CVE-2026-40372

Published Apr 21, 2026

Last updated 2 months ago

CVSS critical 9.1
Network

Overview

Description
Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network.
Source
secure@microsoft.com
NVD status
Analyzed
Products
asp.net_core

Risk scores

CVSS 3.1

Type
Primary
Base score
9.1
Impact score
5.2
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Severity
CRITICAL

Weaknesses

secure@microsoft.com
CWE-347

Social media

Hype score
Not currently trending

  1. CVE-2026-40372. The Invisible Forgery: CVE-2026-40372's HMAC Regression Turns https://t.co/3SrH0yayJ7 Core's DataProtection Into a Master Key

    @lyrie_ai

    16 Jun 2026

    36 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  2. Top 5 Trending CVEs: 1 - CVE-2026-25253 2 - CVE-2026-3888 3 - CVE-2026-40372 4 - CVE-2025-59536 5 - CVE-2026-26144 #cve #cvetrends #cveshield #cybersecurity https://t.co/4Fua3CAN6W

    @CVEShield

    23 Apr 2026

    194 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Cisco Catalyst SD-WAN Manager Improper Encoding or Escaping of Output VulnerabilityCVE-2026-20245
  2. Palo Alto Networks PAN-OS Authentication Bypass VulnerabilityCVE-2026-0257
  3. A vulnerability in Cisco ISE and Cisco ISE-PIC could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit this vulnerability, the attacker must have valid administrative credentials. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker to obtain user-level access to the underlying operating system and then elevate privileges to root. In single-node ISE deployments, successful exploitation of this vulnerability could cause the affected ISE node to become unavailable, resulting in a denial of service (DoS) condition. In that condition, endpoints that have not already authenticated would be unable to access the network until the node is restored.CVE-2026-20147
  4. Concurrent execution using shared resource with improper synchronization ('race condition') in Windows TCP/IP allows an unauthorized attacker to execute code over a network.CVE-2026-33827
  5. Double free in Windows IKE Extension allows an unauthorized attacker to execute code over a network.CVE-2026-33824

References

Sources include official advisories and independent security research.