
ASP.NET Core Data Protection privilege escalation (CVE-2026-40372)

Vulnerability
1 unique source, 1 article

Summary


CVE-2026-40372 in ASP.NET Core Data Protection can let unauthenticated attackers forge authentication cookies and gain SYSTEM privileges on affected devices. Microsoft says the flaw affects Microsoft.AspNetCore.DataProtection 10.0.0-10.0.6 and is fixed by 10.0.7. The issue matters because forged payloads can pass authenticity checks and remain useful until the DataProtection key ring is rotated.

Related Happenings

Windows BitLocker YellowKey mitigation guidance (CVE-2026-45585)

Advisory/Mitigation
First: 20.05.2026 10:31 Last: 20.05.2026 10:31 Sources 1

About this happening: Microsoft issued **mitigation guidance** for **YellowKey**, a **Windows BitLocker zero-day** that can expose **BitLocker-protected drives** before the security update is available...

Azure Backup for AKS privilege escalation flaw

Vulnerability
First: 16.05.2026 23:55 Last: 16.05.2026 23:55 Sources 1

About this happening: A **critical Azure Backup for AKS** privilege-escalation flaw was independently validated, exposing Kubernetes clusters to **cluster-admin** takeover from the low-privileged **Bac...

Microsoft Edge stops loading saved passwords into cleartext memory at startup

Security Tool/Service
First: 15.05.2026 17:49 Last: 15.05.2026 17:49 Sources 1

About this happening: **Microsoft Edge** is changing its built-in password manager so **saved passwords** are no longer loaded into **process memory in clear text** at startup, reducing the risk of loc...

Windows 11 BitLocker bypass YellowKey security flaw

Vulnerability
First: 14.05.2026 10:27 Last: 14.05.2026 10:27 Sources 1

About this happening: **YellowKey** is a **Windows BitLocker security feature bypass** tracked as **CVE-2026-45585** that can expose **BitLocker-protected drives** through the **Windows Recovery Enviro...

Latest development: 20.05.2026 10:31

Microsoft assigned CVE-2026-45585 to YellowKey, a Windows BitLocker security feature bypass, and recommended removing autofstx.exe from the Session Manager BootExecute REG_MULTI_SZ value, reestablishing BitLocker trust for WinRE, and moving already encrypted devices from TPM-only to TPM+PIN to require a pre-boot PIN.

Microsoft Defender false-positively flags DigiCert root certificates and removes some from Windows trust store

Security Tool/Service
First: 03.05.2026 21:11 Last: 03.05.2026 21:11 Sources 1

About this happening: **Microsoft Defender** began falsely flagging valid **DigiCert root certificates** as **Trojan:Win32/Cerdigent.A!dha**, creating widespread false positives and risking certificate...

Timeline

  1. 22.04.2026 11:08 2 articles · 1mo ago

    Microsoft releases emergency patches for CVE-2026-40372

    Initial Disclosure

    Microsoft released out-of-band security updates for CVE-2026-40372, which affects ASP.NET Core Data Protection, after user reports that decryption was failing in applications that had installed .NET 10.0.6 during Patch Tuesday. Microsoft said a regression in Microsoft.AspNetCore.DataProtection 10.0.0-10.0.6 could let unauthenticated attackers forge authentication cookies, gain SYSTEM privileges, disclose files, and modify data. It advised updating to 10.0.7, redeploying affected applications, and rotating the DataProtection key ring so that forged tokens are rejected.

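Because the advisory names a concrete package and version range, one defensive step is to inventory project files for an explicit reference to that package and flag versions in the affected range. The script below is an added example, not Microsoft's tooling or anything from the advisory; it assumes plain major.minor.patch version strings (an optional prerelease suffix is ignored), checks only explicit PackageReference entries, and uses a constructed sample .csproj.

```python
"""Flag PackageReference entries for Microsoft.AspNetCore.DataProtection whose
version falls in the range the advisory lists as affected (10.0.0-10.0.6).

Assumptions (this is an added example, not Microsoft's tooling): versions are
major.minor.patch with an optional '-prerelease' suffix; only explicit
PackageReference entries are inspected, so apps that receive the package only
through a shared framework or central package management are not covered."""
import xml.etree.ElementTree as ET

PACKAGE = "Microsoft.AspNetCore.DataProtection"
AFFECTED_MIN = (10, 0, 0)
AFFECTED_MAX = (10, 0, 6)   # inclusive; 10.0.7 is the fixed release per the advisory
FIXED = "10.0.7"


def parse_version(text):
    """Turn '10.0.6' or '10.0.6-preview.1' into (10, 0, 6); None if unparseable."""
    core = text.strip().split("-", 1)[0]
    try:
        parts = [int(p) for p in core.split(".")]
    except ValueError:          # e.g. NuGet range syntax like "[10.0.0,10.0.7)"
        return None
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version):
    parsed = parse_version(version)
    return parsed is not None and AFFECTED_MIN <= parsed <= AFFECTED_MAX


def scan_csproj(csproj_text):
    """Return (package, version, affected) for every DataProtection reference."""
    root = ET.fromstring(csproj_text)
    findings = []
    for ref in root.iter("PackageReference"):
        name = ref.get("Include", "")
        if name.lower() != PACKAGE.lower():   # NuGet package IDs are case-insensitive
            continue
        version = ref.get("Version") or ref.findtext("Version") or ""
        findings.append((name, version, is_affected(version)))
    return findings


# Constructed sample project file (not taken from the page)
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="10.0.6" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for name, version, affected in scan_csproj(SAMPLE_CSPROJ):
        action = f"AFFECTED: update to {FIXED}, redeploy, rotate the key ring" if affected else "not in affected range"
        print(f"{name} {version}: {action}")
```

A version outside the range only means the package reference is not the one named here; the key-ring rotation the advisory calls for still has to be done on any deployment that ran an affected build.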