A critical ASP.NET Core vulnerability is actively threatening macOS and Linux servers, allowing unauthenticated attackers to seize full SYSTEM privileges. Tracked as CVE-2026-40372, this high-severity flaw forces developers to immediately patch their environments and rotate security keys to prevent total machine compromise. Microsoft released an emergency out-of-band update to address the issue, which stems from a faulty verification of cryptographic signatures.
The vulnerability affects versions 10.0.0 through 10.0.6 of the Microsoft.AspNetCore.DataProtection NuGet package. Microsoft announced that the critical flaw can be exploited to allow unauthenticated attackers to forge authentication payloads during the HMAC validation process. This process is essential for verifying the integrity and authenticity of data exchanged between a client and a server.
Microsoft describes ASP.NET Core as a high-performance web development framework for writing .NET apps across multiple operating systems. The bug was discovered as a regression while Microsoft was investigating reports of decryption failures in applications using a recent update. The company explained that the managed authenticated encryptor computed its HMAC validation tag over the wrong bytes of the payload and then discarded the computed hash, leading to the elevation of privilege.
The Danger of Surviving Credentials
Patching the software is only the first step, as the maximum severity rating for CVE-2026-40372 sits at a staggering 9.1 out of 10. During the window when users ran a vulnerable version of the package, attackers could have forged payloads to authenticate as privileged users. This means the application may have issued legitimately-signed tokens, such as session refreshes, API keys, or password reset links, directly to the threat actors.
These forged tokens remain completely valid even after upgrading to version 10.0.7. If an attacker successfully generated these credentials before the patch was applied, they retain full access to the compromised system unless specific cryptographic keys are manually rotated by the server administrators.
Affected users are primarily those running version 10.0.6 on macOS, Linux, or any other non-Windows OS. Windows applications are generally not affected because the DataProtection feature uses different encryptors by default that do not contain this specific bug.
How to Secure Your ASP.NET Core Applications
Because forged credentials can survive a standard software update, system administrators must take a multi-step approach to fully remediate this vulnerability. Microsoft provides detailed instructions here, which include the following critical actions:
- Update the Package: Immediately update the Microsoft.AspNetCore.DataProtection package to version 10.0.7 to fix the decryption regression and close the security vulnerability.
- Rotate the Key Ring: You must rotate the DataProtection key ring if your applications served Internet-exposed endpoints while running a vulnerable version (10.0.0 through 10.0.6).
- Audit Long-Lived Artifacts: Manually audit application-level long-lived artifacts that may have been created during the vulnerable window. These artifacts survive key rotation and must be rotated at the application layer.
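To make the surviving-credential problem concrete, the following is an added Python model, not Microsoft's code and not the real DataProtection payload format, of the validation defect described above (tag computed over the wrong bytes, result never compared) and of why the key ring must be rotated after the package update. The token layout, key size and sample payloads are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

TAG_LEN = 32  # HMAC-SHA256 tag appended to the payload (assumed layout)


def protect(key: bytes, payload: bytes) -> bytes:
    """Mint a token: payload || HMAC-SHA256(key, payload)."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def unprotect_defective(key: bytes, blob: bytes) -> Optional[bytes]:
    """Model of the defect: the tag is computed over only part of the
    payload and the result is discarded, so every blob is accepted."""
    payload = blob[:-TAG_LEN]
    hmac.new(key, payload[:8], hashlib.sha256).digest()  # computed, never compared
    return payload


def unprotect(key: bytes, blob: bytes) -> Optional[bytes]:
    """Correct validation: tag over the whole payload, constant-time compare."""
    if len(blob) < TAG_LEN:
        return None
    payload, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(expected, tag) else None


def simulate_incident() -> dict:
    """Walk through the article's timeline and report what each check does."""
    old_key = secrets.token_bytes(32)
    # Constructed sample: a blob with an all-zero tag submitted while the
    # defective validator was in use.
    forged = b"user=admin" + bytes(TAG_LEN)
    r = {}
    r["defective_accepts_forged"] = unprotect_defective(old_key, forged) == b"user=admin"
    # The app trusted the forged identity and issued a properly signed,
    # long-lived artifact (e.g. a refresh token) under the same key.
    issued = protect(old_key, b"session=admin;ttl=30d")
    # After the package update the validator is correct and rejects the forgery...
    r["fixed_rejects_forged"] = unprotect(old_key, forged) is None
    # ...but the artifact minted during the window is still valid under old_key.
    r["fixed_still_accepts_issued"] = unprotect(old_key, issued) == b"session=admin;ttl=30d"
    # Only rotating the key invalidates what was issued during the window.
    new_key = secrets.token_bytes(32)
    r["rotated_rejects_issued"] = unprotect(new_key, issued) is None
    return r
```

Note that application-layer artifacts not protected by the key ring at all (API keys stored as hashes, password reset links already consumed) are untouched by this rotation, which is why the third step above is a separate audit.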
The Hidden Cost of Cross-Platform Complexity
The emergence of CVE-2026-40372 highlights a growing friction point in modern software development: cross-platform frameworks expand the attack surface in unpredictable ways. While ASP.NET Core is celebrated for allowing developers to write code once and deploy it across Windows, macOS, and Linux, this vulnerability demonstrates how OS-specific implementations can create severe blind spots. The fact that Windows servers remained immune while macOS and Linux environments were exposed to full SYSTEM takeovers underscores the difficulty of maintaining uniform security standards across diverse architectures.
Furthermore, this incident reinforces a critical shift in cybersecurity hygiene. The era of simply applying a patch and walking away is over. Because threat actors can now forge legitimately-signed tokens that survive software updates, incident response must evolve to include mandatory credential auditing and key rotation as standard practice. Developers relying on open-source packages must assume that any window of vulnerability has already been exploited, treating post-patch cleanup with the same urgency as the patch itself.