Full Report
Microsoft security advisory (AV26-377)
Analysis Summary
# Vulnerability: ASP.NET Core Elevation of Privilege
## CVE Details
- **CVE ID:** CVE-2026-40372
- **CVSS Score:** Not provided in the advisory; the vulnerability is rated "Critical".
- **CWE:** Not specified (categorized as Elevation of Privilege)
## Affected Systems
- **Products:** Microsoft .NET / ASP.NET Core
- **Versions:** 10.0.0 through 10.0.6
- **Configurations:** Systems running applications built on the affected .NET 10 versions.
## Vulnerability Description
This is an Elevation of Privilege (EoP) vulnerability in ASP.NET Core. The brief advisory does not detail the technical root cause (for example, memory corruption or a logic flaw). In general, EoP vulnerabilities in this framework allow an attacker to obtain permissions beyond those originally granted, which can lead to unauthorized access to sensitive data or administrative functions.
## Exploitation
- **Status:** Not specified (Out-of-band release suggests high priority/criticality).
- **Complexity:** Not specified.
- **Attack Vector:** Not specified (Typically Network for ASP.NET Core vulnerabilities).
## Impact
- **Confidentiality:** High (Potential unauthorized access to data).
- **Integrity:** High (Potential unauthorized modification of system state).
- **Availability:** Not specified.
## Remediation
### Patches
Microsoft has released an out-of-band (OOB) security update to address this flaw. Users should upgrade to:
- **.NET 10.0.7** or later.
### Workarounds
- No specific workarounds are provided in the advisory. Immediate patching is the recommended course of action.
## Detection
- **Indicators of compromise:** Monitor for unusual account activity or elevation of user privileges within ASP.NET applications.
- **Detection methods and tools:** Audit installed .NET runtime and SDK versions across the environment to identify vulnerable versions (10.0.0–10.0.6).
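The version audit above can be scripted. The following is an added example (not part of the advisory or of Microsoft's tooling) that parses `dotnet --list-runtimes` output and flags shared-framework installs inside the advisory's affected range 10.0.0 through 10.0.6; the sample listing it ships with is constructed, and the `--live` switch runs the real CLI on the current host.

```python
import re
import subprocess
import sys

# Range from the advisory: 10.0.0 through 10.0.6 are affected; 10.0.7 is the fixed build.
AFFECTED_MIN = (10, 0, 0)
FIXED_VERSION = (10, 0, 7)

# One line of `dotnet --list-runtimes`, e.g.
#   Microsoft.AspNetCore.App 10.0.3 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
RUNTIME_LINE = re.compile(
    r"^(?P<name>[\w.]+)\s+(?P<version>\d+\.\d+\.\d+)(-[\w.]+)?\s+\[(?P<path>.+)\]\s*$"
)

def parse_version(version: str) -> tuple[int, int, int]:
    """Turn 'major.minor.patch' into a comparable tuple (prerelease suffix already stripped)."""
    major, minor, patch = version.split(".")
    return int(major), int(minor), int(patch)

def is_affected(version: str) -> bool:
    """True when the runtime version satisfies 10.0.0 <= v < 10.0.7."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_VERSION

def find_affected_runtimes(listing: str) -> list[tuple[str, str]]:
    """Return (runtime, version) pairs from a `dotnet --list-runtimes` listing that are
    still on an affected .NET 10 build; lines that are not runtime entries are skipped."""
    hits = []
    for line in listing.splitlines():
        match = RUNTIME_LINE.match(line.strip())
        if match and is_affected(match["version"]):
            hits.append((match["name"], match["version"]))
    return hits

def audit_local_host() -> list[tuple[str, str]]:
    """Run the dotnet CLI on this host and audit its output (needs dotnet on PATH)."""
    out = subprocess.run(["dotnet", "--list-runtimes"], capture_output=True, text=True, check=True)
    return find_affected_runtimes(out.stdout)

# Constructed sample listing (not real host output) so the script also runs offline.
SAMPLE_LISTING = """\
Microsoft.AspNetCore.App 10.0.3 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 10.0.3 [/usr/share/dotnet/shared/Microsoft.NETCore.App]
Microsoft.AspNetCore.App 10.0.7 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
"""

if __name__ == "__main__":
    hits = audit_local_host() if "--live" in sys.argv[1:] else find_affected_runtimes(SAMPLE_LISTING)
    for name, version in hits:
        print(f"AFFECTED: {name} {version} -> upgrade to .NET 10.0.7 or later")
    sys.exit(1 if hits else 0)
```

The check only sees shared-framework installs; self-contained deployments bundle their own copy of the runtime and must be inventoried separately (for example, by rebuilding and redeploying them against the fixed SDK).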
## References
- **Vendor advisories:** hxxps[://]msrc[.]microsoft[.]com/update-guide/vulnerability/CVE-2026-40372
- **Relevant links:** hxxps[://]devblogs[.]microsoft[.]com/dotnet/dotnet-10-0-7-oob-security-update/
- **Cyber Centre Advisory:** hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/microsoft-security-advisory-av26-377