Microsoft released an emergency patch for a high-severity ASP.NET Core vulnerability (CVE-2026-40372) affecting macOS and Linux systems, allowing unauthenticated attackers to gain SYSTEM privileges through cryptographic signature forgery. The flaw impacts versions 10.0.0 through 10.0.6 of the Microsoft.AspNetCore.DataProtection NuGet package. Even after patching, systems may remain compromised if attacker-created authentication tokens aren't purged through key ring rotation.
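To check whether a project pulls in an affected build, the following added example (not from the article or from Microsoft) scans an SDK-style .csproj and a published .deps.json for Microsoft.AspNetCore.DataProtection versions in the stated 10.0.0 through 10.0.6 range. The file layouts and sample inputs are assumptions constructed for illustration; prerelease and floating version strings are left unclassified because the article does not cover them.

```python
import json
import re
import xml.etree.ElementTree as ET

PACKAGE = "microsoft.aspnetcore.dataprotection"  # compared case-insensitively
AFFECTED = ((10, 0, 0), (10, 0, 6))  # inclusive range as stated in the article

def is_affected(version):
    """True only for a stable x.y.z version inside the stated range."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:  # prerelease, floating or range specifiers are not classified
        return False
    return AFFECTED[0] <= tuple(map(int, m.groups())) <= AFFECTED[1]

def versions_in_csproj(text):
    """Direct PackageReference entries of an SDK-style project file."""
    return [el.get("Version") or el.findtext("Version") or ""
            for el in ET.fromstring(text).iter("PackageReference")
            if (el.get("Include") or "").lower() == PACKAGE]

def versions_in_deps_json(text):
    """Resolved packages, transitive ones included, from a *.deps.json file."""
    found = []
    for key, meta in json.loads(text).get("libraries", {}).items():
        name, _, version = key.partition("/")
        if name.lower() == PACKAGE and meta.get("type") == "package":
            found.append(version)
    return found

def audit(csproj_text, deps_text):
    """Sorted set of affected versions seen in either file."""
    seen = versions_in_csproj(csproj_text) + versions_in_deps_json(deps_text)
    return sorted({v for v in seen if is_affected(v)})

# Constructed sample inputs (not taken from any real project).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="10.0.4" />
    <PackageReference Include="Example.Logging" Version="2.1.0" />
  </ItemGroup>
</Project>"""
SAMPLE_DEPS = json.dumps({"libraries": {
    "Microsoft.AspNetCore.DataProtection/10.0.6": {"type": "package"},
    "Microsoft.AspNetCore.DataProtection.Abstractions/10.0.6": {"type": "package"},
    "ExampleApp/1.0.0": {"type": "project"}}})

if __name__ == "__main__":
    print(audit(SAMPLE_CSPROJ, SAMPLE_DEPS))
```

A clean result only covers the package version; it says nothing about whether the key ring still needs rotating to invalidate tokens issued before the upgrade.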
Background
ASP.NET Core is Microsoft's open-source web development framework for building cross-platform applications on Windows, macOS, Linux, and Docker. The DataProtection package provides cryptographic services for securing authentication tokens and sensitive data.
- Source: Ars Technica
- Published: Apr 23, 2026 at 03:32 AM
- Score: 8.0 / 10