Microsoft issues emergency ASP.NET update for critical authentication flaw
Original: Microsoft issues emergency update for macOS and Linux ASP.NET threat
Why This Matters
Critical security flaw in widely used web framework threatens enterprise applications
Microsoft released an emergency patch for CVE-2026-40372, a high-severity vulnerability in ASP.NET Core versions 10.0.0 through 10.0.6 that affects macOS and Linux apps. The flaw allows unauthenticated attackers to gain SYSTEM privileges through forged authentication payloads.
Microsoft patched a critical vulnerability (CVE-2026-40372) in its ASP.NET Core framework that affects the Microsoft.AspNetCore.DataProtection NuGet package versions 10.0.0 through 10.0.6. The flaw, rated 9.1/10 in severity, stems from faulty cryptographic signature verification that allows unauthenticated attackers to forge authentication payloads during HMAC validation. This enables full system compromise on Linux and macOS devices. The vulnerability was discovered while investigating decryption failures after a recent package update. Microsoft warns that forged credentials created during the vulnerable window may remain valid even after patching unless the DataProtection key ring is rotated. Users should immediately update to version 10.0.7.
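The last warning is the part operators most often skip, so the following added example (not Microsoft's code and not the real DataProtection implementation) models why it matters: a simplified key ring of HMAC-SHA256 keys authenticates opaque payloads, and a payload that verified under an existing key keeps verifying after the package is updated, because updating code changes no key material. Only revoking the old keys, the rotation the advisory calls for, makes the verifier reject it. The key ids, payload bytes and token layout are constructed for the illustration; the check itself uses a constant-time comparison and rejects unknown or revoked key ids explicitly.

```python
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


@dataclass
class KeyRing:
    """Simplified key ring: several HMAC keys identified by id, one of them active.
    Constructed for this example; it is not the ASP.NET DataProtection key ring."""
    keys: Dict[str, bytes] = field(default_factory=dict)
    revoked: Set[str] = field(default_factory=set)
    active: Optional[str] = None

    def add_key(self, key_id: str, secret: Optional[bytes] = None) -> str:
        self.keys[key_id] = secret if secret is not None else os.urandom(32)
        self.active = key_id
        return key_id

    def rotate(self, new_key_id: str) -> None:
        """Revoke every existing key and activate a fresh one. Old keys stay in the
        ring only so that tokens naming them are rejected explicitly."""
        self.revoked.update(self.keys)
        self.add_key(new_key_id)


def protect(ring: KeyRing, payload: bytes) -> str:
    """Authenticate payload under the active key as keyid.payload.tag (base64url)."""
    key_id = ring.active
    if key_id is None or key_id in ring.revoked:
        raise RuntimeError("no active key")
    msg = key_id.encode() + b"." + payload  # bind the tag to the key id as well
    tag = hmac.new(ring.keys[key_id], msg, hashlib.sha256).digest()
    return ".".join((_b64(key_id.encode()), _b64(payload), _b64(tag)))


def unprotect(ring: KeyRing, token: str) -> Optional[bytes]:
    """Return the payload if the tag verifies under a known, unrevoked key, else None."""
    try:
        kid_b64, payload_b64, tag_b64 = token.split(".")
        key_id = _unb64(kid_b64).decode("ascii")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, UnicodeDecodeError):
        return None
    secret = ring.keys.get(key_id)
    if secret is None or key_id in ring.revoked:
        return None
    expected = hmac.new(secret, key_id.encode() + b"." + payload, hashlib.sha256).digest()
    # Constant-time compare: never accept a tag on a length or prefix match
    if not hmac.compare_digest(expected, tag):
        return None
    return payload


def rotation_demo() -> Dict[str, bool]:
    """Walk through the advisory's point with constructed data."""
    ring = KeyRing()
    ring.add_key("key-2026-a")
    # Stands in for any auth payload that validated while the vulnerable version was deployed
    old_token = protect(ring, b"user=alice;session=1")
    results: Dict[str, bool] = {}
    results["valid_before_rotation"] = unprotect(ring, old_token) == b"user=alice;session=1"
    # Updating the package alone changes no key material, so the same token still verifies
    results["still_valid_after_patch_only"] = unprotect(ring, old_token) is not None
    ring.rotate("key-2026-b")
    results["rejected_after_rotation"] = unprotect(ring, old_token) is None
    new_token = protect(ring, b"user=alice;session=2")
    results["new_token_valid"] = unprotect(ring, new_token) == b"user=alice;session=2"
    # A token whose tag has been altered is rejected by the constant-time check
    parts = new_token.split(".")
    parts[2] = ("A" if parts[2][0] != "A" else "B") + parts[2][1:]
    results["tampered_rejected"] = unprotect(ring, ".".join(parts)) is None
    return results


if __name__ == "__main__":
    for name, ok in rotation_demo().items():
        print(f"{name}: {ok}")
```

The lesson carries over to the real key ring: after deploying 10.0.7, revoke the keys that were active during the vulnerable window so that anything minted against them, legitimate or not, has to be re-issued under fresh keys.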