CVE-2026-40372: Critical ASP.NET Core Flaw May Let Attackers Gain SYSTEM Privileges
ID: 1e72200b-c473-5daf-a5e4-d9f893b69f14
STIX ID: report--1e72200b-c473-5daf-a5e4-d9f893b69f14
Feed Name: SOC Prime Blog
Microsoft patched CVE-2026-40372, a critical ASP.NET Core Data Protection flaw (CVSS 9.1) present in Microsoft.AspNetCore.DataProtection 10.0.0–10.0.6. It can let attackers forge authentication material (cookies, antiforgery tokens, OpenID state) and potentially escalate to SYSTEM on non-Windows hosts if the vulnerable NuGet package is loaded at runtime. Mitigation requires upgrading to 10.0.7, redeploying affected apps, and rotating the Data Protection key ring to invalidate tokens issued during the vulnerable window.
