Microsoft has released an emergency patch for ASP.NET Core to fix a high-severity vulnerability that could allow unauthenticated attackers to gain SYSTEM privileges on macOS and Linux devices running the Web development framework.
The flaw, tracked as CVE-2026-40372, affects versions 10.0.0 through 10.0.6 of the Microsoft.AspNetCore.DataProtection NuGet package, a component of the framework used by .NET apps across platforms.
The bug stems from faulty verification of cryptographic signatures, enabling attackers to forge authentication payloads during the HMAC validation process and potentially take over a target server.
Microsoft warns that forged credentials may persist after applying the patch. If an attacker issued forged tokens during the vulnerable window, they could appear valid even after upgrading to 10.0.7 unless the DataProtection key ring is rotated.
The company recommends upgrading to 10.0.7, rotating the DataProtection key ring, and auditing any long‑lived artifacts that could still be exploited at the application layer. ASP.NET Core is described as a high‑performance, cross‑platform framework for writing .NET apps that run on Windows, macOS, Linux, and Docker. The maximum severity rating for CVE-2026-40372 is 9.1 out of 10.
