Microsoft Issues Emergency Update for macOS and Linux ASP.NET Threat
Microsoft said attackers could forge authentication cookies through a cryptographic flaw, and warned that versions 10.0.0 through 10.0.6 are affected.
- On Tuesday, Microsoft senior program manager Rahul Bhandari warned customers using ASP.NET Core Data Protection to update to 10.0.7, which fixes CVE-2026-40372, a flaw that allows unauthenticated attackers to gain SYSTEM privileges.
- Microsoft discovered the flaw following user reports of decryption failures after this month's Patch Tuesday, affecting NuGet packages 10.0.0 through 10.0.6 where HMAC validation tags are computed over incorrect bytes.
- Unauthenticated attackers can exploit the vulnerability to decrypt protected payloads in cookies, antiforgery tokens, and OIDC state; Microsoft warned attackers may have induced applications to issue legitimately-signed tokens to themselves.
- Devices remain vulnerable even after upgrading to 10.0.7 if authentication credentials created by a threat actor were not purged, as tokens remain valid unless the DataProtection key ring is rotated.
- This incident follows a Kestrel web server bug fixed in October; security teams must redeploy immediately to fix the validation routine and prevent exploitation of cryptographic APIs.
11 Articles
Microsoft issues emergency update for macOS and Linux ASP.NET threat
Microsoft released an emergency patch for its ASP.NET Core to fix a high-severity vulnerability that allows unauthenticated attackers to gain SYSTEM privileges on devices that use the Web development framework to run Linux or macOS apps. The software maker said Tuesday evening that the vulnerability, tracked as CVE-2026-40372, affects versions 10.0.0 through 10.0.6 of the Microsoft.AspNetCore.DataProtection NuGet, a package that’s part of the fr…
A few days ago, Microsoft released emergency patches for Windows Server, and now another out-of-band update is available. This time, it's an emergency patch for .NET that addresses a critical vulnerability identified as CVE-2026-40372. According to the IT security news portal Bleeping Computer, hackers can exploit this vulnerability to gain full access to the system via forged authentication cookies. The new version of .NET is designated 10.0.7 …
Microsoft out-of-band updates fixed critical ASP.NET Core privilege escalation flaw - National Cyber Security Consulting
Pierluigi Paganini, April 22, 2026. Microsoft fixed critical ASP.NET Core vulnerability, tracked as CVE-2026-40372 (CVSS score of 9.1), that lets attackers escalate privileges. Microsoft released out-of-band updates to address a serious ASP.NET Core vulnerability tracked as CVE-2026-40372 (CVSS score of 9.1). Microsoft fixed the flaw […]
Microsoft issues out-of-band patch for critical security flaw in update to ASP.NET Core
Developers are advised to check their applications after Microsoft revealed that last week’s ASP.NET Core update inadvertently introduced a serious security flaw into the web framework’s Data Protection Library. Microsoft describes the issue as a “regression,” coding jargon for an update that breaks something that was previously working correctly. In this case, what was introduced was a CVSS 9.1-rated critical vulnerability, identified as CVE-20…
CVE-2026-40372: Microsoft Patches ASP.NET Core Privilege Escalation Vulnerability
Microsoft has released an out-of-band update to fix an ASP.NET Core vulnerability that could allow attackers to take full control of affected systems. The flaw enables unauthenticated privilege escalation, increasing risk for enterprises running .NET workloads. “Improper verification of cryptographic signature in ASP.NET Core allows an unauthorized attacker to elevate privileges over a network,” said Microsoft in its advisory. Inside CVE-2026-…





