Improper Verification of Cryptographic Signature in ASP.NET Core - CVE-2026-40372

Published: April 22, 2026


Vulnerability identifier: #VU126862
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-40372
CWE-ID: CWE-347
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Microsoft
Affected software: ASP.NET Core

Detailed vulnerability description

The vulnerability allows a remote attacker to elevate privileges.

The vulnerability exists due to improper verification of a cryptographic signature in Microsoft.AspNetCore.DataProtection when processing cryptographically protected payloads. A remote attacker can send specially crafted data to elevate privileges.

Successful exploitation could result in SYSTEM privileges. The issue affects deployments where the NuGet copy of the library is loaded at runtime, including non-Windows deployments that use the vulnerable code path and certain configurations that use managed algorithms.

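Because the advisory scopes the issue to deployments that load the NuGet copy of the library, an inventory check is to parse each application's `<app>.deps.json` and report DataProtection packages whose runtime assembly ships with the app rather than coming from the shared framework. The script below is an added example, not code from the advisory or from Microsoft; it assumes the standard SDK-generated `deps.json` layout, the sample document and its version numbers are constructed, and the fixed version to compare against must be taken from the vendor's own update notes.

```python
import json
from typing import Dict

# Constructed sample of an SDK-generated <app>.deps.json; package versions are made up.
SAMPLE_DEPS_JSON = """{
  "runtimeTarget": {"name": ".NETCoreApp,Version=v8.0"},
  "targets": {
    ".NETCoreApp,Version=v8.0": {
      "MyApp/1.0.0": {
        "dependencies": {"Microsoft.AspNetCore.DataProtection": "8.0.0"},
        "runtime": {"MyApp.dll": {}}
      },
      "Microsoft.AspNetCore.DataProtection/8.0.0": {
        "runtime": {"lib/net8.0/Microsoft.AspNetCore.DataProtection.dll": {}}
      }
    }
  },
  "libraries": {
    "MyApp/1.0.0": {"type": "project"},
    "Microsoft.AspNetCore.DataProtection/8.0.0": {"type": "package", "serviceable": true}
  }
}"""

# Package family named in the advisory; the exact match is the library the CVE concerns.
PACKAGE_PREFIX = "Microsoft.AspNetCore.DataProtection"


def find_nuget_dataprotection(deps_json_text: str) -> Dict[str, str]:
    """Return {package_name: version} for DataProtection entries that are NuGet packages
    (libraries[...].type == "package") and carry their own runtime DLL, i.e. the NuGet
    copy that the app loads instead of the shared-framework assembly."""
    doc = json.loads(deps_json_text)
    libs = doc.get("libraries", {})
    found: Dict[str, str] = {}
    for target in doc.get("targets", {}).values():
        for key, entry in target.items():
            name, _, version = key.partition("/")
            if not name.startswith(PACKAGE_PREFIX):
                continue
            is_package = libs.get(key, {}).get("type") == "package"
            ships_dll = any(p.lower().endswith(".dll") for p in entry.get("runtime", {}))
            if is_package and ships_dll:
                found[name] = version
    return found


if __name__ == "__main__":
    for pkg, ver in find_nuget_dataprotection(SAMPLE_DEPS_JSON).items():
        print(f"NuGet copy loaded: {pkg} {ver} (compare with vendor's fixed version)")
```

Run it against every `*.deps.json` under your publish directories; an empty result means the app relies on the shared framework's copy, which is patched through the runtime update instead.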
How to mitigate CVE-2026-40372

Install security update from vendor's website.

Sources