026-40372) that could let an attacker escalate to SYSTEM by forging tokens when a vulnerable DataProtection NuGet package (Microsoft.AspNetCore.DataProtection 10.0.0–10.0.6) is loaded at runtime on non-Windows systems. The fix is in ASP.NET Core 10.0.7; exploitation requires the vulnerable package, a non-Windows OS, and the app running with the library loaded. If tokens were issued during the vulnerability window, they remain valid after upgrading until the DataProtection key ring is rotated.