Quick Facts
- Category: Technology
- Published: 2026-05-02 08:00:58
Microsoft has released an urgent security update for ASP.NET Core to address a high-severity vulnerability affecting applications running on macOS and Linux. This flaw, tracked as CVE-2026-40372, allows unauthenticated attackers to gain SYSTEM privileges, potentially compromising the entire machine. The following Q&A breaks down the details, risks, and necessary actions.
What is this vulnerability and why is it critical?
The vulnerability, designated CVE-2026-40372, is a cryptographic signature verification flaw found in the Microsoft.AspNetCore.DataProtection NuGet package (versions 10.0.0 through 10.0.6). It is classified as high-severity because it enables an unauthenticated attacker to bypass HMAC validation—a process used to ensure data integrity and authenticity between client and server. By forging authentication payloads, attackers can escalate privileges to SYSTEM level, the highest on the operating system. This grants them full control over the affected device, including the ability to install malware, steal data, or pivot to other systems. The flaw is particularly dangerous because it requires no prior access or credentials to exploit.

Which platforms and versions are affected?
The vulnerability impacts only applications that use ASP.NET Core to run on macOS or Linux. Windows-based deployments are not affected. Specifically, it affects versions 10.0.0 through 10.0.6 of the Microsoft.AspNetCore.DataProtection NuGet package, which is part of the ASP.NET Core framework. Developers using these versions should consider themselves at risk until they update to the patched release. The package is often used for encrypting and protecting sensitive data like cookies, tokens, and keys in web applications.
How does the attack exploit the cryptographic flaw?
The attack leverages a faulty cryptographic signature check. In normal operation, HMAC (Hash-Based Message Authentication Code) validates that data hasn't been tampered with during transmission. However, due to a coding error in the vulnerable package, the HMAC validation process can be tricked. An unauthenticated attacker sends a specially crafted request that contains a forged authentication payload. Because the signature verification is flawed, the server accepts this payload as legitimate, allowing the attacker to impersonate any user or service. Once authenticated with forged credentials, the attacker can escalate privileges to SYSTEM by exploiting the trust relationship within the framework. No brute force or password cracking is needed; the flaw directly subverts security.
Why do forged credentials survive after patching?
Patching the vulnerability stops new attacks, but it does not automatically invalidate any authentication credentials that may have been created by a threat actor before the patch was applied. If an attacker exploited the flaw to generate valid-looking tokens or session keys, those credentials remain trusted by the system even after the software fix. This means the attacker could retain elevated access unless administrators actively purge all existing authentication data. Microsoft warns that simply updating the NuGet package is insufficient; organizations must also rotate keys, clear caches, and force re-authentication for all users to ensure no backdoor credentials persist. This is a critical step often overlooked in emergency response.
What actions should developers and administrators take immediately?
First, update the Microsoft.AspNetCore.DataProtection package to a patched version (10.0.7 or later). Second, after patching, perform these steps:

- Rotate all cryptographic keys used for data protection, including those stored in files, databases, or Azure Key Vault.
- Clear all existing authentication tokens and sessions from servers and clients. Require users to log in again.
- Review logs for any suspicious activity or unauthorized access that may have occurred while the vulnerability was unpatched.
- Apply the fix to all affected environments - development, staging, and production - as the vulnerability can be exploited from any network-facing instance.
Finally, consider enabling additional monitoring for HMAC validation errors or unexpected token usage patterns.
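
To confirm that the update reached every environment, the following added example (not Microsoft's tooling and not part of the original article) scans a source or deployment tree for references to the package and flags versions in the 10.0.0 through 10.0.6 range stated above. The function names are this example's own, and it assumes the usual .csproj, packages.lock.json and *.deps.json layouts; a version it cannot parse is returned as None for manual review.

```python
import json
import re
import xml.etree.ElementTree as ET
from pathlib import Path

PACKAGE = "Microsoft.AspNetCore.DataProtection"
AFFECTED_MIN, AFFECTED_MAX = (10, 0, 0), (10, 0, 6)  # range stated in the article

def parse_version(text):
    """Return (major, minor, patch) from '10.0.5' or '[10.0.5, )'; None if no version."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text or "")
    return tuple(int(g or 0) for g in m.groups()) if m else None

def is_affected(version_text):
    """True/False for a parsable version, None when it needs manual review."""
    v = parse_version(version_text)
    return None if v is None else AFFECTED_MIN <= v <= AFFECTED_MAX

def versions_in_file(path):
    """Yield every version of PACKAGE referenced by one project or build-output file."""
    path = Path(path)
    if path.name.endswith(".deps.json"):
        # Published output: keys under "libraries" look like "Name/Version".
        for key in json.loads(path.read_text(encoding="utf-8-sig")).get("libraries", {}):
            name, _, version = key.partition("/")
            if name.lower() == PACKAGE.lower():
                yield version
    elif path.name == "packages.lock.json":
        # Lock file: dependencies -> target framework -> package -> "resolved".
        for deps in json.loads(path.read_text(encoding="utf-8-sig")).get("dependencies", {}).values():
            for name, info in deps.items():
                if name.lower() == PACKAGE.lower():
                    yield info.get("resolved", "")
    elif path.suffix == ".csproj":
        # Project file: <PackageReference Include="..." Version="..."/>.
        for el in ET.parse(path).getroot().iter():
            if el.tag.endswith("PackageReference") and el.get("Include", "").lower() == PACKAGE.lower():
                yield el.get("Version") or el.findtext("{*}Version") or ""

def scan(root):
    """Return sorted (path, version, affected) for every reference found below root."""
    hits = []
    for pattern in ("*.deps.json", "packages.lock.json", "*.csproj"):
        for path in Path(root).rglob(pattern):
            hits += [(str(path), v, is_affected(v)) for v in versions_in_file(path)]
    return sorted(hits)

if __name__ == "__main__":
    for path, version, affected in scan("."):
        print(f"{'AFFECTED' if affected else 'review' if affected is None else 'ok':8} {version or '?':12} {path}")
```

The scan only sees explicit package references recorded in those three file types; a version set elsewhere (for example in Directory.Packages.props) appears as None or not at all.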
Why did Microsoft issue this as an emergency patch?
Microsoft classifies certain updates as "emergency" when they address vulnerabilities that are being actively exploited or pose an imminent, severe risk to users. In this case, the ability for an unauthenticated attacker to gain SYSTEM privileges without any user interaction meets the threshold. Additionally, the flaw affects cross-platform deployments (macOS and Linux), which are increasingly common in modern cloud and hybrid environments. The urgency is heightened by the fact that forged credentials survive patching, meaning delayed response could lead to prolonged compromises. Microsoft released the fix outside of its regular Patch Tuesday schedule to minimize the window of exposure for organizations using ASP.NET Core on non-Windows systems.
What is the full impact of SYSTEM privilege compromise?
SYSTEM privileges represent the highest level of access on macOS and Linux environments (equivalent to root). An attacker with such privileges can:
- Install persistent malware, backdoors, or rootkits.
- Read, modify, or delete any file on the system.
- Access and exfiltrate sensitive data including databases, configuration files, and user credentials.
- Disable security software and monitoring tools.
- Leverage the compromised machine to attack other systems on the network.
Because the exploit doesn't require authentication, it can be performed remotely without any prior access. This makes it a favored vector for advanced persistent threats. Organizations using ASP.NET Core on Linux or macOS should treat this vulnerability with the highest priority.