A critical vulnerability in ASP.NET Core, tracked as CVE-2026-40372, has been patched by Microsoft in an out-of-band update, addressing a privilege escalation bug that could be exploited by attackers. The flaw, rated Important in severity, carries a high CVSS score of 9.1 out of 10.0, indicating a significant potential impact. The vulnerability is attributed to improper verification of cryptographic signatures, which could allow an attacker to escalate privileges. An anonymous researcher is credited with discovering and reporting the flaw. Microsoft's prompt action to release a patch underscores the potential risk associated with this vulnerability1. The exploitation status of CVE-2026-40372 is being closely monitored, and its resolution will determine whether this is a patch-now or monitor situation. This vulnerability matters to practitioners because it highlights the need for timely patches and updates to prevent potential privilege escalation attacks.