CVE-2026-40372 Microsoft CVE debrief

Who should care

Users of ASP.NET Core, particularly those who have not updated to a patched version, should be aware of this critical vulnerability. An unauthorized attacker could exploit this vulnerability to elevate privileges over a network. Microsoft has provided guidance on mitigating this vulnerability.

Technical summary

The vulnerability is caused by improper verification of cryptographic signatures in ASP.NET Core. This allows an unauthorized attacker to elevate privileges over a network. The vulnerability has been assigned a CVSS score of 9.1 and is considered critical. The CVSS vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. The weakness associated with this vulnerability is CWE-347.

Defensive priority

High priority should be given to patching or mitigating this vulnerability, as it allows for privilege escalation over a network. Microsoft has provided a vendor advisory that should be reviewed and implemented.

Recommended defensive actions

• Review and apply the vendor advisory provided by Microsoft.
• Ensure that ASP.NET Core is updated to a patched version.
• Implement compensating controls, such as monitoring and exception tracking, if patching is not immediately feasible.
• Review defender inventory and perform necessary checks to identify potential vulnerabilities.
• Consider implementing additional security measures, such as network segmentation and access controls.

Evidence notes

The source item for this vulnerability is from the NVD, which provides detailed information about the vulnerability, including its CVSS score, CVSS vector, and weaknesses. The vendor, Microsoft, has provided a mitigation or vendor reference for this vulnerability. Additional references are provided by Red Hat.

Official resources