arstechnica.com, about 14 hours ago

Critical ASP.NET Core Flaw: Emergency Patch Released!

Microsoft has issued an emergency update for ASP.NET Core to address a severe vulnerability that it says could allow unauthorized access to SYSTEM privileges. The flaw affects apps running on Linux and macOS, and updating the package is only the first step: credentials forged while the flaw was exploitable stay valid until the Data Protection key ring is rotated.

Emergency Patch for ASP.NET Core Vulnerability

Microsoft has released an urgent patch for its ASP.NET Core framework, addressing a critical vulnerability tracked as CVE-2026-40372. The flaw affects versions 10.0.0 through 10.0.6 of the Microsoft.AspNetCore.DataProtection NuGet package and, according to the advisory, lets unauthenticated attackers gain SYSTEM privileges on Linux and macOS hosts running affected apps.

The root cause is faulty signature verification in the HMAC validation step, which lets an attacker forge payloads that Data Protection accepts as authentic. Patching alone does not end the exposure: any authentication credentials an attacker minted while the flaw was exploitable remain usable until they are invalidated. Microsoft warns that tokens issued during the vulnerable period stay valid unless the Data Protection key ring is rotated.

  • Key points to note:
    • Maximum severity rating: 9.1/10
    • Affected versions: 10.0.0 to 10.0.6
    • Immediate action: Update to version 10.0.7

If your application uses ASP.NET Core Data Protection, update the package to 10.0.7 and then rotate the key ring; the update closes the hole, but only the rotation invalidates tokens forged before it was applied.
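The rotation step above is the part most likely to be skipped, so here is an added example of how it can be done with the framework's own key-management API. This is not code from the Ars Technica article or from Microsoft's guidance; it uses the public `IKeyManager` interface of Microsoft.AspNetCore.DataProtection (assumed to be at 10.0.7) together with Microsoft.Extensions.DependencyInjection. The application name, purpose string and key directory are placeholders, and the "old token" is constructed in-process to stand in for a credential minted while the vulnerable package was deployed.

```csharp
// Added example, not code from the Ars Technica article or from Microsoft:
// after upgrading Microsoft.AspNetCore.DataProtection to 10.0.7, revoke every
// key that existed while the vulnerable version was deployed, mint a fresh key,
// and confirm that a payload protected under the old ring is now rejected.
// Requires the Microsoft.AspNetCore.DataProtection and
// Microsoft.Extensions.DependencyInjection packages. The application name,
// purpose string and key directory below are placeholders (assumptions).
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

// Point this at the real key store in production (file share, blob storage,
// Redis, ...) and add a ProtectKeysWith* call there; a temp directory keeps
// this example self-contained.
var keyDir = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "dp-rotation-example"));

var services = new ServiceCollection();
services.AddDataProtection()
    .SetApplicationName("example-app")      // assumed application name
    .PersistKeysToFileSystem(keyDir);
using var provider = services.BuildServiceProvider();

var protector = provider.GetRequiredService<IDataProtectionProvider>()
    .CreateProtector("example.auth-token"); // assumed purpose string
var keyManager = provider.GetRequiredService<IKeyManager>();

// Constructed stand-in for a token minted while the vulnerable package was in use.
string oldToken = protector.Protect("user=alice;role=admin");
Console.WriteLine($"before rotation: {protector.Unprotect(oldToken)}");

// 1. Revoke every key created before the cutoff. Take the cutoff *before*
//    creating the replacement key, otherwise the new key is revoked as well.
DateTimeOffset cutoff = DateTimeOffset.UtcNow;
keyManager.RevokeAllKeys(cutoff, reason: "post-patch key ring rotation");

// 2. Create the replacement key, active immediately. 90 days matches the
//    framework's default key lifetime.
keyManager.CreateNewKey(
    activationDate: DateTimeOffset.UtcNow,
    expirationDate: DateTimeOffset.UtcNow.AddDays(90));

// 3. Verify. Writing the revocation expires the in-process key ring cache, so
//    the next Unprotect sees the revoked key and throws CryptographicException.
try
{
    protector.Unprotect(oldToken);
    Console.WriteLine("UNEXPECTED: pre-rotation token still accepted");
}
catch (CryptographicException ex)
{
    Console.WriteLine($"pre-rotation token rejected: {ex.Message}");
}

// Anything protected from here on is bound to the new key.
string newToken = protector.Protect("user=alice;role=admin");
Console.WriteLine($"post-rotation token accepted: {protector.Unprotect(newToken)}");
```

Run it with `dotnet run` from a console project that references both packages. Two practical caveats: revoking the ring also invalidates legitimate cookies and tokens, so every user re-authenticates, and every instance sharing the key store must read the same ring (which is why the revocation is written to the store rather than done per process). Before declaring the incident closed, confirm no project still pulls in an affected version, including transitively, with `dotnet list package --vulnerable --include-transitive`.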