Microsoft has issued an emergency patch for CVE-2026-40372, a high-severity vulnerability in its ASP.NET Core framework. The flaw affects versions 10.0.0 through 10.0.6 of the Microsoft.AspNetCore.DataProtection package, and only applications running on macOS and Linux are affected.
This goes in the incident report.
The vulnerability is a failure of cryptographic integrity. Specifically, the framework incorrectly verified HMAC signatures—the message authentication codes used to ensure that data has not been tampered with. Because the verification process was faulty, unauthenticated attackers could forge authentication payloads. This allowed them to bypass security checks and gain SYSTEM-level privileges. On a compromised machine, SYSTEM privileges represent total control.
The technical failure is standard. The policy implication is less so. Microsoft’s disclosure includes a significant caveat: the patch itself is insufficient for total remediation.
The record will show that while the update to version 10.0.7 closes the door, it does not necessarily evict the person who already walked through it. Microsoft stated that if an attacker exploited the flaw during the "vulnerable window," they might have induced the application to issue legitimately signed tokens—such as session refreshes or API keys—to themselves. These tokens remain valid after the software is updated.
To achieve actual security, administrators must manually rotate the DataProtection key ring.
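As an added illustration, not Microsoft's code and not the DataProtection implementation, the following Python shows why rotation is the real remediation: each token carries the id of the key that signed it, verification uses a constant-time comparison, and revoking the compromised key makes tokens minted under it fail even though their signatures are genuine. The class and method names (`KeyRing`, `rotate`, `sign`, `verify`) are assumptions for the example.

```python
import base64
import hashlib
import hmac
import secrets


class KeyRing:
    """Versioned HMAC key ring (example only). Every token names the key that
    signed it, so revoking a key invalidates all tokens issued under it."""

    def __init__(self):
        self.keys = {}       # key id -> 32-byte secret
        self.current = None  # id of the key used to sign new tokens

    def add_key(self, key_id, secret=None):
        self.keys[key_id] = secret or secrets.token_bytes(32)
        self.current = key_id

    def rotate(self, new_key_id, revoke=()):
        """Start signing with a fresh key and drop the listed old keys entirely,
        so even correctly signed tokens from the vulnerable window stop verifying."""
        for old in revoke:
            self.keys.pop(old, None)
        self.add_key(new_key_id)

    @staticmethod
    def _mac(secret, kid, payload):
        # Length-prefix the key id so different (kid, payload) splits never collide.
        msg = len(kid).to_bytes(2, "big") + kid + payload
        return hmac.new(secret, msg, hashlib.sha256).digest()

    def sign(self, payload):
        kid = self.current.encode()
        tag = self._mac(self.keys[self.current], kid, payload)
        return ".".join(base64.urlsafe_b64encode(p).decode() for p in (kid, payload, tag))

    def verify(self, token):
        """Return the payload if the token is intact and signed by a live key, else None."""
        try:
            kid, payload, tag = (base64.urlsafe_b64decode(p) for p in token.split("."))
            key_id = kid.decode()
        except ValueError:  # malformed token: bad base64, wrong part count, bad key id
            return None
        secret = self.keys.get(key_id)
        if secret is None:
            return None  # key unknown or revoked: the tag may be genuine, but it is dead
        expected = self._mac(secret, kid, payload)
        # Constant-time comparison; any mismatch is a hard reject, never "close enough".
        if not hmac.compare_digest(expected, tag):
            return None
        return payload
```

Patching the verifier fixes the check; only `rotate(..., revoke=[...])` retires tokens that were legitimately issued while the check was broken.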
This is where the burden of security shifts. It is one thing to ask a user to run an automated update. It is another to require a manual administrative action to invalidate potentially compromised credentials that look identical to legitimate ones. For many organizations, the "vulnerable window" is an unknown variable. They are being asked to assume they were breached and act accordingly.
Microsoft markets ASP.NET Core as a stable, high-performance platform designed for rapid evolution. This incident suggests that the speed of evolution may be outpacing the rigor of the verification process. When a core security package—one explicitly named "DataProtection"—fails to protect data due to a fundamental signature error, the governance of the development lifecycle must be questioned.
Filed under: foreseeable.
The emergency nature of this release confirms the severity. The requirement for manual key rotation confirms the complexity. We are currently observing a trend where the fix for a systemic error creates a secondary, administrative labor requirement for the end user. The provider writes the bug; the user manages the fallout.
The archive should note that "SYSTEM privileges" is a polite way of saying the house no longer belongs to the owner.