ASP.NET Core Emergency Patch: Critical Flaw Exposes macOS and Linux Systems to Full Compromise

Microsoft has released an emergency security update for ASP.NET Core to address a high-severity vulnerability that could allow unauthenticated attackers to gain SYSTEM-level privileges on macOS and Linux systems. The flaw, identified as CVE-2026-40372, affects the Microsoft.AspNetCore.DataProtection NuGet package in versions 10.0.0 through 10.0.6. Below, we break down the key details in a Q&A format to help you understand the risk and take immediate action.

1. What is the vulnerability CVE-2026-40372 and why is it critical?

CVE-2026-40372 is a cryptographic signature verification flaw in ASP.NET Core’s data protection system. It allows an unauthenticated attacker to forge authentication payloads during HMAC validation—a process that normally ensures data integrity between client and server. This means an attacker can bypass authentication entirely without needing any credentials. Once exploited, the attacker can gain SYSTEM privileges, the highest level of access on a machine, enabling full compromise of the underlying system. Microsoft rates this vulnerability as high severity because it does not require authentication and can be executed remotely, making it a prime target for widespread exploitation.

2. Which versions of ASP.NET Core are affected?

The vulnerability is present in the Microsoft.AspNetCore.DataProtection NuGet package, but only versions 10.0.0 through 10.0.6 are vulnerable. This package is a core component of ASP.NET Core used to protect sensitive data like authentication tokens and cookies. If you are running an ASP.NET Core application on macOS or Linux and are using any of these versions, your system is at risk. Microsoft has released a patched version (10.0.7) to address the issue. It is crucial to check your project dependencies immediately and upgrade to the latest version to close the security gap.

3. How does the exploit work?

The exploit leverages a faulty cryptographic signature verification in the HMAC (Hash-based Message Authentication Code) validation routine. HMAC is used to verify that data has not been tampered with in transit. However, due to a logic error, an attacker can craft a specially forged payload that passes the HMAC check even though it is not legitimate. This allows them to inject malicious authentication tokens, effectively impersonating any user or gaining system-level credentials without a valid login. The attack requires no prior access to the system—only network connectivity to the vulnerable service. Because the forged payload passes validation, the system treats it as genuine, granting the attacker elevated privileges.

4. What are the risks of this vulnerability?

The primary risk is complete system compromise. An attacker with SYSTEM privileges can execute arbitrary commands, install malware, access sensitive data, modify system configurations, and pivot to other connected systems. This is especially dangerous for production servers hosting web applications, as it could lead to data breaches, service disruption, or lateral movement within an organization’s network. Furthermore, because the flaw affects both macOS and Linux—platforms often considered more secure—it underscores the need for vigilance across all operating environments. Even after applying the patch, systems may remain compromised if attacker-created credentials are not purged.

5. Why do forged credentials survive even after patching?

When an attacker exploits CVE-2026-40372, they can generate persistent authentication credentials (such as session tokens or encrypted cookies) that are stored on the server or client side. Patching the vulnerability stops new attacks but does not automatically invalidate existing forged tokens that have already been created. If these tokens are not explicitly removed, the attacker can continue to use them to maintain access to the system indefinitely. As Microsoft’s advisory emphasizes, administrators must not only update the affected package but also purge any credentials that may have been created during the vulnerable window. This includes clearing data protection key stores and rotating all application secrets.

6. How can I protect my systems?

Immediate steps include:

• Update the Microsoft.AspNetCore.DataProtection NuGet package to version 10.0.7 or later.
• After updating, purge all existing authentication tokens and data protection keys to invalidate any forged credentials that may have been created.
• Rotate any secret keys or certificates used by your application.
• Review server logs for signs of unauthorized access during the period your system was vulnerable.
• Apply the principle of least privilege to limit potential damage even if an attacker gains SYSTEM access—though this vulnerability directly undermines that layer.
• Monitor Microsoft’s security advisories for further updates.

7. Are macOS and Linux users more affected than Windows users?

This specific vulnerability is particularly impactful for macOS and Linux environments because ASP.NET Core on those platforms is often used in cloud-native, containerized, or cross-platform deployments. However, Windows systems running ASP.NET Core are not immune—they are also affected if they use the same vulnerable DataProtection package. The exploit works on any operating system where ASP.NET Core is installed. Nonetheless, macOS and Linux users may be caught off guard because these platforms have historically been less targeted by ASP.NET-specific vulnerabilities. The key takeaway is that all ASP.NET Core users—regardless of OS—should patch immediately and follow credential cleanup steps.