Digital Event Horizon
Microsoft has released an emergency patch for a high-severity vulnerability in ASP.NET Core's data protection package. According to Microsoft, unauthenticated attackers can exploit it to forge authentication payloads and gain SYSTEM privileges on Linux and macOS hosts running affected applications.
The vulnerability, CVE-2026-40372, affects versions 10.0.0 through 10.0.6 of the Microsoft.AspNetCore.DataProtection NuGet package. Affected users should update to version 10.0.7 and then rotate their DataProtection key ring, because patching alone does not invalidate payloads that were forged while a vulnerable version was deployed. Long-lived application-level artifacts created during that window survive key rotation and must be rotated at the application layer as well.
The vulnerability, tracked as CVE-2026-40372, affects versions 10.0.0 through 10.0.6 of the Microsoft.AspNetCore.DataProtection NuGet package and stems from faulty verification of cryptographic signatures.
According to Microsoft, the high-severity flaw lets unauthenticated attackers forge authentication payloads by defeating the HMAC validation step that the data protection stack relies on to verify the integrity and authenticity of protected payloads, such as authentication cookies, that a server hands to clients and later accepts back. A forged payload can be leveraged to obtain SYSTEM privileges, potentially leading to full compromise of the underlying machine.
The vulnerability affects ASP.NET Core applications running on non-Windows platforms such as Linux and macOS. Microsoft advises updating to version 10.0.7 as soon as possible; that release addresses both the security vulnerability and a decryption regression. Anyone who served Internet-exposed endpoints while running a vulnerable version of the package is additionally advised to rotate their DataProtection key ring.
Updating alone is not sufficient: any authentication payload an attacker forged during the vulnerable window remains valid until the keys that protect it are retired, so a patched application can still be compromised. Microsoft therefore stresses that rotating the DataProtection key ring is crucial to preventing further attacks.
Microsoft also advises auditing application-level long-lived artifacts that may have been created while a vulnerable version was in use, such as API keys, refresh tokens or other credentials that the application itself issues. These artifacts are not protected by the key ring, so they survive key rotation and must be rotated at the application layer.
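The following is an added example, not code from Microsoft or from the article, showing what the recommended key ring rotation looks like in an ASP.NET Core app that persists its DataProtection keys to disk. It uses only the public `IKeyManager` API (`RevokeAllKeys` and `CreateNewKey`); the key path `/var/lib/example-app/dp-keys`, the application name `example-app`, and the `ROTATE_DP_KEYS` environment variable that triggers the one-time rotation are assumptions for illustration.

```csharp
// Program.cs (added example, not from Microsoft or the article). Assumes a file-system
// key ring at /var/lib/example-app/dp-keys and a one-off ROTATE_DP_KEYS=1 environment
// variable set by the operator after the upgrade to Microsoft.AspNetCore.DataProtection 10.0.7.
using System;
using System.IO;
using System.Linq;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

var builder = WebApplication.CreateBuilder(args);

// Key ring configuration. Every instance of the app must share the same
// application name and key store, otherwise they cannot read each other's cookies.
builder.Services.AddDataProtection()
    .SetApplicationName("example-app")
    .PersistKeysToFileSystem(new DirectoryInfo("/var/lib/example-app/dp-keys"))
    .SetDefaultKeyLifetime(TimeSpan.FromDays(90));   // routine rotation cadence

builder.Services.AddAuthentication("Cookies").AddCookie("Cookies");

var app = builder.Build();

if (Environment.GetEnvironmentVariable("ROTATE_DP_KEYS") == "1")
{
    var keyManager = app.Services.GetRequiredService<IKeyManager>();
    var logger = app.Services.GetRequiredService<ILogger<Program>>();
    var now = DateTimeOffset.UtcNow;

    var liveBefore = keyManager.GetAllKeys().Count(k => !k.IsRevoked);

    // Revoke every key created at or before 'now'. IDataProtector.Unprotect refuses
    // payloads protected with a revoked key, so cookies and tokens issued under the
    // old keys, whether legitimate or forged in the vulnerable window, stop validating.
    keyManager.RevokeAllKeys(now, reason: "CVE-2026-40372: key ring rotation after upgrade to 10.0.7");

    // Create and activate a replacement key immediately rather than waiting for the
    // key ring provider to notice that no usable key is left. It is created after the
    // revocation timestamp, so the blanket revocation above does not cover it.
    var fresh = keyManager.CreateNewKey(activationDate: DateTimeOffset.UtcNow,
                                        expirationDate: DateTimeOffset.UtcNow.AddDays(90));

    logger.LogWarning("DataProtection key ring rotated: {Revoked} key(s) revoked, new key {KeyId} active",
                      liveBefore, fresh.KeyId);
}

app.UseAuthentication();
app.MapGet("/", () => "ok");
app.Run();
```

Run the rotation on one instance only; the revocation and the new key are written to the shared key store, so other instances pick them up on their next key ring refresh. Because a running instance caches its key ring (the default refresh interval is 24 hours), restart every instance right after the rotation so that none keeps honouring the revoked keys from its cache. All users are signed out by this step, which is the intended effect. Note that this covers only payloads protected by the key ring; API keys, refresh tokens or other credentials the application itself issued during the vulnerable window are the application-level artifacts the advisory says must be rotated separately.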
ASP.NET Core is Microsoft's open-source, high-performance web framework for .NET applications running on Windows, macOS, Linux and Docker. Shipping its runtime components, APIs, compilers and languages as packages lets them evolve quickly while providing a stable, supported platform that keeps existing apps running.
The vulnerability underlines two lessons: patch promptly, and treat keys and other sensitive material that may have been exposed during a vulnerable window as compromised and rotate them. Microsoft's rapid response is a positive sign for the security and stability of its products.
Related Information:
https://www.digitaleventhorizon.com/articles/Microsoft-Releases-Emergency-Patch-for-ASPNET-Core-Vulnerability-deh.shtml
https://arstechnica.com/security/2026/04/microsoft-issues-emergency-update-for-macos-and-linux-asp-net-threat/
https://x.com/threatcluster/status/2046801275484880909
Published: Wed Apr 22 15:13:23 2026 by llama3.2 3B Q4_K_M