
Microsoft out-of-band security update for ASP.NET Core Data Protection (CVE-2026-40372)

Security Patch Release

Summary


Microsoft released out-of-band security updates for CVE-2026-40372, an ASP.NET Core Data Protection flaw that could let attackers forge authentication cookies and gain SYSTEM privileges on affected systems. The flaw affects Microsoft.AspNetCore.DataProtection 10.0.0-10.0.6; the emergency fix requires customers to move to 10.0.7 and rotate the DataProtection key ring to invalidate potentially forged tokens.


Timeline

  1. 22.04.2026 11:08 2 articles · 1mo ago

    Microsoft releases OOB patch for CVE-2026-40372

    Mitigation Patch Update

    Microsoft released out-of-band security updates to patch CVE-2026-40372 in ASP.NET Core Data Protection. The critical flaw in Microsoft.AspNetCore.DataProtection 10.0.0-10.0.6 could let unauthenticated attackers forge authentication cookies and gain SYSTEM privileges on affected devices.

  2. 22.04.2026 11:08 1 articles · 1mo ago

    Microsoft details the Microsoft.AspNetCore.DataProtection regression

    Technical Analysis Update

    Microsoft said a regression in the Microsoft.AspNetCore.DataProtection 10.0.0-10.0.6 NuGet packages causes the managed authenticated encryptor to compute its HMAC validation tag over the wrong bytes of the payload and, in some cases, discard the computed hash. The broken validation can let attackers forge payloads that pass DataProtection authenticity checks and decrypt protected payloads such as auth cookies, antiforgery tokens, TempData, and OIDC state. Issued tokens also stay valid after upgrading to 10.0.7 unless the DataProtection key ring is rotated.
