Microsoft Rushes Out Critical Patch for ASP.NET Core Flaw Affecting Linux, macOS Systems
Microsoft has released an emergency patch for a high-severity vulnerability in ASP.NET Core that could allow unauthenticated attackers to gain SYSTEM privileges on Linux and macOS machines. The flaw, tracked as CVE-2026-40372, affects versions 10.0.0 through 10.0.6 of the Microsoft.AspNetCore.DataProtection NuGet package, a core component of the framework.
“This is a critical issue that requires immediate attention,” said Jane Hammond, a vulnerability researcher at CyberSec Labs. “Attackers can exploit this without any authentication, giving them full control over the underlying system.” The vulnerability stems from faulty verification of cryptographic signatures: the HMAC on a protected payload is not validated correctly, so an attacker can forge authentication payloads that pass the check.
Background

ASP.NET Core is a cross-platform web framework used to build modern applications on Linux, macOS, and Windows. The Microsoft.AspNetCore.DataProtection package provides the framework's encryption and signing services (by default AES-256-CBC with an HMAC-SHA256 tag) and is what protects authentication cookies, antiforgery tokens and similar state handed to clients. An HMAC (Hash-based Message Authentication Code) is a keyed checksum computed with a secret the server holds; verifying it on the way back in is how the server detects that a client-held payload was tampered with or never issued by it in the first place.
Because the flaw could be exploited while a vulnerable version was running, any credentials an attacker obtained in that window remain valid after the update: the patch corrects the verification logic, but it does not change the keys those sessions and tokens were signed with. “Patching alone is not enough,” added Hammond. “Any authentication tokens created by an attacker must be systematically purged to prevent lingering backdoor access.”
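To make the “patching alone is not enough” point concrete, here is an added example. It is not ASP.NET Core code and not a reproduction of CVE-2026-40372 (the article does not describe the bug's internals); it models a small key ring with an HMAC-SHA256 signed token of the form key_id.payload.tag, shows that a tag does not carry over to a different payload, shows that a session issued under the existing key keeps verifying after the verifier is corrected, and shows that revoking the key ring is what actually invalidates it. The names KeyRing, mint_token, verify_token and the scenario in demo() are the example's own assumptions.

```python
"""Added illustration: why key rotation, not just the patch, ends an attacker's
access. Not ASP.NET Core code; the token format and key ring are modelled here."""
from __future__ import annotations

import base64
import hashlib
import hmac
import os


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class KeyRing:
    """Hypothetical key ring (example only): one active signing key plus the
    set of key IDs that have been revoked."""

    def __init__(self) -> None:
        self.keys: dict[bytes, bytes] = {}
        self.revoked: set[bytes] = set()
        self.active: bytes | None = None

    def create_key(self) -> bytes:
        key_id = os.urandom(8)
        self.keys[key_id] = os.urandom(32)
        self.active = key_id
        return key_id

    def revoke_all(self) -> None:
        """The 'revoke all keys and generate new ones' step from the advisory."""
        self.revoked.update(self.keys)
        self.create_key()


def mint_token(ring: KeyRing, payload: bytes) -> str:
    """Token = key_id.payload.tag with tag = HMAC-SHA256(key, key_id || payload)."""
    key_id = ring.active
    if key_id is None:
        raise RuntimeError("key ring has no active key")
    tag = hmac.new(ring.keys[key_id], key_id + payload, hashlib.sha256).digest()
    return ".".join((_b64e(key_id), _b64e(payload), _b64e(tag)))


def verify_token(ring: KeyRing, token: str) -> bytes | None:
    """Return the payload if the tag verifies under a known, non-revoked key.
    Uses a constant-time comparison and rejects a wrong-length tag."""
    try:
        key_id, payload, tag = (_b64d(part) for part in token.split("."))
    except ValueError:  # wrong number of parts or malformed base64
        return None
    secret = ring.keys.get(key_id)
    if secret is None or key_id in ring.revoked:
        return None
    expected = hmac.new(secret, key_id + payload, hashlib.sha256).digest()
    if len(tag) != len(expected) or not hmac.compare_digest(tag, expected):
        return None
    return payload


def demo() -> dict[str, bool]:
    """Walk through the advisory's scenario; returns which checks held."""
    ring = KeyRing()
    ring.create_key()

    # Constructed scenario: during the vulnerable window the attacker got the
    # server to issue a genuine, correctly signed session for an admin identity.
    attacker_session = mint_token(ring, b"user=admin;role=owner")

    # A tag is bound to its payload: splicing it onto another identity fails.
    kid, _, tag = attacker_session.split(".")
    spliced = ".".join((kid, _b64e(b"user=root;role=owner"), tag))

    results = {
        "session_valid_before_patch": verify_token(ring, attacker_session) is not None,
        "spliced_payload_rejected": verify_token(ring, spliced) is None,
        "garbage_rejected": verify_token(ring, "not-a-token") is None,
    }

    # "Patching" fixes the verifier's logic but touches no key material, so
    # the session issued in the vulnerable window still verifies.
    results["session_still_valid_after_patch_only"] = (
        verify_token(ring, attacker_session) is not None
    )

    # Only revoking the keys it was signed under invalidates it.
    ring.revoke_all()
    results["session_rejected_after_key_rotation"] = (
        verify_token(ring, attacker_session) is None
    )
    results["fresh_session_accepted"] = (
        verify_token(ring, mint_token(ring, b"user=alice")) == b"user=alice"
    )
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```

The last two checks are the whole point: nothing about correcting a verifier changes which tokens it accepts, so a session minted during the window is indistinguishable from a legitimate one until the key it was signed under is revoked.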
What This Means
Organizations using affected versions must immediately patch their systems and then rotate or invalidate all existing authentication secrets. Failure to do so could leave machines compromised even after the update. Microsoft strongly recommends regenerating any data protection keys and clearing persistent session tokens created during the vulnerable window.

“This is not a typical bug—it allows long-term compromise if not fully remediated,” said Alex Rivera, a cybersecurity consultant. “Enterprises should treat this as a breach response, not just a patch cycle.” The advisory from Microsoft emphasizes that forged credentials can bypass later fixes, making post-patch cleanup essential.
Action steps for administrators:
- Update to Microsoft.AspNetCore.DataProtection version 10.0.7 or later immediately.
- Revoke all existing data protection keys and generate new ones (the Data Protection API exposes this as IKeyManager.RevokeAllKeys; a fresh key is created once no usable key remains).
- Force a logout for all users and invalidate any session tokens created before the patch.
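As a first inventory step for item one above, the following added script (example code, not Microsoft tooling) scans SDK-style project files for a pinned Microsoft.AspNetCore.DataProtection version inside the 10.0.0 to 10.0.6 range reported in this article; that range is an assumption taken from the article and should be confirmed against Microsoft's advisory. The sample project files are constructed for the example. It only sees explicit references: a version that arrives through the installed shared framework (Microsoft.AspNetCore.App) or as a transitive dependency will not show up here, so pair it with `dotnet --list-runtimes` and `dotnet list package --include-transitive`.

```python
"""Added example: flag project files that pin an affected
Microsoft.AspNetCore.DataProtection version. Not Microsoft tooling."""
from __future__ import annotations

import xml.etree.ElementTree as ET

PACKAGE = "Microsoft.AspNetCore.DataProtection"
# Affected range as reported in the article; confirm against Microsoft's advisory.
AFFECTED_MIN = (10, 0, 0)
AFFECTED_MAX = (10, 0, 6)


def parse_version(text: str) -> tuple[int, ...]:
    """Parse a plain NuGet version such as '10.0.6'. Raises ValueError for
    ranges ('[10.0.0,11.0)'), wildcards ('10.0.*') and prerelease labels,
    which need a human to look at."""
    text = text.strip()
    if "-" in text or "+" in text:
        raise ValueError(f"prerelease/build metadata in {text!r}")
    return tuple(int(part) for part in text.split("."))


def is_affected(version: str) -> bool | None:
    """True if inside the affected range, False if outside, None if the
    version string could not be parsed and needs manual review."""
    try:
        parts = parse_version(version)
    except ValueError:
        return None
    parts = (parts + (0, 0, 0))[:3]  # '10.0' means 10.0.0
    return AFFECTED_MIN <= parts <= AFFECTED_MAX


def _local(tag: str) -> str:
    """Strip the XML namespace found in old-style project files."""
    return tag.rsplit("}", 1)[-1]


def scan_project(xml_text: str) -> list[tuple[str, str, bool | None]]:
    """Return (element, version, verdict) for every reference to PACKAGE
    in a .csproj or Directory.Packages.props document."""
    hits = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) not in ("PackageReference", "PackageVersion"):
            continue
        if el.get("Include") != PACKAGE:
            continue
        # Version may be an attribute or a child element.
        version = el.get("Version") or (el.findtext("Version") or "")
        hits.append((_local(el.tag), version, is_affected(version)))
    return hits


# Constructed sample project files for the example.
SAMPLE_PROJECTS = {
    "src/Api/Api.csproj": """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="10.0.3" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>""",
    "src/Worker/Worker.csproj": """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.DataProtection">
      <Version>10.0.7</Version>
    </PackageReference>
  </ItemGroup>
</Project>""",
    "Directory.Packages.props": """<Project>
  <ItemGroup>
    <PackageVersion Include="Microsoft.AspNetCore.DataProtection" Version="[10.0.0,11.0)" />
  </ItemGroup>
</Project>""",
}


def audit(projects: dict[str, str]) -> dict[str, list[tuple[str, str, bool | None]]]:
    """Map each project path to its DataProtection references and verdicts."""
    return {path: scan_project(text) for path, text in projects.items()}


if __name__ == "__main__":
    labels = {True: "AFFECTED", False: "ok", None: "REVIEW"}
    for path, hits in audit(SAMPLE_PROJECTS).items():
        for element, version, verdict in hits:
            print(f"{labels[verdict]:9} {path}: {element} {version}")
```

Anything reported as REVIEW (a floating range, wildcard or prerelease) should be resolved with the lock file or `dotnet list package` rather than guessed, since a range such as [10.0.0,11.0) can resolve to either side of the fix.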
The urgency is amplified because the flaw impacts cross-platform deployments, which are often used in containerized environments. “This vulnerability exposes a fundamental gap in cryptographic validation,” noted Rivera. “Every organization using ASP.NET Core on Linux or macOS should treat this as top priority.”
Microsoft has not reported active exploitation but warns that proof-of-concept code could become publicly available soon. The company urges users to apply the patch and follow the post-patch cleanup procedures outlined in its security advisory.