RC RANDOM CHAOS

Microsoft patches critical ASP.NET Core flaw letting attackers forge SYSTEM-level auth

via Ars Technica

Original source: "Microsoft issues emergency update for macOS and Linux ASP.NET threat" (Ars Technica)

Microsoft pushed an emergency fix for CVE-2026-40372, a high-severity bug in the Microsoft.AspNetCore.DataProtection NuGet package (versions 10.0.0 through 10.0.6) used by ASP.NET Core apps on Linux and macOS. The root cause is broken cryptographic signature verification in the HMAC validation path, which lets an unauthenticated attacker forge authentication payloads and escalate to SYSTEM on the underlying host — full machine compromise from the network, no credentials required.

The nastier wrinkle is post-patch persistence. While the vulnerable version was deployed, an attacker who forged their way in as a privileged user could have coaxed the application into minting legitimately signed artifacts (session refresh tokens, API keys, password reset links) issued to themselves. Upgrading to 10.0.7 closes the forgery vector but does not invalidate those tokens. They remain trusted until the DataProtection key ring is rotated, meaning operators who only patch are still carrying live attacker credentials.

For any shop running ASP.NET Core on Linux or macOS, patching is step one and key-ring rotation is step two. Without the rotation, the incident isn’t actually closed — it’s just hidden behind a fixed binary.
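As an added illustration (not code from the Ars Technica article or from Microsoft), here is how an operator could carry out step two with the DataProtection IKeyManager API: every key that existed before the patched build went live is revoked, so payloads protected with it stop validating, and a fresh key is minted. The application name, key directory and cutoff time are assumptions and must match the real deployment.

```csharp
// Added example: revoke pre-patch DataProtection keys and mint a new one.
using System;
using System.IO;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.DataProtection.KeyManagement;
using Microsoft.Extensions.DependencyInjection;

static class KeyRingRotation
{
    // patchedAt: the moment the 10.0.7 build went live (assumed value below).
    public static void RevokeAndRotate(IKeyManager keyManager, DateTimeOffset patchedAt)
    {
        // Every key created before patchedAt is treated as revoked. Unprotect()
        // on a payload protected with a revoked key throws, which is what
        // finally invalidates tokens an attacker minted while the flaw was live.
        keyManager.RevokeAllKeys(patchedAt, reason: "CVE-2026-40372 remediation");

        // Create a replacement key that is active immediately; 90 days matches
        // the default key lifetime used by the built-in rolling behaviour.
        var now = DateTimeOffset.UtcNow;
        keyManager.CreateNewKey(activationDate: now, expirationDate: now.AddDays(90));
    }

    public static void Main()
    {
        // The key store must be configured exactly as the production app
        // configures it, otherwise a different key ring gets rotated.
        var services = new ServiceCollection();
        services.AddDataProtection()
                .SetApplicationName("my-app")                         // assumption
                .PersistKeysToFileSystem(new DirectoryInfo("/var/lib/my-app/keys")); // assumption
        using var provider = services.BuildServiceProvider();
        var keyManager = provider.GetRequiredService<IKeyManager>();

        RevokeAndRotate(keyManager, patchedAt: DateTimeOffset.UtcNow);

        // Show the resulting ring so the operator can confirm the revocations.
        foreach (var key in keyManager.GetAllKeys())
            Console.WriteLine($"{key.KeyId} revoked={key.IsRevoked} active={key.ActivationDate:u}");
    }
}
```

Revocation invalidates every payload protected with those keys, including legitimate users' auth cookies and any other protected state, so expect a forced re-login and re-issue of remaining tokens. If the app persists keys to Redis, Azure Blob or a database rather than the file system, point the builder at that store instead.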


This is an AI-generated summary. Read the original for the full story.