Microsoft issues out-of-band patch for critical security flaw in update to ASP.NET Core
Summary
Microsoft has released an out-of-band patch to fix a critical security flaw introduced in a recent ASP.NET Core update. The vulnerability, tracked as CVE-2026-40372, allows attackers to forge payloads and decrypt sensitive data within application cookies and tokens.
IFF Assessment
This vulnerability allows attackers to forge payloads and decrypt sensitive data, directly impacting the integrity and confidentiality of web applications.
Severity
The vulnerability has a CVSS score of 9.1 due to its critical severity, allowing for remote code execution or significant data compromise via forged authentication tokens.
Defender Context
This highlights the importance of rapid patching for critical software components like ASP.NET Core. Developers should prioritize applying this out-of-band update to protect against potential exploitation of forged payloads and decrypted sensitive data.