Breaking
CN国家发改委紧急安排1亿元支持广西台风灾后应急恢复RUРоссиянин впал в кому после ДТП во Вьетнаме, близкие собирают средства на лечениеINTLMelbourne Footballer Dies After On-Field Head Clash and FallRUСловакия поддержит итоги саммита НАТО, но откажется от финансовой военной помощи УкраинеITNipote di Raúl Castro pronto a negoziare con TrumpTRİzmir'de Geri Dönüşüm Fabrikasında Yangın: Gökyüzü Dumanla KaplandıARالصحافة البرازيلية تصف الهزيمة أمام النرويج بـ "الصدمة الجديدة" وتفتح ملف الفشل أمام الأوروبيينESFrancia enfrenta una prematura temporada de incendios tras ola de calorAUChina warns Australia over Pacific military alliance with FijiCN河南夏收结束,秸秆去哪儿了?离田利用率低成难题CN国家发改委紧急安排1亿元支持广西台风灾后应急恢复RUРоссиянин впал в кому после ДТП во Вьетнаме, близкие собирают средства на лечениеINTLMelbourne Footballer Dies After On-Field Head Clash and FallRUСловакия поддержит итоги саммита НАТО, но откажется от финансовой военной помощи УкраинеITNipote di Raúl Castro pronto a negoziare con TrumpTRİzmir'de Geri Dönüşüm Fabrikasında Yangın: Gökyüzü Dumanla KaplandıARالصحافة البرازيلية تصف الهزيمة أمام النرويج بـ "الصدمة الجديدة" وتفتح ملف الفشل أمام الأوروبيينESFrancia enfrenta una prematura temporada de incendios tras ola de calorAUChina warns Australia over Pacific military alliance with FijiCN河南夏收结束,秸秆去哪儿了?离田利用率低成难题
Newsgather
BackMicrosoft Issues Emergency Patch for Critical ASP.NET Core Vulnerability Allowing SYSTEM Privilege Escalation
Microsoft Issues Emergency Patch for Critical ASP.NET Core Vulnerability Allowing SYSTEM Privilege Escalation
Urgent
Ars Technica4/22/2026Tech2 min readUnited States

Microsoft Issues Emergency Patch for Critical ASP.NET Core Vulnerability Allowing SYSTEM Privilege Escalation

CVE-2026-40372 affects Microsoft.AspNetCore.DataProtection NuGet versions 10.0.0-10.0.6 on Linux and macOS, with severity rating of 9.1/10

Quick Look

  • Microsoft released an emergency patch for a critical vulnerability (CVE-2026-40372) in ASP.NET Core's DataProtection NuGet package.
  • The flaw affects versions 10.0.0-10.0.6 on Linux and macOS systems, allowing unauthenticated attackers to forge authentication payloads and gain SYSTEM privileges.
  • The vulnerability stems from faulty HMAC signature verification.

AI-generated summary

Why It Matters

ASP.NET Core is a high-performance web development framework for .NET apps running on Windows, macOS, Linux, and Docker. The Microsoft.AspNetCore.DataProtection NuGet package is used to verify integrity and authenticity of data exchanged between clients and servers using HMAC validation.

Font size

Microsoft released an emergency patch for its ASP.NET Core to fix a high-severity vulnerability that allows unauthenticated attackers to gain SYSTEM privileges on devices that use the Web development framework to run Linux or macOS apps. The software maker said Tuesday evening that the vulnerability, tracked as CVE-2026-40372, affects versions 10.0.0 through 10.0.6 of the Microsoft.AspNetCore.DataProtection NuGet, a package that's part of the framework. The critical flaw stems from a faulty verification of cryptographic signatures. It can be exploited to allow unauthenticated attackers to forge authentication payloads during the HMAC validation process, which is used to verify the integrity and authenticity of data exchanged between a client and a server. Beware: Forged credentials survive patching. During the time users ran a vulnerable version of the package, they were left open to an attack that would allow unauthenticated people to gain sensitive SYSTEM privileges that would allow full compromise of the underlying machine. Even after the vulnerability is patched, devices may still be compromised if authentication credentials created by a threat actor aren't purged. "If an attacker used forged payloads to authenticate as a privileged user during the vulnerable window, they may have induced the application to issue legitimately-signed tokens (session refresh, API key, password reset link, etc.) to themselves," Microsoft said. "Those tokens remain valid after upgrading to 10.0.7 unless the DataProtection key ring is rotated." Microsoft describes ASP.NET Core as a "high-performance" web development framework for writing .Net apps that run on Windows, macOS, Linux, and Docker. The open-source package is "designed to allow runtime components, APIs, compilers, and languages [to] evolve quickly, while still providing a stable and supported platform to keep apps running." Last week, Microsoft updated the package. While investigating reports that decryption was failing in applications using the new version, the company discovered a regression bug that allowed the managed authenticated encryptor to "compute its HMAC validation tag over the wrong bytes of the payload and then discard the computed hash, which could result in elevation of privilege," Microsoft said. The maximum severity rating for CVE-2026-40372 is 9.1 out of 10. "If your application uses ASP.NET Core Data Protection, update the Microsoft.AspNetCore.DataProtection package to 10.0.7 as soon as possible to address the decryption regression and security vulnerability," Microsoft advised. Affected users are primarily those who used version 10.0.6 that was actually loaded at runtime on macOS, Linux, or any other non-Windows OS. This condition occurs when either the application (1) doesn't target the Microsoft.NET.Sdk.Web or (2) has a Microsoft.AspNetCore.App framework reference either directly or transitively, and users haven't opted out of PrunePackageReference, which is enabled by default in .NET 10. A smaller set of users are affected when their non-Windows application or library (1) used any vulnerable version and referenced Microsoft.AspNetCore.DataProtection versions and (2) the build consumed the net462 or netstandard2.0 target framework asset of the vulnerable package. Windows apps aren't affected because DataProtection by default uses encryptors that don't contain the bug. As noted earlier, updating is only the first step in the remediation process. Users should also rotate the DataProtection key ring if their applications served Internet-exposed endpoints while using a vulnerable version. The company advised affected users to audit application-level long-lived artifacts that may have been created during that time. These artifacts will survive key rotation and must be rotated at the application layer. Microsoft provides much more detailed instructions here.

What to Watch

AI outlook — possibilities, not facts

  • More organizations will disclose similar vulnerabilities in cryptographic implementations in other frameworks

    Possible · Within months

  • Microsoft will release additional guidance on key rotation procedures

    Likely · Within weeks

Open Questions

  • How many systems were actually compromised during the vulnerable window
  • Whether any threat actors actively exploited this vulnerability in the wild
  • Specific timeline of when Microsoft first became aware of the vulnerability

Related Topics

This article was originally published by Ars Technica.

Related Stories

More on this topiccybersecurity vulnerability