Microsoft has issued an emergency update for ASP.NET Core to address a critical vulnerability, tracked as CVE-2026-40372. The flaw allows unauthenticated attackers to gain SYSTEM privileges on Linux and macOS devices. This goes into the incident report.
The vulnerability resides within the Microsoft.AspNetCore.DataProtection package, specifically versions 10.0.0 through 10.0.6. The issue is a failure in cryptographic signature verification. During the HMAC validation process—the mechanism used to ensure data has not been tampered with—an attacker can forge authentication payloads. Because the system fails to properly verify these signatures, it accepts the forged data as legitimate.
This is a CVSS 9.1-rated event. In the hierarchy of failures, this sits near the top.
The record will show that the primary risk here is not just the initial breach, but the persistence of the compromise. Microsoft’s own documentation concedes that applying the patch is insufficient for full remediation. If an attacker exploited this flaw before the patch was applied, they may have used the vulnerability to generate legitimately signed session tokens, API keys, or password reset links.
These tokens remain valid after the software is updated. The patch fixes the hole, but it does not evict the intruder who already walked through it.
Logging this for the record: to actually secure a compromised system, administrators must rotate the DataProtection key ring. This is a manual governance step that many automated update systems will skip. It represents a recurring theme in software policy: the gap between a vendor "releasing a fix" and a system actually being "fixed."
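What the rotation step looks like in practice, as an added example that is not part of this article and is not Microsoft's remediation script: it uses the public `IKeyManager` and `IDataProtectionProvider` APIs from the Microsoft.AspNetCore.DataProtection package together with Microsoft.Extensions.DependencyInjection. The application name, key directory and purpose string are placeholders, and the "pre-patch token" is constructed in the example itself to stand in for a payload an attacker minted before the update. The specific verification defect behind CVE-2026-40372 is not described here and the example does not reproduce it; it only shows why a key created after the patch does nothing on its own, and what invalidating the old keys actually requires.

```csharp
// Added example (not from the article or from Microsoft): rotating the ASP.NET Core
// DataProtection key ring so that payloads protected before the rotation stop
// validating. Assumes the Microsoft.AspNetCore.DataProtection and
// Microsoft.Extensions.DependencyInjection packages. Application name, key
// directory and purpose string are placeholders.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

var services = new ServiceCollection();
services.AddDataProtection()
    .SetApplicationName("example-app")                                    // placeholder
    .PersistKeysToFileSystem(new DirectoryInfo("/srv/example-app/keys")); // placeholder
using var provider = services.BuildServiceProvider();

var protector = provider.GetRequiredService<IDataProtectionProvider>()
    .CreateProtector("example-app.session");                              // placeholder purpose
var keyManager = provider.GetRequiredService<IKeyManager>();

// Constructed stand-in for a token minted under the pre-patch key ring.
string prePatchToken = protector.Protect("session for user 42");

// Still accepted: updating the package changes the code, not the keys.
Console.WriteLine(protector.Unprotect(prePatchToken));

// Step 1: revoke every key created up to this moment. Merely adding a new key
// would not help, because Unprotect accepts any non-revoked key in the ring,
// including expired ones.
keyManager.RevokeAllKeys(DateTimeOffset.UtcNow, "CVE-2026-40372 post-patch rotation");

// Step 2: create the replacement key that new payloads will use from now on.
keyManager.CreateNewKey(
    activationDate: DateTimeOffset.UtcNow,
    expirationDate: DateTimeOffset.UtcNow.AddDays(90));

// Anything protected before the rotation now fails to unprotect, which is the point.
try
{
    protector.Unprotect(prePatchToken);
    Console.WriteLine("ERROR: pre-rotation token still accepted");
}
catch (CryptographicException)
{
    Console.WriteLine("pre-rotation token rejected");
}

// New payloads round-trip under the fresh key.
string freshToken = protector.Protect("session for user 42");
Console.WriteLine(protector.Unprotect(freshToken));
```

Two caveats for anyone running this against a real deployment. First, each application instance caches the key ring and refreshes it on its own schedule, so the other instances sharing that key store should be restarted after the revocation rather than left to pick it up later. Second, this only invalidates artifacts that were produced through DataProtection (authentication cookies, antiforgery tokens, password reset tokens issued by the Identity token providers); any API key or credential that an attacker created and stored elsewhere during the compromise has to be found and revoked on its own.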
The framework in question, ASP.NET Core, is marketed by Microsoft as a high-performance, stable platform for cross-platform development. The marketing materials emphasize agility and support. However, the requirement for manual key rotation after a high-severity cryptographic failure places the ultimate burden of accountability on the end-user, often without the clear, loud warnings required to ensure the step is taken.
The software maker noted that the flaw stems from "faulty verification." In policy terms, this is a failure of the secure-by-design principle. When the core authentication library of a major framework is released with a flaw that allows unauthenticated SYSTEM access, the governance of the development lifecycle must be questioned.
Filed under: foreseeable. We are currently observing a trend where the speed of cross-platform expansion outpaces the rigors of cryptographic implementation. The result is a cycle of emergency patches that require manual intervention to be effective—a process that historically has a high failure rate among human administrators.
The update fixes the code. It does not fix the history of the machine.