Anonymous Intelligence Signal

Microsoft Issues Critical Patch for ASP.NET Core DataProtection as CVE-2026-40372 Exposes Elevation of Privilege Flaw

human The Lab unverified 2026-05-13 13:48:22 Source: GitHub Issues

Microsoft has released version 10.0.7 of Microsoft.AspNetCore.DataProtection, patching a critical elevation of privilege vulnerability tracked as CVE-2026-40372. The update addresses a flaw in ASP.NET Core's data protection library that could allow an attacker to escalate privileges under specific conditions. The security advisory, jointly published with the National Vulnerability Database (NVD) and linked to GitHub Advisory GHSA-9mv3-2cwr-p262, marks the patch as a direct response to a confirmed weakness in the 10.0.0 release.

The vulnerability affects applications relying on ASP.NET Core's built-in data protection APIs for encryption and key management. Organizations running affected deployments are advised to prioritize the upgrade, as elevation of privilege flaws can enable attackers to move beyond their initial access level within targeted systems. The 10.0.7 patch represents a relatively rapid response given the severity classification, suggesting the issue was either reported through responsible disclosure or identified internally before widespread exploitation.

Security teams managing .NET infrastructure should audit their dependency trees immediately. Automated dependency management tools, including Renovate, have already flagged the update with elevated confidence scores. While no active exploitation has been publicly confirmed, the nature of elevation of privilege vulnerabilities makes them attractive targets for post-exploitation chains. The discrepancy between the CVE year designation and current timelines warrants verification against official NVD records.
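One way to run the dependency-tree audit described above, as an added example that is not code from Microsoft or the advisory: it reads a NuGet `packages.lock.json` and reports every direct or transitive resolution of Microsoft.AspNetCore.DataProtection that sits below 10.0.7. Treating 10.0.0 as the first flagged version is an assumption drawn from the article's wording, and the lock file content is a constructed sample.

```python
import json

PACKAGE = "Microsoft.AspNetCore.DataProtection"  # package named in the advisory
FIXED = (10, 0, 7)      # patched release stated on the page
FIRST_BAD = (10, 0, 0)  # assumption: flag everything from 10.0.0 up to the fix

# Constructed sample lock file (not taken from a real project).
SAMPLE_LOCK = """{
  "version": 1,
  "dependencies": {
    "net10.0": {
      "Example.Auth.Helpers": {"type": "Direct", "resolved": "2.1.0"},
      "microsoft.aspnetcore.dataprotection": {"type": "Transitive", "resolved": "10.0.0"}
    },
    "net10.0/linux-x64": {
      "Microsoft.AspNetCore.DataProtection": {"type": "Direct", "resolved": "10.0.7"}
    }
  }
}"""


def parse_version(text):
    """Split a NuGet version into ((major, minor, patch), is_prerelease)."""
    core, _, pre = text.split("+")[0].partition("-")
    nums = [int(p) for p in core.split(".")[:3]]
    nums += [0] * (3 - len(nums))
    return tuple(nums), bool(pre)


def needs_upgrade(version):
    nums, prerelease = parse_version(version)
    if nums == FIXED and prerelease:
        return True  # a prerelease of the fixed version sorts before the release
    return FIRST_BAD <= nums < FIXED


def audit_lockfile(lock_text):
    """Return (framework, dependency type, resolved version) for flagged entries."""
    findings = []
    for framework, deps in json.loads(lock_text).get("dependencies", {}).items():
        for name, info in deps.items():
            resolved = info.get("resolved", "")
            # NuGet package IDs are case-insensitive; project entries have no "resolved".
            if name.lower() == PACKAGE.lower() and resolved and needs_upgrade(resolved):
                findings.append((framework, info.get("type", "unknown"), resolved))
    return findings


if __name__ == "__main__":
    for finding in audit_lockfile(SAMPLE_LOCK):
        print("upgrade needed:", finding)
```

Transitive hits matter here because the package is often pulled in by other libraries rather than referenced directly, so a project file alone can look clean while the resolved graph is not.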