Home / Technology / Microsoft Fixes Critical ASP.NET Core Bug
Microsoft Fixes Critical ASP.NET Core Bug
23 Apr
Summary
- Unauthenticated attackers could gain SYSTEM privileges.
- Flaw stems from faulty verification of cryptographic signatures.
- Users must update and rotate keys to fully resolve.
Microsoft has issued an urgent patch for its ASP.NET Core framework to combat a high-severity vulnerability, CVE-2026-40372. This flaw could grant unauthenticated attackers SYSTEM privileges on Linux and macOS environments running the development framework.
The vulnerability resides in specific versions of the Microsoft.AspNetCore.DataProtection NuGet package, stemming from an improper verification of cryptographic signatures. This allowed attackers to forge authentication payloads, potentially leading to the compromise of underlying machines. Even after patching, forged credentials may persist if not purged.
Microsoft advises that applications using ASP.NET Core Data Protection should update the relevant package to version 10.0.7 immediately. For affected non-Windows users, rotating the DataProtection key ring is also crucial. Auditing application-level artifacts created during the vulnerable period is recommended to ensure complete security.
