Thursday, April 23, 2026

Microsoft issues emergency update for macOS and Linux ASP.NET threat
Microsoft has released an emergency patch for ASP.NET Core that fixes a high-severity vulnerability allowing unauthenticated attackers to gain SYSTEM privileges on Linux and macOS devices running apps built on the web development framework.

The software maker said Tuesday evening that the vulnerability, tracked as CVE-2026-40372, affects versions 10.0.0 through 10.0.6 of the Microsoft.AspNetCore.DataProtection NuGet package, which is part of the framework. The critical flaw stems from faulty verification of cryptographic signatures. It can be exploited to allow unauthenticated attackers to forge authentication payloads during HMAC validation, the process that verifies the integrity and authenticity of data exchanged between a client and a server.

Beware: Forged credentials survive patching

While users ran a vulnerable version of the package, they were exposed to an attack that allows unauthenticated people to gain SYSTEM privileges and fully compromise the underlying machine. Even after the vulnerability is patched, devices may remain compromised if authentication credentials created by a threat actor aren’t purged.

“If an attacker used forged payloads to authenticate as a privileged user during the vulnerable window, they may have induced the application to issue legitimately-signed tokens (session refresh, API key, password reset link, etc.) to themselves,” Microsoft said. “Those tokens remain valid after upgrading to 10.0.7 unless the DataProtection key ring is rotated.”

Microsoft describes ASP.NET Core as a “high-performance” web development framework for writing .NET apps that run on Windows, macOS, Linux, and Docker. The open-source package is “designed to allow runtime components, APIs, compilers, and languages [to] evolve quickly, while still providing a stable and supported platform to keep apps running.”

Last week, Microsoft updated the package. While investigating reports that decryption was failing in applications using the new version, the company discovered a regression bug that allowed the managed authenticated encryptor to “compute its HMAC validation tag over the wrong bytes of the payload and then discard the computed hash, which could result in elevation of privilege,” Microsoft said. The maximum severity rating for CVE-2026-40372 is 9.1 out of 10.

“If your application uses ASP.NET Core Data Protection, update the Microsoft.AspNetCore.DataProtection package to 10.0.7 as soon as possible to address the decryption regression and security vulnerability,” Microsoft advised.

Affected users are primarily those whose applications actually loaded version 10.0.6 at runtime on macOS, Linux, or any other non-Windows OS. This happens when the application either (1) doesn’t target Microsoft.NET.Sdk.Web or (2) has a Microsoft.AspNetCore.App framework reference, directly or transitively, and the user hasn’t opted out of PrunePackageReference, which is enabled by default in .NET 10.

A smaller set of users are affected when their non-Windows application or library (1) referenced any vulnerable version of Microsoft.AspNetCore.DataProtection and (2) the build consumed the net462 or netstandard2.0 target framework asset of the vulnerable package. Windows apps aren’t affected because DataProtection on Windows defaults to encryptors that don’t contain the bug.
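Because exposure depends on which build of the package the process actually loaded, not on what the project file says, a practical first check is to ask the running application. The following is an added example, not code from Microsoft or the advisory: it reads the metadata of the loaded Microsoft.AspNetCore.DataProtection assembly and reports its patch version, the target framework it was built for (the net462/netstandard2.0 asset is the second affected category above), whether it came from the shared framework directory, and whether the host is non-Windows. The version range, the shared-framework path fragment and the use of the informational version are the assumptions here; the `Report` type and `Inspect` method are illustrative names.

```csharp
using System;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Runtime.Versioning;
using Microsoft.AspNetCore.DataProtection;

// Added example: report which Microsoft.AspNetCore.DataProtection build this
// process loaded and whether it falls in the CVE-2026-40372 range on a
// non-Windows host. Call Inspect() from a startup log line or a diagnostics
// endpoint; it only reads assembly metadata.
public static class DataProtectionAudit
{
    public sealed record Report(
        string Version,
        string TargetFramework,
        string Location,
        bool FromSharedFramework,
        bool NonWindows,
        bool InVulnerableRange);

    public static Report Inspect()
    {
        // DataProtectionProvider is defined in the implementation package
        // (Microsoft.AspNetCore.DataProtection.dll), not in the Abstractions
        // package, so its assembly is the one we need to look at.
        Assembly asm = typeof(DataProtectionProvider).Assembly;

        // AssemblyName.Version is pinned to 10.0.0.0 for every 10.0.x patch, so it
        // cannot tell 10.0.6 from 10.0.7. The informational version carries the
        // package version ("10.0.6+<commit>"); assumption: strip the commit suffix.
        string informational = asm.GetCustomAttribute<AssemblyInformationalVersionAttribute>()
            ?.InformationalVersion ?? "unknown";
        string version = informational.Split('+')[0];

        // The TargetFrameworkAttribute shows which asset of the package was loaded,
        // e.g. ".NETCoreApp,Version=v10.0" versus ".NETStandard,Version=v2.0".
        string tfm = asm.GetCustomAttribute<TargetFrameworkAttribute>()?.FrameworkName ?? "unknown";

        // Location is empty for single-file published apps; treat that as unknown.
        string location = asm.Location ?? string.Empty;
        bool fromShared = location.Replace('\\', '/')
            .Contains("/shared/Microsoft.AspNetCore.App/", StringComparison.OrdinalIgnoreCase);

        bool nonWindows = !RuntimeInformation.IsOSPlatform(OSPlatform.Windows);

        // Affected range from the advisory: 10.0.0 through 10.0.6.
        bool inRange = Version.TryParse(version, out Version? v)
            && v.Major == 10 && v.Minor == 0 && v.Build >= 0 && v.Build <= 6;

        return new Report(version, tfm, location, fromShared, nonWindows, inRange);
    }

    public static void Main()
    {
        Report r = Inspect();
        Console.WriteLine($"DataProtection {r.Version} ({r.TargetFramework})");
        Console.WriteLine($"  loaded from: {(r.Location.Length == 0 ? "<single-file bundle>" : r.Location)}");
        Console.WriteLine($"  shared framework: {r.FromSharedFramework}, non-Windows: {r.NonWindows}");
        Console.WriteLine(r.NonWindows && r.InVulnerableRange
            ? "  STATUS: vulnerable build loaded on a non-Windows host; update to 10.0.7 and rotate keys"
            : "  STATUS: not in the affected version/OS combination");
    }
}
```

Run it once per deployment target rather than once per repository: the same project can resolve a different asset depending on the SDK and PrunePackageReference setting used to build it, which is exactly the distinction the advisory draws.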

As noted earlier, updating is only the first step in remediation. Users should also rotate the DataProtection key ring if their applications served Internet-exposed endpoints while running a vulnerable version. The company advised affected users to audit application-level long-lived artifacts that may have been created during that time; these artifacts survive key rotation and must be rotated at the application layer.
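The key ring rotation Microsoft calls for can be done through the framework's own key manager rather than by deleting files by hand. The block below is an added example, not Microsoft's remediation code: it revokes every key that existed before the rotation moment, mints a fresh key that is active immediately, and shows that a payload protected under the old key ring is rejected afterwards while new payloads round-trip normally. The application name, key directory and purpose string are placeholders; `KeyRingRotation` and `Demo` are illustrative names.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

// Added example: rotate the Data Protection key ring after upgrading to 10.0.7
// so that anything protected under keys that existed during the vulnerable
// window stops validating.
public static class KeyRingRotation
{
    public static void Demo()
    {
        var services = new ServiceCollection();
        services.AddDataProtection()
            .SetApplicationName("example-app")                              // placeholder
            .PersistKeysToFileSystem(new DirectoryInfo("/tmp/dp-keys-example")); // placeholder
        using ServiceProvider sp = services.BuildServiceProvider();

        // A payload protected with the pre-rotation key ring stands in for a
        // session or token an attacker could have obtained during the window.
        IDataProtector protector = sp.GetDataProtector("Auth.Session");
        string legacy = protector.Protect("uid=42;role=admin");

        // Rotation step 1: mark every key created before this instant as revoked.
        // Revocations are persisted in the key ring alongside the keys.
        var keys = sp.GetRequiredService<IKeyManager>();
        DateTimeOffset now = DateTimeOffset.UtcNow;
        keys.RevokeAllKeys(now, reason: "post-CVE-2026-40372 key ring rotation");

        // Rotation step 2: create a replacement key that is active right away.
        // 90 days is the framework's usual key lifetime; adjust to policy.
        keys.CreateNewKey(activationDate: now, expirationDate: now.AddDays(90));

        // The protector resolves the key ring on every call, so the revocation
        // is visible immediately in this process: Unprotect now fails.
        try
        {
            protector.Unprotect(legacy);
            Console.WriteLine("unexpected: legacy payload still validates");
        }
        catch (CryptographicException)
        {
            Console.WriteLine("legacy payload rejected: its key is revoked");
        }

        // New payloads are protected with the fresh key and round-trip normally.
        string fresh = protector.Protect("uid=42;role=admin");
        Console.WriteLine(protector.Unprotect(fresh));
    }

    public static void Main() => Demo();
}
```

Two caveats follow from how the framework works. Other processes sharing the same key repository only see the revocation when they next refresh their cached key ring, so restart every instance after rotating. And rotation only invalidates data the framework itself protected; the artifacts the advisory singles out (API keys, password reset links, refresh tokens the application issued and stored on its own) are untouched by it and have to be revoked in the application's own store.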

Microsoft provides much more detailed instructions here.