ASP.NET Core Data Protection privilege escalation (CVE-2026-40372)
Vulnerability
Summary
Hide ▲
Show ▼
CVE-2026-40372 in ASP.NET Core Data Protection can let unauthenticated attackers forge authentication cookies and gain SYSTEM privileges on affected devices. Microsoft says the flaw affects Microsoft.AspNetCore.DataProtection 10.0.0-10.0.6 and is fixed by 10.0.7. The issue matters because forged payloads can pass authenticity checks and remain useful until the DataProtection key ring is rotated.
Related Happenings
Windows BitLocker YellowKey mitigation guidance (CVE-2026-45585)
Advisory/Mitigation
H score32
First: 20.05.2026 10:31
Last: 20.05.2026 10:31
Sources 1
About this happening:
**Windows BitLocker** **YellowKey** (**CVE-2026-45585**) moved from interim mitigation to patch status after **Microsoft** fixed it in **June 2026 Patch Tuesday**. The **Windows R...
Windows BitLocker YellowKey mitigation guidance (CVE-2026-45585)
Advisory/MitigationAbout this happening: **Windows BitLocker** **YellowKey** (**CVE-2026-45585**) moved from interim mitigation to patch status after **Microsoft** fixed it in **June 2026 Patch Tuesday**. The **Windows R...
Latest development: 10.06.2026 12:57
On Tuesday, Microsoft fixed YellowKey (CVE-2026-45585) as part of its June 2026 Patch Tuesday updates and shared mitigation measures for the Windows Recovery Environment backdoor. The flaw affects unpatched Windows 11 and Windows Server 2022/2025 systems and can let attackers with physical access bypass BitLocker protection on targeted devices.
Azure Backup for AKS privilege escalation flaw
Vulnerability
H score22
First: 16.05.2026 23:55
Last: 16.05.2026 23:55
Sources 1
About this happening:
A **critical Azure Backup for AKS** privilege-escalation flaw was independently validated, exposing Kubernetes clusters to **cluster-admin** takeover from the low-privileged **Bac...
Azure Backup for AKS privilege escalation flaw
VulnerabilityAbout this happening: A **critical Azure Backup for AKS** privilege-escalation flaw was independently validated, exposing Kubernetes clusters to **cluster-admin** takeover from the low-privileged **Bac...
Microsoft Edge stops loading saved passwords into cleartext memory at startup
Security Tool/Service
H score10
First: 15.05.2026 17:49
Last: 15.05.2026 17:49
Sources 1
About this happening:
**Microsoft Edge** is changing its built-in password manager so **saved passwords** are no longer loaded into **process memory in clear text** at startup, reducing the risk of loc...
Microsoft Edge stops loading saved passwords into cleartext memory at startup
Security Tool/ServiceAbout this happening: **Microsoft Edge** is changing its built-in password manager so **saved passwords** are no longer loaded into **process memory in clear text** at startup, reducing the risk of loc...
Windows 11 BitLocker bypass YellowKey security flaw
Vulnerability
H score7
First: 14.05.2026 10:27
Last: 14.05.2026 10:27
Sources 1
About this happening:
**YellowKey** is a **Windows BitLocker security feature bypass** tracked as **CVE-2026-45585** that affects the **Windows Recovery Environment (WinRE)** path and can expose **BitL...
Windows 11 BitLocker bypass YellowKey security flaw
VulnerabilityAbout this happening: **YellowKey** is a **Windows BitLocker security feature bypass** tracked as **CVE-2026-45585** that affects the **Windows Recovery Environment (WinRE)** path and can expose **BitL...
Latest development: 20.05.2026 10:31
Microsoft assigned CVE-2026-45585 to YellowKey, a Windows BitLocker security feature bypass, and recommended removing autofstx.exe from the Session Manager BootExecute REG_MULTI_SZ value, reestablishing BitLocker trust for WinRE, and moving already encrypted devices from TPM-only to TPM+PIN to require a pre-boot PIN.
Microsoft Defender false-positively flags DigiCert root certificates and removes some from Windows trust store
Security Tool/Service
H score11
First: 03.05.2026 21:11
Last: 03.05.2026 21:11
Sources 1
About this happening:
**Microsoft Defender** began falsely flagging valid **DigiCert root certificates** as **Trojan:Win32/Cerdigent.A!dha**, creating widespread false positives and risking certificate...
Microsoft Defender false-positively flags DigiCert root certificates and removes some from Windows trust store
Security Tool/ServiceAbout this happening: **Microsoft Defender** began falsely flagging valid **DigiCert root certificates** as **Trojan:Win32/Cerdigent.A!dha**, creating widespread false positives and risking certificate...
Timeline
-
22.04.2026 11:08 2 articles · 2mo ago
Microsoft releases emergency patches for CVE-2026-40372
Initial DisclosureMicrosoft released out-of-band security updates for CVE-2026-40372 affecting ASP.NET Core Data Protection after user reports that decryption was failing in applications that installed .NET 10.0.6 during Patch Tuesday. Microsoft said a regression in Microsoft.AspNetCore.DataProtection 10.0.0-10.0.6 could let unauthenticated attackers forge authentication cookies, gain SYSTEM privileges, disclose files, and modify data, and it advised updating to 10.0.7, redeploying affected applications, and rotating the DataProtection key ring so forged tokens are rejected.
Show sources
- Microsoft releases emergency patches for critical ASP.NET flaw — www.bleepingcomputer.com — 22.04.2026 11:08
- Microsoft releases emergency patches for critical ASP.NET flaw — www.bleepingcomputer.com — 22.04.2026 11:08