Microsoft released an emergency out-of-band security update to address a critical privilege escalation vulnerability in ASP.NET Core. The flaw is tracked as CVE-2026-40372 and carries a high severity score. Unauthenticated attackers can exploit this vulnerability to gain full SYSTEM privileges on affected servers.
The vulnerability resides in the ASP.NET Core Data Protection cryptographic APIs, which applications use to protect authentication cookies and similar tokens. By forging authentication cookies, attackers can potentially bypass the protections that depend on those APIs. The issue specifically affects applications running on Linux and macOS that use certain Microsoft.AspNetCore.DataProtection NuGet packages.
Microsoft issued the patch outside its standard release cycle after users reported decryption failures that emerged following the most recent .NET update. Administrators are urged to apply the updates immediately to mitigate the risk of exploitation.
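Because the fix ships as updated NuGet packages, the first step for an administrator is finding every project that references the affected Data Protection packages and checking its pinned version. The script below is an added example written for this article, not code from Microsoft or from the .NET project: it parses `.csproj` files for `PackageReference` elements whose name starts with `Microsoft.AspNetCore.DataProtection` and flags any version below a minimum you supply. The minimum patched version is not stated in the article, so the script carries an obviously labelled placeholder that must be replaced with the version from Microsoft's advisory; the sample project file embedded in the script is constructed for illustration.

```python
"""Inventory check for Microsoft.AspNetCore.DataProtection package references.

Added example (not Microsoft's code). Walks .csproj files, extracts
PackageReference versions for the Data Protection packages and reports any
that sit below a caller-supplied minimum patched version.
"""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path
from typing import List, Tuple

# ASSUMPTION: the patched version must be taken from Microsoft's advisory.
# This placeholder deliberately parses as 0.0.0 so nothing is flagged until
# it is replaced with the real value.
MIN_PATCHED_VERSION = "0.0.0-REPLACE-WITH-ADVISORY-VERSION"

AFFECTED_PREFIX = "Microsoft.AspNetCore.DataProtection"

# Constructed sample project file used for the stand-alone run below.
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="8.0.1" />
    <PackageReference Include="Microsoft.AspNetCore.DataProtection.Abstractions" Version="8.0.1" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>
"""


def parse_version(version: str) -> Tuple[int, int, int]:
    """Reduce a NuGet version string to a comparable (major, minor, patch) tuple.

    Pre-release suffixes such as '-preview.1' are dropped; missing or
    non-numeric components are treated as 0 so comparisons never raise.
    """
    core = version.split("-", 1)[0]
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return parts[0], parts[1], parts[2]


def _local_name(tag: str) -> str:
    """Strip an XML namespace prefix; old-style csproj files carry one."""
    return tag.rsplit("}", 1)[-1]


def find_dataprotection_refs(csproj_xml: str) -> List[Tuple[str, str]]:
    """Return (package, version) pairs for affected packages in one csproj."""
    root = ET.fromstring(csproj_xml)
    refs = []
    for el in root.iter():
        if _local_name(el.tag) != "PackageReference":
            continue
        name = el.get("Include") or el.get("Update") or ""
        if not name.startswith(AFFECTED_PREFIX):
            continue
        version = el.get("Version")
        if version is None:
            # Version may also be written as a child element.
            child = next((c for c in el if _local_name(c.tag) == "Version"), None)
            version = (child.text or "").strip() if child is not None else ""
        refs.append((name, version))
    return refs


def outdated_refs(csproj_xml: str, min_version: str = MIN_PATCHED_VERSION) -> List[Tuple[str, str]]:
    """Return only the affected references whose version is below min_version."""
    minimum = parse_version(min_version)
    return [(n, v) for n, v in find_dataprotection_refs(csproj_xml)
            if parse_version(v) < minimum]


def scan_tree(root_dir: str, min_version: str = MIN_PATCHED_VERSION) -> List[Tuple[str, str, str]]:
    """Scan every .csproj under root_dir; return (file, package, version) for outdated refs."""
    findings = []
    for path in Path(root_dir).rglob("*.csproj"):
        try:
            text = path.read_text(encoding="utf-8")
            for name, version in outdated_refs(text, min_version):
                findings.append((str(path), name, version))
        except ET.ParseError as exc:
            print(f"skipping {path}: {exc}", file=sys.stderr)
    return findings


if __name__ == "__main__":
    # Stand-alone run against the constructed sample; pass a directory and the
    # advisory's minimum version to scan a real source tree instead.
    if len(sys.argv) == 3:
        for f, n, v in scan_tree(sys.argv[1], sys.argv[2]):
            print(f"{f}: {n} {v} is below {sys.argv[2]}")
    else:
        for n, v in find_dataprotection_refs(SAMPLE_CSPROJ):
            print(f"sample project references {n} {v}")
```

Invoked as `python check_dp.py /path/to/source <min-version>` it prints one line per outdated reference; with no arguments it lists the Data Protection packages in the constructed sample. Projects that pin versions through `Directory.Packages.props` or a `packages.lock.json` are not covered by this csproj-only scan, and `dotnet list package --vulnerable` remains the authoritative check once the advisory data reaches the NuGet vulnerability feed.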