Microsoft has addressed a critical privilege escalation vulnerability in ASP.NET Core, identified as CVE-2026-40372, which carries a CVSS score of 9.1. The flaw allows attackers to elevate their privileges, potentially granting SYSTEM-level access to sensitive files and the ability to modify data. The vulnerability was patched in ASP.NET Core version 10.0.7 through an out-of-band update, which highlights the severity of the issue. An anonymous researcher discovered the flaw, prompting Microsoft to release emergency fixes to mitigate the risk. Although the vulnerability does not impact system availability, it could still be exploited to gain significant control over a system. The exploitation status of CVE-2026-40372 is being closely monitored; active discussion involving Microsoft may raise the urgency of immediate patching. This vulnerability matters to practitioners because it underscores the importance of prompt patch management in preventing privilege escalation attacks.
Microsoft out-of-band updates fixed critical ASP.NET Core privilege escalation flaw
Why This Matters
CVE-2026-40372 is in active discussion involving Microsoft — exploitation status determines whether this is patch-now or monitor.
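As an added patch-status check (not code from the SecurityAffairs article), the script below parses `dotnet --list-runtimes` output and flags ASP.NET Core 10.0 shared runtimes older than the fixed 10.0.7 release. It assumes the fix ships in the `Microsoft.AspNetCore.App` shared runtime, which the page does not state, and only covers the 10.0 band, since the page names no other affected versions.

```python
import re
import subprocess
from typing import List, Tuple

# Assumption (not stated on the page): the fix ships in the shared runtime
# "Microsoft.AspNetCore.App" 10.0.7, so any 10.0.x install below it is unpatched.
FIXED_VERSION = (10, 0, 7)
RUNTIME_NAME = "Microsoft.AspNetCore.App"
# One line of `dotnet --list-runtimes`: "<name> <major.minor.patch>[-prerelease] [<path>]"
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ver>\d+\.\d+\.\d+)(?P<suffix>-[\w.]+)?\s+\[(?P<path>.+)\]$"
)


def parse_runtimes(output: str) -> List[Tuple[str, Tuple[int, ...], str]]:
    """Parse runtime listing lines into (name, version tuple, prerelease suffix)."""
    rows = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank lines or anything not in the expected format
        ver = tuple(int(p) for p in m.group("ver").split("."))
        rows.append((m.group("name"), ver, m.group("suffix") or ""))
    return rows


def unpatched_aspnet_runtimes(output: str) -> List[str]:
    """Return ASP.NET Core 10.0 runtime versions below 10.0.7.
    A pre-release build of 10.0.7 itself is treated as unpatched (conservative)."""
    flagged = []
    for name, ver, suffix in parse_runtimes(output):
        if name != RUNTIME_NAME or ver[:2] != FIXED_VERSION[:2]:
            continue  # other runtimes and other version bands are out of scope here
        if ver < FIXED_VERSION or (ver == FIXED_VERSION and suffix):
            flagged.append(".".join(map(str, ver)) + suffix)
    return flagged


def check_local_host() -> List[str]:
    """Run the real command on this machine (needs the .NET SDK or runtime installed)."""
    proc = subprocess.run(["dotnet", "--list-runtimes"], capture_output=True, text=True, check=True)
    return unpatched_aspnet_runtimes(proc.stdout)


# Constructed sample output in the format `dotnet --list-runtimes` prints (not real host data).
SAMPLE_OUTPUT = """\
Microsoft.AspNetCore.App 8.0.11 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 10.0.6 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 10.0.7-preview.1 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 10.0.7 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 10.0.6 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
"""

if __name__ == "__main__":
    for v in unpatched_aspnet_runtimes(SAMPLE_OUTPUT):
        print(f"unpatched ASP.NET Core runtime: {v}")
```

Replace `SAMPLE_OUTPUT` with `check_local_host()` to inspect a real host; an empty result means no 10.0 runtime below the fixed version was found.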
References
- SecurityAffairs. (2026, April 22). Microsoft out-of-band updates fixed critical ASP.NET Core privilege escalation flaw. *SecurityAffairs*. https://securityaffairs.com/191130/security/microsoft-out-of-band-updates-fixed-critical-asp-net-core-privilege-escalation-flaw.html
Original Source: SecurityAffairs