Microsoft Releases Emergency Patch to Fix Critical ASP.NET Core Vulnerability
In a notable security update, Microsoft has addressed a high-severity vulnerability in its ASP.NET Core framework that could allow unauthenticated attackers to gain SYSTEM privileges on devices running Linux or macOS. The patch was released as an emergency response to the issue tracked as CVE-2026-40372.
Understanding the Vulnerability
The vulnerability primarily affects versions 10.0.0 through 10.0.6 of the Microsoft.AspNetCore.DataProtection NuGet package, an integral part of the ASP.NET Core framework. The core problem is improper verification of cryptographic signatures during HMAC validation, the step that is supposed to guarantee the integrity and authenticity of data exchanged between clients and servers. Because that check can be bypassed, malicious actors are able to forge authentication payloads that the application accepts as genuine.
Risks of Compromise
Users running vulnerable versions of the software have been at significant risk. During the vulnerable window an attacker could exploit the flaw to gain SYSTEM privileges, potentially leading to full compromise of the affected systems. One critical point to note is that applying the patch alone may not be enough: credentials an attacker obtained by forging payloads during that window can remain valid afterwards.
According to Microsoft, “If an attacker used forged payloads to authenticate as a privileged user during the vulnerable window, they may have induced the application to issue legitimately-signed tokens (session refresh, API key, password reset link, etc.) to themselves.” These tokens maintain their validity following an upgrade to version 10.0.7 unless the DataProtection key ring is explicitly rotated.
About ASP.NET Core
Microsoft’s ASP.NET Core is recognized as a “high-performance” web development framework designed for building .NET applications that can run on various platforms, including Windows, macOS, Linux, and Docker. The framework is open-source, promoting rapid evolution of runtime components, APIs, compilers, and programming languages, while ensuring a stable platform for application deployment.
To remain secure, developers and organizations utilizing ASP.NET Core are strongly encouraged to implement the latest update and review their authentication mechanisms, especially focusing on the rotation of DataProtection keys if their systems were previously vulnerable.
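One way to carry out the key ring rotation the article recommends, as an added example that is not from the article or from Microsoft: it uses the framework's IKeyManager from Microsoft.AspNetCore.DataProtection.KeyManagement to revoke every existing key and activate a fresh one, so tokens minted during the vulnerable window stop validating. The KeyRingRotation helper name, the 90-day lifetime and the calling arrangement are assumptions.

```csharp
// Added example, not from the article or from Microsoft: revoke the
// DataProtection key ring and issue a fresh key after the CVE-2026-40372
// vulnerable window. Assumes the app already registers DataProtection via
// services.AddDataProtection() with a persisted key repository that is
// shared by every instance of the application.
using System;
using System.Linq;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

public static class KeyRingRotation   // hypothetical helper name
{
    // Returns the id of the newly created key. Run once, from an operator-only
    // code path (for example a hosted startup task), on an instance that uses
    // the production key repository.
    public static Guid RotateAfterIncident(IServiceProvider services, string reason)
    {
        var keyManager = services.GetRequiredService<IKeyManager>();
        var now = DateTimeOffset.UtcNow;

        // Revoke every key created before 'now'. Unprotect() rejects payloads
        // protected with a revoked key, so auth cookies, API keys and
        // password-reset links minted during the vulnerable window (whether
        // forged or legitimately issued to the attacker) stop validating.
        // Legitimate users are signed out as well and must log in again.
        keyManager.RevokeAllKeys(now, reason);

        // Activate a replacement key immediately; 90 days is the assumed
        // lifetime used here, matching the framework's default key lifetime.
        IKey fresh = keyManager.CreateNewKey(activationDate: now,
                                             expirationDate: now.AddDays(90));

        // Verify: exactly one usable key remains and it is the new one.
        var usable = keyManager.GetAllKeys()
            .Where(k => !k.IsRevoked && k.ActivationDate <= now && k.ExpirationDate > now)
            .ToList();
        if (usable.Count != 1 || usable[0].KeyId != fresh.KeyId)
            throw new InvalidOperationException("Key ring rotation did not take effect.");

        // Other instances sharing the repository pick up the change when
        // they next refresh their cached key ring.
        return fresh.KeyId;
    }
}
```

Creating a new key without revoking the old ones is not sufficient, because the old keys would still be accepted for unprotecting previously issued tokens.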
For further details, you can read the full article here.
Image Credit: arstechnica.com