Microsoft has issued an emergency patch for a critical vulnerability in its ASP.NET Core framework, which could allow unauthenticated attackers to gain SYSTEM privileges on devices running Linux or macOS applications built with the framework.
The software giant disclosed the flaw on Tuesday evening, warning that the vulnerability, tracked as CVE-2026-40372, impacts versions 10.0.0 through 10.0.6 of the Microsoft.AspNetCore.DataProtection NuGet package—a core component of ASP.NET Core used for data protection and cryptographic operations.
How the Vulnerability Works
The flaw stems from a faulty verification of cryptographic signatures, enabling attackers to forge authentication payloads during the HMAC validation process. This process is critical for verifying the integrity and authenticity of data exchanged between a client and a server. By exploiting this weakness, unauthenticated threat actors could bypass security controls and inject malicious payloads to escalate privileges.
Risks and Persistent Threats
Devices running vulnerable versions of the package were exposed to attacks that allowed unauthenticated individuals to gain SYSTEM-level access, compromising the entire underlying machine. Even after applying the patch, organizations must remain vigilant. Forged credentials created by attackers during the vulnerability window may persist post-patching, necessitating a thorough review and cleanup of authentication tokens and sessions.
Immediate Actions for Users
- Update immediately: Install the latest patched version of the Microsoft.AspNetCore.DataProtection NuGet package (version 10.0.7 or later).
- Audit credentials: Review and revoke any authentication tokens or sessions that may have been compromised during the vulnerability window.
- Monitor systems: Implement enhanced monitoring to detect any signs of exploitation or unauthorized access.
Microsoft has not reported any active exploitation of this vulnerability in the wild as of the time of disclosure. However, given the severity of the flaw, users are strongly advised to apply the patch without delay to mitigate potential risks.
Related articles
Fired IT Workers Accidentally Record Own Database Sabotage via Active Teams Call
Perhaps you remember Muneeb and Sohaib Akhter, the 34-year-old twin brothers we profiled earlier this week. Although they had the tech chops to commit...
Xbox Elite 3 Controller Leaked: New Images Reveal Design and Features Ahead of Launch
Hours after a smaller Xbox Cloud Gaming controller appeared online, Brazil's Anatel regulator has also accidentally published images of what appears t...
OpenAI Integrates Codex into ChatGPT Mobile App, Expanding AI Coding Capabilities
OpenAI is going to let users access Codex, its desktop AI tool that can write code and use apps on your computer, from the ChatGPT app on your phone....
Microsoft Reverses Course: Cancels Majority of Claude Code Licenses, Shifts Focus to Copilot CLI
Microsoft first started opening up access to Claude Code in December, inviting thousands of its own developers to use Anthropic's AI coding tool daily...
Colorado's Age-Gating Bill Sparks Backlash from Linux Developers Over Privacy Concerns
In January, Colorado lawmakers introduced a proposal to make operating systems collect users' ages and pass them to app developers. The bill, SB26-051...
Microsoft’s Tiny Unreleased Cloud Controller Spotted: Direct Wi-Fi Connection Boosts Xbox Cloud Gaming Latency
It reportedly uses Wi-Fi to directly connect to the Xbox Cloud Gaming service, for lower latency.
Windows 11 BitLocker Bypassed by Zero-Day Exploit 'YellowKey' in Seconds
A zero-day exploit circulating online allows people with physical access to a Windows 11 system to bypass default BitLocker protections and gain compl...
OpenAI Confirms No User Data Accessed in ChatGPT Mac App Security Breach
OpenAI found no evidence that user data was accessed.