arstechnica.com 4/22/2026, 8:09:40 PM · via preferred

Emergency ASP.NET Core patch fixes CVE-2026-40372 Linux/macOS flaw

CyberSIXT Evidence Panel
Primary Source: github.com
CVE Intel
CISA KEV: Not in KEV
Patch: Patch Available

According to Microsoft, an emergency patch has been released for ASP.NET Core to fix a high-severity vulnerability that could allow unauthenticated attackers to elevate privileges on Linux or macOS hosts running the framework. The flaw, tracked as CVE-2026-40372, affects Microsoft.AspNetCore.DataProtection versions 10.0.0 through 10.0.6 and stems from faulty verification of the HMAC that authenticates DataProtection payloads: an attacker can forge an authentication payload that passes validation.

Applying the 10.0.7 update alone is not enough. Credentials minted by an attacker during the vulnerable window remain valid until they are purged. Microsoft warns that a forged payload used to authenticate as a privileged user can cause the application to issue the attacker legitimately signed tokens, and those tokens keep working after the patch unless the DataProtection key ring is rotated.

Windows applications are not affected because the encryptors DataProtection uses by default on Windows do not contain the bug. Affected users are advised to update the package to 10.0.7, rotate the DataProtection key ring so that anything protected with the old keys stops validating, and audit long-lived artifacts at the application layer (such as credentials created while the flaw was exploitable).
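The key-ring rotation the advice above calls for can be done with the public IKeyManager API. The following is an added example, not code from the Ars Technica article, from Microsoft's advisory, or from the DataProtection package itself; it assumes a minimal-API app, a shared key directory (/var/lib/my-app/keys), the application name "my-app", and an environment variable ROTATE_DP_KEYS used to trigger the one-shot rotation at deploy time. All of those names are assumptions.

```csharp
// Added example: rotate the ASP.NET Core DataProtection key ring after
// updating to 10.0.7, so that auth cookies, antiforgery tokens and any other
// payloads protected with keys that existed during the vulnerable window
// stop validating. Not code from the article or from the package.
using System;
using System.IO;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

var builder = WebApplication.CreateBuilder(args);

// Keys must live where every instance of the app can see them; otherwise a
// rotation performed on one node leaves the others trusting the old keys.
// Application name and key path are assumptions for this example.
builder.Services.AddDataProtection()
    .SetApplicationName("my-app")
    .PersistKeysToFileSystem(new DirectoryInfo("/var/lib/my-app/keys"));

var app = builder.Build();

// One-shot rotation, gated on an environment variable (assumed name) so it
// runs once at deploy time rather than on every restart.
if (Environment.GetEnvironmentVariable("ROTATE_DP_KEYS") == "1")
{
    var keyManager = app.Services.GetRequiredService<IKeyManager>();
    var now = DateTimeOffset.UtcNow;

    // Revoke every key created before 'now'. The normal Unprotect path refuses
    // revoked keys, which is what invalidates tokens an attacker obtained
    // while the HMAC check was broken. Only a caller that explicitly uses
    // IPersistedDataProtector.DangerousUnprotect can still read old payloads.
    keyManager.RevokeAllKeys(now,
        reason: "CVE-2026-40372: revoke keys that existed during the vulnerable window");

    // Mint a replacement key that is active immediately. Its creation date is
    // taken after 'now', so it is not caught by the revocation above. The
    // 90-day lifetime mirrors DataProtection's default rotation period.
    IKey fresh = keyManager.CreateNewKey(activationDate: now, expirationDate: now.AddDays(90));
    app.Logger.LogInformation("DataProtection key ring rotated; new key {KeyId}", fresh.KeyId);
}

app.Run();
```

Rotating the ring logs every legitimate user out as well, so schedule it accordingly. It also only covers artifacts that DataProtection itself protects; server-side state an attacker may have created with a forged identity (accounts, stored API keys, persisted sessions) is not touched by key rotation and still has to be audited by hand, which is the application-layer review the advisory asks for.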


Article by CyberSIXT
