HeadlinesBriefing.com

Microsoft ASP.NET Vulnerability Poses System Risk

Ars Technica

Microsoft issued an emergency patch for ASP.NET Core to address a critical flaw allowing unauthenticated attackers to gain SYSTEM privileges on Linux and macOS devices. The vulnerability, CVE-2026-40372, affects DataProtection NuGet package versions 10.0.0 through 10.0.6, which are used to secure authentication processes in .NET applications. Exploiting a flaw in cryptographic signature validation, attackers could forge credentials to escalate privileges and compromise systems.

Linux and macOS users running vulnerable ASP.NET Core versions face lingering risks even after updating to 10.0.7. Microsoft warned that forged tokens issued during the attack window—such as session refresh or password reset links—remain valid post-patch unless the DataProtection key ring is rotated. This persistence of compromised credentials creates a unique challenge for administrators.

The flaw underscores the importance of cryptographic hygiene in cross-platform development. ASP.NET Core, a high-performance framework supporting Windows, Linux, macOS, and Docker, enables rapid application updates but requires rigorous security practices. Developers must now audit and refresh cryptographic keys to fully mitigate risks, as the patch alone does not retroactively invalidate malicious tokens.
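What the key ring rotation described in the two paragraphs above looks like in code, as an added example that is not from the article or from Microsoft's advisory: it uses ASP.NET Core's IKeyManager to revoke every key that existed during the exposure window, starts a fresh key, and checks that a token protected before the rotation is now rejected. The key directory, application name, purpose string and revocation reason are assumptions; a real run must point at the application's actual key store and use the same persistence and key-encryption settings the application uses.

```csharp
// Added example (not the article's or Microsoft's code): rotate the DataProtection
// key ring so tokens forged before the patch stop validating. Paths and names are assumptions.
using System;
using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

var services = new ServiceCollection();
services.AddDataProtection()
    .SetApplicationName("example-app")                                        // assumption: must match the app
    .PersistKeysToFileSystem(new DirectoryInfo("/var/lib/example-app/keys")); // assumption: the app's key store
using var provider = services.BuildServiceProvider();

var keyManager = provider.GetRequiredService<IKeyManager>();
var protector = provider.GetDataProtector("Example.PasswordReset"); // purpose string is an assumption

// Stands in for anything protected by the old key ring (reset link, refresh token, auth cookie).
string oldToken = protector.Protect("reset:user@example.test");

// Every key created before this instant could have been abused during the exposure window:
// revoke them all and create a replacement that becomes active immediately.
var now = DateTimeOffset.UtcNow;
keyManager.RevokeAllKeys(now, reason: "post-CVE-2026-40372 key ring rotation");
keyManager.CreateNewKey(activationDate: now, expirationDate: now.AddDays(90));

// Audit trail: list every key with its activation date and revocation state.
foreach (var key in keyManager.GetAllKeys())
    Console.WriteLine($"{key.KeyId} active={key.ActivationDate:u} revoked={key.IsRevoked}");

// Payloads protected with a revoked key now fail to unprotect. This is deliberate and
// also hits legitimate sessions and reset links: users re-authenticate or re-request them.
try
{
    protector.Unprotect(oldToken);
    Console.WriteLine("UNEXPECTED: old token still accepted");
}
catch (CryptographicException)
{
    Console.WriteLine("old token rejected after rotation");
}

// The new key ring protects and unprotects normally.
string newToken = protector.Protect("reset:user@example.test");
Console.WriteLine(protector.Unprotect(newToken));
```

A separately running application process keeps a cached copy of the key ring (refreshed every 24 hours by default), so restart the application instances after rotating rather than waiting for them to notice the revocation.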

This incident highlights the evolving threat landscape for web development tools. While Microsoft’s prompt response mitigates immediate dangers, the vulnerability’s design flaw—rooted in signature verification weaknesses—demands industry-wide scrutiny of authentication mechanisms in open-source ecosystems.