Microsoft emergency update patches macOS, Linux ASP.NET flaw

Summary
– Microsoft issued an emergency patch for a high-severity vulnerability in ASP.NET Core.
– The flaw, CVE-2026-40372, affects versions 10.0.0 through 10.0.6 of the Microsoft.AspNetCore.DataProtection NuGet package.
– It allows unauthenticated attackers to forge authentication payloads due to faulty cryptographic signature verification.
– Successful exploitation grants attackers SYSTEM privileges, enabling full compromise of the underlying Linux or macOS machine.
– Even after patching, devices may remain compromised if forged attacker credentials are not removed.

Microsoft has issued an urgent security update to address a critical vulnerability in its ASP.NET Core framework, specifically impacting applications running on Linux and macOS. The flaw, identified as CVE-2026-40372, enables unauthenticated attackers to achieve SYSTEM-level privileges, granting them complete control over the affected machine. This emergency patch underscores the significant risk posed to web applications built with this popular Microsoft development platform.
The security weakness resides in versions 10.0.0 to 10.0.6 of the Microsoft.AspNetCore.DataProtection NuGet package. A failure in the cryptographic signature verification process allows threat actors to forge authentication payloads. This exploit targets the HMAC validation mechanism, which is designed to ensure the integrity and authenticity of data transmitted between clients and servers. By bypassing this security check, attackers can impersonate legitimate users with elevated permissions.
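To check whether a project resolves one of the versions named above, including as a transitive dependency, the following added example (not from the article or from Microsoft) scans a NuGet `packages.lock.json`. It assumes the project has lock files enabled; the function names and the sample lock file are constructed for illustration.

```python
import json

PACKAGE = "Microsoft.AspNetCore.DataProtection"
AFFECTED = ((10, 0, 0), (10, 0, 6))  # inclusive range stated in the article

def classify(version):
    """Return 'affected', 'not-in-range' or 'review' for a resolved version."""
    core = version.split("+", 1)[0]           # drop build metadata
    parts = core.split(".")
    if "-" in core or len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        return "review"                       # prerelease or unparsable: check by hand
    release = tuple(int(p) for p in parts[:3])
    return "affected" if AFFECTED[0] <= release <= AFFECTED[1] else "not-in-range"

def scan_lock(lock_text):
    """List (framework, dependency type, resolved version, status) per entry."""
    findings = []
    for framework, deps in json.loads(lock_text).get("dependencies", {}).items():
        for name, info in deps.items():
            if name.lower() != PACKAGE.lower():   # NuGet ids are case-insensitive
                continue
            resolved = info.get("resolved", "")
            findings.append((framework, info.get("type"), resolved, classify(resolved)))
    return findings

# Constructed sample lock file (hypothetical project, not real data).
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "net10.0": {
            "Microsoft.AspNetCore.DataProtection": {
                "type": "Transitive", "resolved": "10.0.5"},
            "Example.Unrelated.Package": {"type": "Direct", "resolved": "10.0.2"},
        },
        "net9.0": {
            "microsoft.aspnetcore.dataprotection": {
                "type": "Direct", "resolved": "9.0.4"},
        },
        "net10.0/linux-x64": {
            "Microsoft.AspNetCore.DataProtection": {
                "type": "Transitive", "resolved": "10.0.0-rc.1.25451.107"},
        },
    },
})

if __name__ == "__main__":
    for finding in scan_lock(SAMPLE_LOCK):
        print(*finding, sep="\t")
```

A `review` status means the resolved version is a prerelease or could not be parsed, which the article's version range does not cover either way.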
A particularly concerning aspect of this vulnerability is its persistence. While applying the patch closes the initial attack vector, systems may remain compromised if malicious actors created forged authentication credentials during the window of exposure. Simply updating the software does not automatically purge these forged credentials, meaning attackers could retain SYSTEM access even after the vulnerability is technically fixed. Administrators must take additional steps to investigate and cleanse their environments.
This incident highlights the ongoing challenges in securing complex development frameworks across different operating systems. The need for immediate patching is critical, but organizations must also conduct thorough post-remediation checks to ensure no lingering threats from the period when their systems were vulnerable.
(Source: Ars Technica)




