Microsoft Ships Fix for Critical ASP.NET Core Privilege Escalation Flaw
Original source: Microsoft Patches Critical ASP.NET Core CVE-2026-40372 Privilege Escalation Bug (The Hacker News)
Microsoft has released a patch for CVE-2026-40372, a critical privilege escalation vulnerability in ASP.NET Core. The flaw allows an attacker to elevate privileges within applications built on the framework, a class of bug that typically maps to authentication or authorization boundary failures in the request pipeline.
ASP.NET Core sits beneath a large share of enterprise web applications and APIs, which makes any privilege escalation defect in the framework itself a broad exposure rather than a single-product issue. Affected deployments inherit the weakness regardless of their own code quality, so the blast radius extends to every service that pulled in a vulnerable runtime or package version.
Operators running ASP.NET Core workloads should pull the patched runtime and redeploy affected services rather than waiting for a routine release cycle. Framework-level privilege escalation bugs tend to attract exploit development quickly once patch diffs are public, and self-hosted and containerized deployments are both in scope.
This is an AI-generated summary. Read the original for the full story.