Microsoft has released an emergency patch for a high-severity vulnerability in its ASP.NET Core framework, affecting macOS and Linux applications. Tracked as CVE-2026-40372, the flaw allows unauthenticated attackers to gain SYSTEM privileges through forged authentication payloads. The company advises immediate updates and key rotation to fully mitigate risks.
Microsoft released version 10.0.7 of the Microsoft.AspNetCore.DataProtection NuGet package on Tuesday to fix CVE-2026-40372, which carries a severity score of 9.1 out of 10. The issue affects versions 10.0.0 through 10.0.6 and stems from a regression bug in last week's update to 10.0.6. This bug caused faulty cryptographic signature verification during HMAC validation, enabling attackers to forge credentials and elevate privileges on non-Windows systems running ASP.NET Core apps.

ASP.NET Core is a high-performance framework for .NET applications on platforms including macOS, Linux, and Docker. The vulnerability leaves devices open to full compromise if exploited during the vulnerable period. Even after patching, legitimately signed tokens issued to attackers—such as session refreshes, API keys, or password reset links—remain valid unless the DataProtection key ring is rotated, Microsoft warned.

Affected users include those on macOS or Linux whose applications load version 10.0.6 at runtime, particularly if they do not target Microsoft.NET.Sdk.Web or have certain framework references without opting out of PrunePackageReference. Windows apps are unaffected due to different default encryptors.

Microsoft urges updating to 10.0.7 immediately, rotating keys for internet-exposed endpoints, and auditing application artifacts created during vulnerability exposure.
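One way to start the artifact audit the advisory calls for is to check which version of the DataProtection package a published app actually resolved. The script below is an added example, not Microsoft's tooling: it reads a .NET `*.deps.json` manifest, which lists every resolved package under `libraries` as `Name/Version`, and flags Microsoft.AspNetCore.DataProtection in the range the article names (10.0.0 through 10.0.6, fixed in 10.0.7). The sample manifest is constructed; the scan cannot tell whether the host is Windows, so the platform caveat above still applies.

```python
"""Flag vulnerable Microsoft.AspNetCore.DataProtection versions in .deps.json files."""
import json
import sys
from pathlib import Path

PACKAGE = "Microsoft.AspNetCore.DataProtection"
VULNERABLE_MIN = (10, 0, 0, 0)   # first affected release per the advisory
FIXED = (10, 0, 7, 1)            # 10.0.7 release; anything below is flagged

def parse_version(text):
    """Turn "10.0.6" or "10.0.7-preview.1" into a sortable tuple.
    Pre-release builds sort below their final release (NuGet/semver rule), so a
    10.0.7 pre-release is still treated as unfixed (conservative choice)."""
    core, _, prerelease = text.partition("-")
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (*parts[:3], 0 if prerelease else 1)

def is_vulnerable(version):
    return VULNERABLE_MIN <= parse_version(version) < FIXED

def audit_deps(deps):
    """Return sorted (version, vulnerable) pairs for the package in a parsed .deps.json.
    An empty result means the package is not a resolved NuGet dependency in this
    artifact; it does not by itself prove the app is unaffected."""
    found = set()
    for key in deps.get("libraries", {}):
        name, _, version = key.partition("/")
        if name.lower() == PACKAGE.lower() and version:
            found.add(version)
    return sorted((v, is_vulnerable(v)) for v in found)

# Constructed sample manifest (not a real artifact) resolving the regressed build.
SAMPLE_DEPS_JSON = json.dumps({
    "runtimeTarget": {"name": ".NETCoreApp,Version=v10.0"},
    "libraries": {
        "MyApp/1.0.0": {"type": "project", "serviceable": False},
        "Microsoft.AspNetCore.DataProtection/10.0.6": {"type": "package", "serviceable": True},
    },
})

def audit_sample():
    return audit_deps(json.loads(SAMPLE_DEPS_JSON))

if __name__ == "__main__":
    # Usage: python audit_dp.py /path/to/publish  (scans every *.deps.json beneath it)
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    for manifest in root.rglob("*.deps.json"):
        for version, bad in audit_deps(json.loads(manifest.read_text())):
            print(f"{manifest}: {PACKAGE} {version} -> {'VULNERABLE' if bad else 'ok'}")
```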