CVE-2026-40372 – ASP.NET Core Elevation of Privilege Vulnerability
“When signature validation breaks, attackers don’t need credentials—they can manufacture trust and rise straight to SYSTEM-level control.”
This vulnerability in ASP.NET Core arises from improper verification of cryptographic signatures within the Data Protection component. Under specific conditions—particularly in non-Windows environments using affected package versions—an attacker can craft malicious payloads that bypass integrity checks. This allows unauthorized privilege escalation over the network without requiring authentication or user interaction, potentially granting SYSTEM-level access and enabling sensitive data exposure or tampering.
CVSS Score: 9.1
SEVERITY: Critical
THREAT: This flaw undermines one of the most fundamental security guarantees—data integrity. If attackers can forge trusted payloads, they can impersonate users, escalate privileges, and manipulate application behavior without detection. The risk is especially severe because exploitation requires no prior access and can be executed remotely.
EXPLOITS:
No public exploits or proof-of-concept code are currently confirmed. No in-the-wild exploitation has been disclosed, and exploitation is assessed as less likely at this stage. However, the simplicity of the attack vector and the absence of any privilege requirement increase the likelihood of future weaponization.
TECHNICAL SUMMARY:
The vulnerability is caused by improper verification of cryptographic signatures (CWE-347) in the ASP.NET Core Data Protection library, specifically in versions 10.0.0 through 10.0.6. A flaw in the managed cryptographic implementation results in incorrect validation of protected payloads, allowing tampered or forged data to be treated as valid. This affects authentication tokens, cookies, and other protected data structures. The issue primarily impacts applications running on Linux, macOS, or non-Windows systems where managed cryptography is used. Windows systems using default CNG-based encryption are not affected unless explicitly configured to use managed algorithms.
EXPLOITABILITY:
Affected systems include ASP.NET Core applications using Microsoft.AspNetCore.DataProtection versions 10.0.0–10.0.6, particularly in self-contained deployments or where the NuGet package overrides the shared framework. Exploitation involves sending specially crafted payloads to the application to bypass signature validation and gain elevated privileges.
BUSINESS IMPACT:
This vulnerability can lead to full compromise of application trust boundaries. Attackers may gain SYSTEM-level privileges, access sensitive data, modify critical records, and generate valid authentication artifacts that persist beyond remediation. This creates risks of long-term persistence, data breaches, regulatory violations, and reputational damage.
WORKAROUND:
If patching is not immediately possible, avoid using affected Data Protection package versions, ensure applications rely on the shared framework where safe, restrict exposure of vulnerable services, and monitor logs for anomalies such as repeated invalid payload errors. Transitioning to unaffected environments or configurations can reduce risk temporarily.
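The EXPLOITABILITY and WORKAROUND sections above both turn on one question: is the application carrying the Microsoft.AspNetCore.DataProtection NuGet package in the 10.0.0–10.0.6 range, overriding the shared framework, or does it rely on the framework copy? The Python script below is an added example, not part of this advisory or of any Microsoft tooling: it reads a published app's *.deps.json and flags such a package entry. The sample deps.json is constructed; the layout it parses (a `libraries` map keyed by `Name/Version` with a `type` field) is the standard .NET deps.json structure, and treating prerelease versions as their base version is an assumption.

```python
import json
import re
import sys

# Affected NuGet package and inclusive version range as stated in the advisory.
AFFECTED_PACKAGE = "microsoft.aspnetcore.dataprotection"
AFFECTED_MIN = (10, 0, 0)
AFFECTED_MAX = (10, 0, 6)

# Constructed sample of a published app's *.deps.json (not a real deployment);
# the "targets" section is trimmed. The package reference pins 10.0.3, so the
# NuGet assembly overrides the one shipped in the shared framework.
SAMPLE_DEPS_JSON = """{
  "runtimeTarget": { "name": ".NETCoreApp,Version=v10.0" },
  "targets": { ".NETCoreApp,Version=v10.0": {} },
  "libraries": {
    "MyApp/1.0.0": { "type": "project", "serviceable": false },
    "Microsoft.AspNetCore.DataProtection/10.0.3": { "type": "package", "serviceable": true },
    "Newtonsoft.Json/13.0.3": { "type": "package", "serviceable": true }
  }
}"""

def parse_version(text):
    """'10.0.3' or '10.0.3-preview.1' -> (10, 0, 3). The prerelease suffix is
    ignored, so a prerelease is treated as its base version (an assumption)."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None

def is_affected_version(version_text):
    v = parse_version(version_text)
    return v is not None and AFFECTED_MIN <= v <= AFFECTED_MAX

def find_affected_packages(deps_json_text):
    """Return [(name, version)] for each library entry of type 'package' whose
    name is the Data Protection package and whose version is in the range.
    An app that relies on the shared framework has no such package entry."""
    hits = []
    for key, meta in json.loads(deps_json_text).get("libraries", {}).items():
        name, _, version = key.partition("/")
        if meta.get("type") == "package" and name.lower() == AFFECTED_PACKAGE:
            if is_affected_version(version):
                hits.append((name, version))
    return hits

if __name__ == "__main__":
    # Usage: python check_deps.py path/to/App.deps.json (sample used when no path given)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DEPS_JSON
    for name, version in find_affected_packages(text):
        print(f"AFFECTED: {name} {version} overrides the shared framework; update the package")
```

A clean result only means the package is not overriding the shared framework; the installed runtime itself still needs the patched version.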
URGENCY:
The combination of network-based exploitation, no authentication requirement, and high impact on confidentiality and integrity makes this vulnerability extremely dangerous. Even though exploitation has not yet been observed, the conditions are ideal for rapid attacker adoption. Immediate patching, combined with validation of runtime binaries and key rotation, is critical to prevent both initial compromise and post-patch persistence.
Key Details
- Affected Product: Microsoft ASP.NET Core
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- CWE Classification: CWE-347