What Happened
A critical vulnerability in Microsoft.AspNetCore.DataProtection allowed attackers to escalate privileges to SYSTEM level on affected servers. The flaw, tracked as CVE-2026-40372 with a CVSS score of 9.1, stemmed from improper cryptographic signature verification. Applications running Microsoft.AspNetCore.DataProtection version 10.0.6 on non-Windows systems were vulnerable; Microsoft released version 10.0.7 to patch the issue. Note that "SYSTEM" is a Windows account name while the affected platforms are Linux and macOS, where the equivalent is root; confirm the exact impact and preconditions against the vendor advisory before you triage.
The attack vector is the framework's failure to properly validate the cryptographic signature on protected payloads during unprotect operations, so a payload that should be rejected as tampered can be accepted. ASP.NET Core uses DataProtection to protect authentication cookies, anti-forgery tokens, and other sensitive payloads, so if your application relies on any of those, a successful exploit grants an attacker the highest privilege level on your system.
Timeline
While specific incident dates aren't publicly documented for this vulnerability, the disclosure follows a pattern seen in framework-level flaws:
- Discovery phase: Vulnerability identified in cryptographic verification logic within Microsoft.AspNetCore.DataProtection 10.0.6
- Disclosure: Microsoft published CVE-2026-40372 with a critical severity rating
- Patch release: Version 10.0.7 made available
- Exposure window: Any organization running the affected version on Linux or macOS systems remained vulnerable until they applied the update
If you're running ASP.NET Core applications on Linux or macOS and haven't moved Microsoft.AspNetCore.DataProtection from 10.0.6 to 10.0.7, you're exposed to this attack right now. Check both the NuGet package reference and the ASP.NET Core runtime your deployment actually loads: DataProtection ships in the Microsoft.AspNetCore.App shared framework, so a framework-dependent app gets its version from the installed runtime or container base image, not from your project file.
Which Controls Failed or Were Missing
This incident reveals three distinct control failures:
Cryptographic implementation controls: The DataProtection library failed to properly verify signatures before trusting protected data. This is a code-level security defect in Microsoft's framework. Your application inherited the vulnerability simply by using the affected package version.
Dependency management controls: Organizations running vulnerable versions lacked mechanisms to identify and flag critical dependency updates. If your team discovered this CVE through a security bulletin rather than automated dependency scanning, you have a gap.
Platform-specific testing controls: The vulnerability affected only non-Windows systems. DataProtection takes different code paths per platform (its default AES-CBC + HMAC-SHA256 encryptor is backed by Windows CNG on Windows and by managed .NET implementations elsewhere), so a defect can be confined to one OS, which is consistent with insufficient cross-platform testing during development. If you deploy ASP.NET Core on Linux containers but your security testing happens primarily on Windows development machines, you're missing platform-specific attack vectors.
What the Relevant Standards Require
PCI DSS v4.0.1 Requirement 6.3.1 mandates that security vulnerabilities are identified using industry-recognized sources and assigned a risk ranking, and Requirement 6.3.3 requires that applicable critical and high-severity security patches are installed within one month of release. A CVSS 9.1 vulnerability in a framework handling authentication and encryption qualifies as critical, so you must have a process that identifies this type of flaw and gets it patched inside that window.
Requirement 6.3.2 specifically requires maintaining an inventory of bespoke and custom software and of the third-party software components incorporated into it. If you can't answer "which applications in our environment use Microsoft.AspNetCore.DataProtection 10.0.6" within an hour, you don't have the inventory the requirement asks for. The requirement exists precisely for scenarios like this.
OWASP ASVS v4.0.3 V6.2 (Algorithms, within V6 Stored Cryptography) requires that cryptographic modules fail securely and handle errors in a way that does not enable oracle attacks (6.2.1), and that your application uses industry-proven or government-approved algorithms, modes, and libraries (6.2.2). When a framework-level cryptographic verification fails, your application should reject the operation, not grant elevated privileges. The library's behavior here violated that principle.
ISO 27001 Control 8.8 (Management of Technical Vulnerabilities) requires you to obtain timely information about technical vulnerabilities, evaluate exposure, and take appropriate measures. The control explicitly mentions evaluating the risks associated with identified vulnerabilities and implementing patches or other mitigations.
NIST 800-53 Rev 5 SI-2 (Flaw Remediation) requires you to identify, report, and correct system flaws, test software updates before installation, and install security-relevant updates within organization-defined time periods. For critical vulnerabilities affecting authentication or privilege systems, that window should be measured in days, not weeks.
Lessons and Action Items for Your Team
Implement automated dependency scanning immediately: Tools like OWASP Dependency-Check, Snyk, or GitHub Dependabot should flag CVE-2026-40372 the moment it's published, and the SDK's own dotnet list package --vulnerable --include-transitive gives you the same answer from the NuGet vulnerability feed at build time. Configure scanning to run on every build and block deployments with critical vulnerabilities. Your pipeline should have failed when trying to deploy an application with DataProtection 10.0.6 after the CVE disclosure.
Maintain a complete software bill of materials (SBOM): You need a queryable inventory of every package, version, and transitive dependency in production. When Microsoft publishes a critical ASP.NET Core CVE, you should be able to identify affected applications in minutes. CycloneDX or SPDX formats work well for this; record the ASP.NET Core runtime version alongside the packages, because a framework-dependent .NET app loads DataProtection from the shared framework and a package-only SBOM will not show it. Store your SBOMs in a searchable system; spreadsheets don't scale.
Test cryptographic operations across all deployment platforms: If you develop on Windows but deploy to Linux containers, your security testing must include Linux environments. Cryptographic libraries often dispatch to platform-specific implementations (DataProtection itself does), so a defect can be invisible on the platform you test on. Set up CI/CD pipelines that run security tests on the same OS and architecture as your production environment.
Define and enforce patching SLAs based on CVSS scores: A 9.1 severity vulnerability in a framework component should trigger your emergency patching process. Document your response times: CVSS 9.0+ within 7 days, 7.0-8.9 within 30 days, below 7.0 within 90 days. These should align with your compliance requirements (PCI DSS 6.3.3's one month for critical and high findings is the floor) and your risk tolerance.
Verify cryptographic operations fail closed: Review how your application handles cryptographic verification failures. If signature validation fails, does your code reject the request, or does it fall back to a permissive mode? In ASP.NET Core, IDataProtector.Unprotect throws CryptographicException on a tampered or otherwise unreadable payload; a catch block that substitutes a default identity, retries with a legacy unauthenticated format, or continues with whatever it could parse is a fail-open path. The DataProtection vulnerability demonstrates why fail-open cryptography is catastrophic. Your code should let the exception propagate (or map it to a rejected request) and halt processing when verification fails.
Audit privilege escalation paths: Map how an attacker could move from exploiting a framework vulnerability to gaining root or SYSTEM privileges. This CVE provided a direct path, but your architecture should include defense in depth. Run applications as a dedicated non-root user, use container security contexts to block escalation (no privileged containers, allowPrivilegeEscalation set to false, Linux capabilities dropped), and monitor for unusual privilege changes.
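The SBOM query and the SLA triage above, as one added example (not code from the article or from Microsoft): it reads CycloneDX documents, finds components whose package URL falls inside an advisory's affected range, and stamps each hit with a deadline from the CVSS buckets listed above. The two SBOMs, the advisory record, and the reference date are constructed for illustration; a real feed (OSV or the GitHub Advisory DB) carries the same introduced/fixed fields under its own names.

```python
"""Answer "which applications ship the affected DataProtection build?" from
CycloneDX SBOMs and assign each hit a patch deadline from its CVSS score.
Added example for this article; the two SBOMs and the advisory record are
constructed for illustration and are not real artifacts."""
import json
import re
from datetime import date, timedelta

# Constructed CycloneDX 1.5 documents: one application still on the
# affected version, one already on the fixed version.
SAMPLE_SBOMS = [
    json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"name": "payments-api", "version": "3.2.0"}},
        "components": [
            {"type": "library", "name": "Microsoft.AspNetCore.DataProtection",
             "version": "10.0.6",
             "purl": "pkg:nuget/Microsoft.AspNetCore.DataProtection@10.0.6"},
            {"type": "library", "name": "Microsoft.AspNetCore.DataProtection.Abstractions",
             "version": "10.0.6",
             "purl": "pkg:nuget/Microsoft.AspNetCore.DataProtection.Abstractions@10.0.6"},
        ],
    }),
    json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"name": "notifications-worker", "version": "1.4.1"}},
        "components": [
            {"type": "library", "name": "Microsoft.AspNetCore.DataProtection",
             "version": "10.0.7",
             "purl": "pkg:nuget/Microsoft.AspNetCore.DataProtection@10.0.7"},
        ],
    }),
]

# Constructed advisory record mirroring the article: 10.0.6 affected,
# 10.0.7 fixed.  The purl prefix pins the exact package name, so sibling
# packages such as ...DataProtection.Abstractions are not matched.
ADVISORY = {
    "id": "CVE-2026-40372",
    "purl_prefix": "pkg:nuget/Microsoft.AspNetCore.DataProtection@",
    "introduced": "10.0.6",
    "fixed": "10.0.7",
    "cvss": 9.1,
}

# Patch windows from the "Define and enforce patching SLAs" action item.
SLA_DAYS = ((9.0, 7), (7.0, 30), (0.0, 90))
AS_OF = date(2026, 1, 15)  # constructed reference date for the deadlines


def parse_version(v):
    """Split '10.0.7-rc.1' into a comparable tuple: numeric parts, then a
    flag so that a release sorts after its own pre-releases."""
    core, _, pre = v.partition("-")
    nums = tuple(int(x) for x in re.findall(r"\d+", core))
    return nums, pre == "", pre


def is_affected(version, introduced, fixed):
    """Half-open range [introduced, fixed), the convention OSV uses."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def sla_days(cvss):
    for threshold, days in SLA_DAYS:
        if cvss >= threshold:
            return days
    return SLA_DAYS[-1][1]


def triage(sbom_jsons, advisory, today=AS_OF):
    """One finding per (application, component) inside the advisory range,
    with the patch deadline derived from the CVSS bucket."""
    findings = []
    for doc in sbom_jsons:
        sbom = json.loads(doc)
        app = sbom["metadata"]["component"]
        for c in sbom.get("components", []):
            purl = c.get("purl", "")
            if not purl.startswith(advisory["purl_prefix"]):
                continue
            version = purl[len(advisory["purl_prefix"]):]
            if is_affected(version, advisory["introduced"], advisory["fixed"]):
                findings.append({
                    "application": f'{app["name"]}@{app["version"]}',
                    "component": purl,
                    "advisory": advisory["id"],
                    "upgrade_to": advisory["fixed"],
                    "due": (today + timedelta(days=sla_days(advisory["cvss"]))).isoformat(),
                })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_SBOMS, ADVISORY):
        print(finding)
```

Matching on the package URL rather than on the display name avoids false hits on sibling packages, and the half-open range means a pre-release of the fixed version (10.0.7-rc.1) is still reported as affected. For framework-dependent .NET deployments the SBOM also needs a component for the ASP.NET Core runtime, since DataProtection then comes from the shared framework and no NuGet purl will show it.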
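The fail-closed review point, as an added example that is not DataProtection's API and not code from the article: a plain HMAC-SHA256 tag over a JSON payload stands in for the framework's integrity check, and the two callers show the control flow to look for around IDataProtector.Unprotect. The key, purpose string, and claims are constructed; the "legacy fallback" in the fail-open caller is the kind of catch block that turns a verification failure into a forged session.

```python
"""Fail-closed versus fail-open handling of a verification failure.
Added example: a minimal protect/unprotect pair built on HMAC-SHA256, not
the DataProtection API.  The key and purpose below are constructed."""
import base64
import binascii
import hashlib
import hmac
import json

KEY = bytes.fromhex(  # constructed; in production this comes from the key ring / KMS
    "3b2d8f0c1e4a6b7d9f1021324354657687980a1b2c3d4e5f60718293a4b5c6d7")
PURPOSE = b"auth-cookie"  # a purpose string keeps tokens from one context out of another
TAG_LEN = 32


class VerificationError(Exception):
    """Raised for any malformed or tampered token; the DataProtection
    analogue is CryptographicException from Unprotect."""


def _tag(purpose, payload):
    return hmac.new(KEY, purpose + b"\0" + payload, hashlib.sha256).digest()


def protect(purpose, claims):
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload + _tag(purpose, payload)).decode()


def unprotect(purpose, token):
    """Fail closed: callers never see payload bytes whose tag did not verify."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except (ValueError, binascii.Error):
        raise VerificationError("malformed token")
    if len(raw) < TAG_LEN:
        raise VerificationError("malformed token")
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(purpose, payload)):  # constant-time
        raise VerificationError("integrity check failed")
    return json.loads(payload)


def is_valid(purpose, token):
    try:
        unprotect(purpose, token)
        return True
    except VerificationError:
        return False


def current_user_fail_open(token):
    """Anti-pattern: a 'legacy format' fallback that parses the payload even
    though its tag did not verify, so an attacker-edited token is trusted."""
    try:
        return unprotect(PURPOSE, token)
    except VerificationError:
        raw = base64.urlsafe_b64decode(token.encode())
        return json.loads(raw[:-TAG_LEN])  # unverified bytes reach the caller


def current_user_fail_closed(token):
    """Correct: a failed verification yields no identity at all; anything
    privileged must then refuse to proceed."""
    try:
        return unprotect(PURPOSE, token)
    except VerificationError:
        return None


def tamper(token, new_claims):
    """Attacker rewrites the claims but has no key to recompute the tag."""
    raw = base64.urlsafe_b64decode(token.encode())
    payload = json.dumps(new_claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload + raw[-TAG_LEN:]).decode()


if __name__ == "__main__":
    good = protect(PURPOSE, {"sub": "alice", "role": "user"})
    forged = tamper(good, {"sub": "alice", "role": "admin"})
    print("fail-open sees:  ", current_user_fail_open(forged))
    print("fail-closed sees:", current_user_fail_closed(forged))
```

The review question for each call site is the shape of the except block: if anything other than a rejection follows a verification failure, the verification is decorative. Purpose separation (the second argument) matters for the same reason; a token verified for one purpose must not be accepted for another, which is why DataProtection's CreateProtector takes a purpose string.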
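The security-context audit above, as an added example (not code from the article): a small checker that reads a Kubernetes pod manifest and reports the settings that let a compromised process escalate. Both manifests and the image name are constructed; the check list is deliberately minimal and is not a substitute for a policy engine or the built-in Pod Security Standards.

```python
"""Audit a Kubernetes pod spec for the settings that stop a compromised
process from escalating.  Added example; the two manifests are constructed
and the check list is a minimal one, not a full policy engine."""
import json

# Constructed: an ASP.NET Core container deployed with no security context.
WEAK_POD = json.dumps({
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "payments-api"},
    "spec": {"containers": [{
        "name": "app", "image": "registry.example/payments-api:3.2.0",
        "ports": [{"containerPort": 8080}]}]}})

# Constructed: the same workload with escalation paths closed.
HARDENED_POD = json.dumps({
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "payments-api"},
    "spec": {
        "securityContext": {
            "runAsNonRoot": True, "runAsUser": 10001,
            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "app", "image": "registry.example/payments-api:3.2.0",
            "ports": [{"containerPort": 8080}],
            "securityContext": {
                "allowPrivilegeEscalation": False,  # sets no_new_privs
                "privileged": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]}}}]}})


def audit_pod(manifest_json):
    """Return a list of escalation-relevant findings; empty means clean."""
    pod = json.loads(manifest_json)
    spec = pod.get("spec", {})
    pod_ctx = spec.get("securityContext", {})
    problems = []
    if pod_ctx.get("seccompProfile", {}).get("type") not in ("RuntimeDefault", "Localhost"):
        problems.append("pod: seccompProfile not set")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c["name"]
        ctx = c.get("securityContext", {})
        # A container-level value overrides the pod-level one; unset (None)
        # is treated as a finding because the Kubernetes default is permissive.
        if ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot")) is not True:
            problems.append(f"{name}: runAsNonRoot not enforced")
        if ctx.get("allowPrivilegeEscalation") is not False:
            problems.append(f"{name}: allowPrivilegeEscalation not set to false")
        if ctx.get("privileged") is True:
            problems.append(f"{name}: privileged container")
        if "ALL" not in ctx.get("capabilities", {}).get("drop", []):
            problems.append(f"{name}: capabilities not dropped")
        if ctx.get("readOnlyRootFilesystem") is not True:
            problems.append(f"{name}: writable root filesystem")
    return problems


if __name__ == "__main__":
    for label, manifest in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, audit_pod(manifest) or "clean")
```

Run it against the rendered manifests in CI (helm template, kustomize build) so the same gate that blocks a vulnerable package version also blocks a deployment that would hand a successful exploit root in the container. The checks mirror the Restricted Pod Security Standard, which you should prefer enforcing at the namespace level over a home-grown script.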
Subscribe to security advisories for your entire stack: Don't wait for news aggregators. Subscribe directly to Microsoft Security Response Center updates, .NET security announcements, and security mailing lists for every framework you use. When a critical CVE drops, you should know within hours, not days.
The CVE-2026-40372 vulnerability wasn't caused by your code—it was in Microsoft's framework. But your exposure to it is entirely your responsibility. Patch management isn't glamorous, but it's the control that prevents SYSTEM-level compromises from a single outdated package.