High-severity vulnerability allows unauthenticated attackers to gain SYSTEM privileges on devices using Web development framework

Microsoft released an emergency patch for its ASP.NET Core framework to fix a high-severity vulnerability that allows unauthenticated attackers to gain SYSTEM privileges on devices using Linux or macOS.

The vulnerability, tracked as CVE-2026-40372, affects versions 10.0.0 through 10.0.6 of the Microsoft.AspNetCore.DataProtection NuGet package, a critical component of the framework. The flaw stems from a faulty verification of cryptographic signatures that can be exploited to forge authentication payloads during the…

Even after patching, devices may still be compromised if authentication credentials created by a threat actor aren’t purged. Users who ran a vulnerable version of the package are left open to an attack that would allow unauthenticated people to gain sensitive SYSTEM privileges, allowing full compromise of the underl…

Microsoft describes ASP.NET Core as a high-performance Web development framework for writing .Net apps that run on various operating systems, including Windows, macOS, Linux, and Docker. The company advises users who rely on this framework to update the Microsoft.AspNetCore.DataProtection package to 10.0.7 as soon a…

What matters

• CVE-2026-40372 affects versions 10.0.0 through 10.0.6 of Microsoft.AspNetCore.DataProtection NuGet package
• Vulnerability can be exploited to forge authentication payloads and gain sensitive SYSTEM privileges
• Affected users must update the package to 10.0.7 as soon as possible

Why it matters

Affected users must update the package to 10.0.7 as soon as possible

This GenAI News article was prepared in original wording using reporting and materials published by Ars Technica. Source reference: https://arstechnica.com/security/2026/04/microsoft-issues-emergency-update-for-macos-and-linux-asp-net-threat/.

Drafted by the GenAI News review pipeline.