Microsoft Issued an Emergency Patch for a Critical ASP.NET Core Flaw Affecting macOS and Linux

Microsoft issued an emergency out-of-band patch on April 21, 2026 for CVE-2026-40372, a critical vulnerability in ASP.NET Core's DataProtection NuGet packages affecting Linux and macOS systems. The flaw — introduced as a regression in versions 10.0.0 through 10.0.6 — allows attackers to forge encrypted payloads, effectively breaking the authentication protection that ASP.NET relies on for cookies, antiforgery tokens, and other sensitive data. CVSS score: 9.1.
What the Vulnerability Does
ASP.NET Core's DataProtection library encrypts and authenticates the values the framework hands out and later has to trust again: authentication cookies, session tokens, and antiforgery tokens. Its Unprotect step is supposed to reject any payload that was not produced with the application's key. CVE-2026-40372 allows an attacker who can observe or intercept protected data to forge payloads that pass that check, bypassing the authentication layer without ever learning the key.
The vulnerability is a regression: it was introduced in ASP.NET Core 10.0.0 and persists through 10.0.6. Applications running on Windows are not affected — only Linux and macOS deployments, which is why the patch was issued out-of-band rather than held for the next Patch Tuesday cycle.
Who Is Affected
Any ASP.NET Core application running version 10.0.0 through 10.0.6 on Linux or macOS is potentially vulnerable. Cloud deployments on Linux, which account for a large share of ASP.NET Core production environments, are the primary risk surface. The fix is in version 10.0.7, released April 21, 2026.
What to Do
Update to ASP.NET Core 10.0.7 immediately. Framework-dependent apps pick up the fix when the shared runtime on the host is updated; apps that reference the Microsoft.AspNetCore.DataProtection packages directly, and self-contained or container deployments that bundle the runtime, need to be rebuilt and redeployed against 10.0.7. If you cannot update immediately, take stock of everything your application protects with DataProtection (authentication cookies, antiforgery tokens, anything passed through Protect and Unprotect) and what an attacker could reach by forging those values, but the patch is the only complete remediation. Given the CVSS score of 9.1 and the authentication bypass potential, this should be treated as a critical-priority patch regardless of your normal update cadence.
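Before and after patching it helps to confirm what is actually installed rather than assuming. The script below is an added example, not code from Microsoft's advisory: it checks `dotnet --list-runtimes` output and .csproj package references against the 10.0.0 through 10.0.6 range stated above. The sample runtime listing and project file are constructed, and the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not from the advisory: flag ASP.NET Core runtimes and
# DataProtection package references in the affected 10.0.0-10.0.6 range.
# Helper names and the sample inputs below are this example's own.

# Returns 0 (true) if a version string falls in 10.0.0..10.0.6, else 1.
is_affected_version() {
  v=$1
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  patch=${patch%%-*}   # drop a prerelease suffix such as 10.0.7-rc.1 -> 7
  [ "$major" = "10" ] && [ "$minor" = "0" ] && [ "$patch" -le 6 ]
}

# Reads `dotnet --list-runtimes` lines on stdin, prints each affected
# Microsoft.AspNetCore.App version (one per line).
affected_runtimes() {
  while read -r name ver _; do
    [ "$name" = "Microsoft.AspNetCore.App" ] || continue
    is_affected_version "$ver" && printf '%s\n' "$ver"
  done || true
}

# Reads .csproj XML on stdin, prints "<package> <version>" for explicit
# Microsoft.AspNetCore.DataProtection* references in the affected range.
affected_package_refs() {
  grep -E 'PackageReference[^>]*Include="Microsoft\.AspNetCore\.DataProtection' |
  while IFS= read -r line; do
    name=$(printf '%s\n' "$line" | sed -n 's/.*Include="\([^"]*\)".*/\1/p')
    ver=$(printf '%s\n' "$line" | sed -n 's/.*Version="\([^"]*\)".*/\1/p')
    [ -n "$ver" ] && is_affected_version "$ver" && printf '%s %s\n' "$name" "$ver"
  done || true
}

# Constructed sample inputs, shaped like a vulnerable Linux host would show.
SAMPLE_RUNTIMES='Microsoft.AspNetCore.App 8.0.11 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 10.0.4 [/usr/share/dotnet/shared/Microsoft.AspNetCore.App]
Microsoft.NETCore.App 10.0.4 [/usr/share/dotnet/shared/Microsoft.NETCore.App]'
SAMPLE_CSPROJ='<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.DataProtection.StackExchangeRedis" Version="10.0.2" />
    <PackageReference Include="Serilog.AspNetCore" Version="9.0.0" />
  </ItemGroup>
</Project>'

echo "Affected runtimes in sample:"
printf '%s\n' "$SAMPLE_RUNTIMES" | affected_runtimes
echo "Affected package references in sample:"
printf '%s\n' "$SAMPLE_CSPROJ" | affected_package_refs

# Live check on this host, if the SDK is present.
if command -v dotnet >/dev/null 2>&1; then
  echo "Affected runtimes on this host:"
  dotnet --list-runtimes | affected_runtimes
fi
```

Run the same project scan over every .csproj in a repository with `find . -name '*.csproj' -exec cat {} + | affected_package_refs`, and pair it with `dotnet list package --vulnerable` once the advisory is in the NuGet vulnerability feed. Note that a clean runtime listing on a build host says nothing about self-contained or container images, which carry their own copy of the runtime and must be rebuilt.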
My Take
A CVSS 9.1 authentication bypass in a widely-deployed web framework is exactly the kind of vulnerability that gets exploited quickly once details are public. The fact that it only affects Linux and macOS — not Windows — meant Microsoft could not fold it into Patch Tuesday without leaving non-Windows deployments exposed for weeks. The out-of-band release was the right call. Patch now.
Related Articles
- CISA Is Ordering Federal Agencies to Patch a Microsoft Defender Zero-Day
- Vercel Confirms Customer Data Was Stolen Before Its Breach Was Even Detected