Microsoft issues emergency update for macOS and Linux ASP.NET threat

Microsoft released an emergency, out-of-band security update on April 21, 2026: .NET 10.0.7, which addresses CVE-2026-40372, an elevation of privilege vulnerability in the ASP.NET Core Data Protection cryptographic APIs. The flaw has a CVSS base score of 9.1 and a Microsoft severity rating of Important. It affects every version of the Microsoft.AspNetCore.DataProtection NuGet package from 10.0.0 through 10.0.6 and matters most on Linux, macOS and other non-Windows operating systems, where the package's managed authenticated encryptor, the component named in the release notes, handles the cryptography. Teams running ASP.NET Core applications on those platforms are urged to update and redeploy immediately.

How the Vulnerability Was Discovered

CVE-2026-40372 was not identified through routine security research alone. It surfaced after Microsoft's regular April 2026 Patch Tuesday release, .NET 10.0.6, triggered a wave of user-reported decryption failures in ASP.NET Core applications, tracked publicly in ASP.NET Core issue #66335. While investigating the root cause, Microsoft engineers found a deeper problem: a security regression present in every version of the Microsoft.AspNetCore.DataProtection package from 10.0.0 through 10.0.6.

Microsoft's .NET 10.0.7 release notes describe the regression precisely: "A regression in the Microsoft.AspNetCore.DataProtection 10.0.0-10.0.6 NuGet packages causes the managed authenticated encryptor to compute its HMAC validation tag over the wrong bytes of the payload and then discard the computed hash in some cases." In plain terms, the integrity check that is supposed to prove a protected payload has not been altered was computed over the wrong input, and in some code paths its result was thrown away. The effect is that the authenticity check could pass for payloads an attacker had modified, so an attacker could forge payloads the library would accept.

An anonymous researcher is credited with discovering and reporting CVE-2026-40372, according to The Hacker News.

What Attackers Can Do, and Who Is at Risk

Microsoft's advisory classifies the vulnerability under CWE-347, Improper Verification of Cryptographic Signature: "Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network."

According to The Hacker News, exploitation requires three conditions to hold at once: the application must use a vulnerable Microsoft.AspNetCore.DataProtection package from NuGet (The Hacker News cites 10.0.6), either directly or as a transitive dependency; that NuGet copy, rather than the one in the shared framework, must be the copy actually loaded at runtime; and the application must run on Linux, macOS or another non-Windows operating system. Windows deployments that use Windows-native cryptography rather than the NuGet package's managed encryptor are not exposed in the same way.

When those conditions are met, an unauthenticated attacker can use the broken HMAC validation to forge authentication cookies and gain SYSTEM-level privileges on the affected device, according to BleepingComputer. The blast radius is wide because the Data Protection APIs protect far more than cookies: antiforgery tokens, OpenID Connect state parameters, TempData and other sensitive application payloads all depend on them.

CISA's ADP Vulnrichment data assesses the vulnerability as Automatable: yes with Technical Impact: total, meaning exploitation can be scripted and run at scale rather than requiring hands-on effort per target. Microsoft's GitHub advisory adds one practical constraint: the padding-oracle technique involved requires many requests per byte recovered, orders of magnitude more than normal traffic for the targeted endpoint. That does not prevent exploitation, but it slows it down and makes it visible in request logs.

Microsoft has drawn a direct historical comparison. According to the GitHub security advisory (dotnet/announcements#395), the vulnerability is "comparable in capability to MS10-070, which exploited a similar padding-oracle condition in ASP.NET's legacy encryption infrastructure." MS10-070, from 2010, let attackers decrypt and tamper with encrypted data in ASP.NET web applications, a reference point that shows how seriously Microsoft is treating CVE-2026-40372.

Upgrading Is Not Enough on Its Own

Microsoft's remediation guidance goes beyond installing the update. Rahul Bhandari of Microsoft warned all customers to update the Microsoft.AspNetCore.DataProtection package to 10.0.7 as soon as possible and to redeploy their applications so that the fixed validation routine is the one actually running.

There is a second step that upgrading alone does not cover. Microsoft's security advisory states: "Those tokens remain valid after upgrading to 10.0.7 unless the DataProtection key ring is rotated." Any token an attacker forged while the vulnerable version was running keeps working against the patched application until the keys used to issue and validate it are rotated. Key ring rotation is therefore a required incident-response step, not optional hardening, wherever the application may have been exposed during the vulnerable period. Rotating the key ring also invalidates legitimate sessions and tokens protected under the old keys, so plan for users to sign in again.

Container images for .NET 10.0.7 have been updated on the Microsoft Container Registry, according to CyberSecurity News. Application logs should also be audited for anomalous high-volume requests against authenticated endpoints during the period when vulnerable versions were in use.

A Pattern of Out-of-Band ASP.NET Core Security Fixes

CVE-2026-40372 arrives less than six months after Microsoft's previous emergency ASP.NET Core patch. In October 2025, Microsoft fixed CVE-2025-55315, an HTTP request smuggling vulnerability in the Kestrel web server; according to BleepingComputer, it carried the highest severity rating ever assigned to an ASP.NET Core vulnerability at the time.

The back-to-back out-of-band releases underline the sensitivity of cryptographic and transport-layer code in ASP.NET Core, components that sit at the intersection of authentication, authorization and data integrity. Regressions introduced during routine servicing updates have now, more than once, produced vulnerabilities serious enough to warrant patching outside the Patch Tuesday cycle.

For organizations managing large .NET application fleets, this pattern reinforces the need for patch pipelines that can absorb out-of-band updates without waiting for the next maintenance window. A monthly update cadence is not sufficient when vulnerabilities of this severity land between cycles.

What Teams Should Do Now

Microsoft's recommended remediation steps for CVE-2026-40372, from the GitHub advisory and BleepingComputer's reporting:

- Upgrade the Microsoft.AspNetCore.DataProtection NuGet package to 10.0.7 immediately, checking both direct and transitive dependencies (dotnet list package --include-transitive lists both).
- Redeploy every affected application so the patched assembly is the one loaded at runtime, not a cached or previously bundled copy.
- Rotate the DataProtection key ring to invalidate any tokens forged during the vulnerable window.
- Audit application logs for unusually high request volumes against authenticated endpoints between the first deployment of a 10.0.x package and the rollout of 10.0.7.
- For containerized workloads, pull the updated images from the Microsoft Container Registry.

The vulnerability affects Microsoft.AspNetCore.DataProtection versions 10.0.0 through 10.0.6, seven servicing releases spanning the whole .NET 10 lifecycle to date. Any ASP.NET Core application on .NET 10 that references the package and runs on Linux or macOS should be treated as potentially affected until confirmed otherwise.

The Bigger Picture for Digital Security and Productivity

Vulnerabilities like CVE-2026-40372 are a reminder that the software underpinning modern digital work, from internal applications to cloud-based tools, depends on the integrity of cryptographic libraries most users never see. When those libraries fail silently, the consequences reach beyond a single application: forged session tokens, compromised authentication flows and elevated attacker privileges can ripple across an organization. Staying informed about high-severity patches and understanding their real-world implications is a baseline requirement for anyone responsible for digital systems, in IT, security or business operations.
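The regression described under "How the Vulnerability Was Discovered" (an HMAC validation tag that is computed and then discarded) is easiest to understand with a toy protector beside a probe. The following is an added example, not code from Microsoft or the Data Protection library: a minimal AES-CBC plus HMAC-SHA256 encrypt-then-MAC routine whose Unprotect can be told to throw its tag check away, and a loop that shows why that turns CBC decryption into the padding oracle the advisory refers to. Keys and the cookie-like payload are constructed for the demonstration.

```csharp
// Added example; not code from Microsoft or the DataProtection library. A toy
// encrypt-then-MAC protector (AES-CBC + HMAC-SHA256, the shape of a managed
// authenticated encryptor) whose Unprotect can be told to compute its tag and
// then discard it, the net effect the 10.0.7 release notes describe. The probe
// loop shows why a discarded tag check turns CBC decryption into a padding oracle.
using System;
using System.Security.Cryptography;
using System.Text;

public enum Outcome { Valid, TagMismatch, PaddingError }

public static class ToyProtector
{
    const int IvLen = 16, TagLen = 32, BlockLen = 16;

    // Payload layout: IV || ciphertext || HMAC-SHA256(IV || ciphertext).
    public static byte[] Protect(byte[] encKey, byte[] macKey, byte[] plaintext)
    {
        using var aes = Aes.Create();
        aes.Key = encKey;
        byte[] iv = RandomNumberGenerator.GetBytes(IvLen);
        byte[] ct = aes.EncryptCbc(plaintext, iv, PaddingMode.PKCS7);
        byte[] payload = new byte[IvLen + ct.Length + TagLen];
        iv.CopyTo(payload, 0);
        ct.CopyTo(payload, IvLen);
        byte[] tag = HMACSHA256.HashData(macKey, payload.AsSpan(0, IvLen + ct.Length));
        tag.CopyTo(payload, IvLen + ct.Length);
        return payload;
    }

    // checkTag = true is the correct path: recompute the tag over IV || ciphertext,
    // compare it in constant time and never run the cipher on a mismatch.
    // checkTag = false models the regression: the tag is still computed, but its
    // result is discarded, so attacker-modified bytes reach AES-CBC and the PKCS#7
    // padding check becomes the only thing that can reject them.
    public static Outcome Unprotect(byte[] encKey, byte[] macKey, byte[] payload,
                                    bool checkTag, out byte[]? plaintext)
    {
        plaintext = null;
        if (payload.Length < IvLen + BlockLen + TagLen) return Outcome.TagMismatch;
        int ctLen = payload.Length - IvLen - TagLen;
        byte[] computed = HMACSHA256.HashData(macKey, payload.AsSpan(0, IvLen + ctLen));
        bool tagOk = CryptographicOperations.FixedTimeEquals(computed, payload.AsSpan(IvLen + ctLen, TagLen));
        if (checkTag && !tagOk) return Outcome.TagMismatch; // the rejection the regression lost

        using var aes = Aes.Create();
        aes.Key = encKey;
        try
        {
            plaintext = aes.DecryptCbc(payload.AsSpan(IvLen, ctLen), payload.AsSpan(0, IvLen), PaddingMode.PKCS7);
            return Outcome.Valid;
        }
        catch (CryptographicException)
        {
            return Outcome.PaddingError; // "Padding is invalid and cannot be removed."
        }
    }

    // Padding-oracle probe: the last byte of the block before the final ciphertext
    // block (the IV, for a one-block message) XORs into the final plaintext byte.
    // Try all 256 values and count how many the Unprotect path reports as Valid.
    public static int CountAcceptedGuesses(byte[] encKey, byte[] macKey, byte[] payload, bool checkTag)
    {
        int ctLen = payload.Length - IvLen - TagLen;
        int target = IvLen + ctLen - BlockLen - 1;
        int accepted = 0;
        for (int guess = 0; guess < 256; guess++)
        {
            byte[] forged = (byte[])payload.Clone();
            forged[target] = (byte)guess;
            if (Unprotect(encKey, macKey, forged, checkTag, out _) == Outcome.Valid) accepted++;
        }
        return accepted;
    }

    public static void Main()
    {
        byte[] encKey = RandomNumberGenerator.GetBytes(32);
        byte[] macKey = RandomNumberGenerator.GetBytes(32);
        // Constructed sample: a cookie-like payload that pads to a single AES block.
        byte[] payload = Protect(encKey, macKey, Encoding.UTF8.GetBytes("uid=alice"));

        int strict = CountAcceptedGuesses(encKey, macKey, payload, checkTag: true);
        int broken = CountAcceptedGuesses(encKey, macKey, payload, checkTag: false);
        Console.WriteLine($"tag enforced:  {strict} of 256 tampered payloads accepted");
        Console.WriteLine($"tag discarded: {broken} of 256 tampered payloads accepted");
    }
}
```

With the tag enforced every tampered payload is rejected before the cipher runs, so the count is 0 and the attacker learns nothing. With the tag discarded, two guesses come back Valid (the original byte, and the one that makes the final plaintext byte a 0x01 pad) while the other 254 produce a padding error; that per-byte distinguishable response is the oracle, and driving it costs up to 256 requests for each plaintext byte, which is why the advisory speaks of many requests per byte recovered and why request volume is the thing to audit for.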
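Two of the steps under "What Teams Should Do Now" are easy to get wrong in practice: confirming that the patched assembly, not a NuGet copy of 10.0.0-10.0.6, is the one actually loaded on a Linux or macOS host, and rotating the key ring so tokens from the vulnerable window stop validating. The following is an added example of both in a minimal ASP.NET Core host; it is not Microsoft's guidance or library code. The key-ring directory, the ROTATE_DATAPROTECTION_KEYS switch and the fail-closed startup policy are assumptions for illustration.

```csharp
// Added example, not Microsoft's own guidance or library code. A minimal
// ASP.NET Core host that (1) checks which Microsoft.AspNetCore.DataProtection
// assembly the process actually loaded and refuses to start if it is an
// app-local NuGet copy at 10.0.0-10.0.6 on a non-Windows host, and (2) rotates
// the key ring through IKeyManager on request, revoking every existing key and
// creating a fresh one. The key-ring path, the environment-variable switch and
// the fail-closed policy are assumptions for illustration.
using System;
using System.IO;
using System.Reflection;
using System.Runtime.InteropServices;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddDataProtection()
    .PersistKeysToFileSystem(new DirectoryInfo("/var/lib/myapp/keys")); // assumed shared key-ring location
var app = builder.Build();

// (1) Which DataProtection assembly is loaded? IKeyManager lives in the
// Microsoft.AspNetCore.DataProtection assembly itself (not the Abstractions
// package). A copy under the app's own directory came from NuGet; the shared
// framework copy lives under the dotnet installation (Location is empty, hence
// app-local false, for single-file publish). AssemblyVersion stays at 10.0.0.0
// across servicing releases, so read the informational version instead.
Assembly dpAsm = typeof(IKeyManager).Assembly;
string info = dpAsm.GetCustomAttribute<AssemblyInformationalVersionAttribute>()?.InformationalVersion ?? "0.0.0";
Version ver = Version.TryParse(info.Split('+', '-')[0], out var parsed) ? parsed : new Version(0, 0, 0);
bool appLocal = dpAsm.Location.StartsWith(AppContext.BaseDirectory, StringComparison.Ordinal);
bool nonWindows = !RuntimeInformation.IsOSPlatform(OSPlatform.Windows);
bool vulnerable = appLocal && nonWindows && ver.Major == 10 && ver.Minor == 0 && ver.Build <= 6;
Console.WriteLine($"DataProtection {ver} loaded from {dpAsm.Location} (app-local: {appLocal}, non-Windows: {nonWindows})");
if (vulnerable)
    throw new InvalidOperationException("vulnerable Microsoft.AspNetCore.DataProtection loaded; rebuild against 10.0.7 and redeploy");

// (2) Key-ring rotation as incident response. RevokeAllKeys makes every payload
// protected under the existing keys (auth cookies, antiforgery tokens, OIDC
// state, TempData) fail Unprotect from now on, forged or genuine, which is the
// intent after a possible forgery window. Gate it so the rotation is deliberate
// and runs once per shared key ring, not on every instance start.
if (Environment.GetEnvironmentVariable("ROTATE_DATAPROTECTION_KEYS") == "1") // assumed switch
{
    var keyManager = app.Services.GetRequiredService<IKeyManager>();
    var now = DateTimeOffset.UtcNow;
    keyManager.RevokeAllKeys(now, reason: "CVE-2026-40372: invalidate tokens from the vulnerable window");
    IKey fresh = keyManager.CreateNewKey(activationDate: now, expirationDate: now.AddDays(90));
    Console.WriteLine($"key ring rotated: new key {fresh.KeyId} active now, expires {fresh.ExpirationDate:u}");
}

app.MapGet("/", () => "ok");
app.Run();
```

Run the rotation once from a single instance (for example ROTATE_DATAPROTECTION_KEYS=1 dotnet MyApp.dll, with the assumed switch) after every instance has been redeployed on 10.0.7; revoking before the redeploy is complete would leave a still-vulnerable instance issuing tokens under the new key. Revocation, not merely adding a key, is what invalidates forged tokens: a newly created key alone leaves the old keys valid for Unprotect, so payloads forged under them would keep working.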
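The audit step under "What Teams Should Do Now" looks for the traffic shape the GitHub advisory describes: one client sending orders of magnitude more requests to an authenticated endpoint than anyone else, most of them failing. The following is an added example, not part of the advisory or any vendor tool: it groups a simplified access log by client and path and flags clients whose request count on a path is far above the median for that path. The log-line format, the thresholds and the sample lines are all constructed for the demonstration.

```csharp
// Added example, not from the advisory or any vendor tool. Scans access-log
// lines for padding-oracle-shaped traffic: one client making far more requests
// to an endpoint than the per-client median for that endpoint, with most of
// them failing. Log format, thresholds and sample lines are assumptions.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;

public static class OracleTrafficAudit
{
    // Assumed simplified line format: "<client-ip> <ISO-timestamp> <method> <path> <status>"
    static readonly Regex Line = new(@"^(?<ip>\S+) (?<ts>\S+) (?<method>[A-Z]+) (?<path>\S+) (?<status>\d{3})$");

    public record Finding(string Ip, string Path, int Requests, int Failures, double MedianForPath);

    // factor: how many times the per-client median a client must exceed to be flagged;
    // minRequests: absolute floor so a quiet endpoint with a median of 1 does not flag everyone.
    public static List<Finding> Scan(IEnumerable<string> lines, double factor = 50, int minRequests = 1000)
    {
        var perClient = new Dictionary<(string ip, string path), (int total, int failed)>();
        foreach (var raw in lines)
        {
            var m = Line.Match(raw);
            if (!m.Success) continue;
            var key = (m.Groups["ip"].Value, m.Groups["path"].Value);
            int status = int.Parse(m.Groups["status"].Value);
            var cur = perClient.GetValueOrDefault(key);
            perClient[key] = (cur.total + 1, cur.failed + (status >= 400 ? 1 : 0));
        }

        // Median requests per client on each path is the "normal traffic" baseline.
        var median = perClient
            .GroupBy(kv => kv.Key.path)
            .ToDictionary(g => g.Key, g => Median(g.Select(kv => kv.Value.total)));

        return perClient
            .Where(kv => kv.Value.total >= minRequests && kv.Value.total >= factor * median[kv.Key.path])
            .Select(kv => new Finding(kv.Key.ip, kv.Key.path, kv.Value.total, kv.Value.failed, median[kv.Key.path]))
            .OrderByDescending(f => f.Requests)
            .ToList();
    }

    static double Median(IEnumerable<int> values)
    {
        var sorted = values.OrderBy(v => v).ToList();
        int n = sorted.Count;
        return n % 2 == 1 ? sorted[n / 2] : (sorted[n / 2 - 1] + sorted[n / 2]) / 2.0;
    }

    public static void Main()
    {
        // Constructed sample: 40 ordinary clients with five requests each to /account,
        // plus one client sending 3000 requests that almost all fail (forged-cookie guesses).
        var lines = new List<string>();
        for (int c = 0; c < 40; c++)
            for (int i = 0; i < 5; i++)
                lines.Add($"10.0.0.{c + 1} 2026-04-20T10:{i:00}:00Z GET /account 200");
        for (int i = 0; i < 3000; i++)
            lines.Add($"203.0.113.7 2026-04-20T11:00:{i % 60:00}Z GET /account {(i % 100 == 0 ? 200 : 401)}");

        foreach (var f in Scan(lines))
            Console.WriteLine($"{f.Ip} -> {f.Path}: {f.Requests} requests ({f.Failures} failed), median per client {f.MedianForPath}");
    }
}
```

On the constructed sample the scan reports a single finding, the 203.0.113.7 client with 3000 requests to /account against a per-client median of 5. Against real logs, feed it the lines for the window from the first 10.0.x deployment to the 10.0.7 rollout and tune factor and minRequests to the endpoint's normal volume; a client that trips it deserves a look at what its requests carried, since a forgery attempt looks like ordinary authenticated traffic except for its volume and failure rate.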
