Microsoft released an emergency patch for ASP.NET Core addressing CVE-2026-40372, a high-severity vulnerability in the Microsoft.AspNetCore.DataProtection NuGet package (versions 10.0.0–10.0.6). The flaw stems from faulty cryptographic signature verification: unauthenticated attackers can forge the authentication payloads that DataProtection is supposed to validate and gain full system privileges on Linux and macOS. A critical post-patch warning: even after upgrading to 10.0.7, systems may remain compromised if tokens forged during the vulnerable window are not invalidated, because the patch fixes verification but does not revoke anything already issued. Microsoft recommends rotating the DataProtection key ring to revoke any attacker-issued tokens, such as session tokens, API keys, or password reset links.
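The key ring rotation recommended above, as an added example (not Microsoft's code and not part of the original notice): it revokes every existing Data Protection key, creates a fresh one, and checks that a payload protected under the old keys now fails to unprotect. The key directory, application name and sample token are constructed for the demo; a package version of 10.0.7 or later is assumed.

```csharp
// Added example: rotate the ASP.NET Core Data Protection key ring after CVE-2026-40372.
// Assumes Microsoft.AspNetCore.DataProtection >= 10.0.7 is referenced; the key directory
// below is a constructed demo path. In production it must be the store shared by all instances.
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

var keyDir = new DirectoryInfo(Path.Combine(Path.GetTempPath(), "dp-rotation-demo"));
var services = new ServiceCollection();
services.AddDataProtection()
    .SetApplicationName("demo-app")          // constructed; must match every instance sharing the ring
    .PersistKeysToFileSystem(keyDir);
using var sp = services.BuildServiceProvider();

var protector = sp.GetRequiredService<IDataProtectionProvider>().CreateProtector("session");
var keyManager = sp.GetRequiredService<IKeyManager>();

// A payload protected while the vulnerable package was still in use (constructed sample).
string oldToken = protector.Protect("user=alice;role=admin");
Console.WriteLine($"Before rotation: {protector.Unprotect(oldToken)}");

// 1. Revoke every key created up to now. The revocation record is persisted in the key ring,
//    so other instances sharing the store apply it once they reload the ring.
keyManager.RevokeAllKeys(DateTimeOffset.UtcNow, reason: "post-CVE-2026-40372 key ring rotation");

// 2. Create a replacement key that is active immediately; new payloads are protected with it.
IKey newKey = keyManager.CreateNewKey(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddDays(90));

// 3. Verify the ring state as reloaded from the store: only the new key may be unrevoked.
var ring = keyManager.GetAllKeys();
foreach (var k in ring)
    Console.WriteLine($"key {k.KeyId} created {k.CreationDate:u} revoked={k.IsRevoked}");
if (ring.Single(k => k.KeyId == newKey.KeyId).IsRevoked)
    throw new InvalidOperationException("replacement key was caught by the mass revocation");

// 4. Payloads under the old keys now fail closed; new payloads round-trip normally.
try
{
    protector.Unprotect(oldToken);
    Console.WriteLine("UNEXPECTED: old token still validates");
}
catch (CryptographicException e)
{
    Console.WriteLine($"Old token rejected: {e.Message}");
}
string newToken = protector.Protect("user=alice;role=admin");
Console.WriteLine($"After rotation: {protector.Unprotect(newToken)}");
```

Instances that share the key store but are not the process that ran the rotation only pick up the revocation at their next key ring refresh (24 hours by default) or on restart, so restart them as part of the rotation. Mass revocation also invalidates every legitimate session and reset link, which is the intended effect after a compromise of the signing keys.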