Microsoft · Ars Technica
Microsoft issues emergency update for macOS and Linux ASP.NET threat
Compiled by KHAO Editorial — aggregated from 1 outlet.
Key facts
- The software maker said Tuesday evening that the vulnerability, tracked as CVE-2026-40372, affects versions 10.0.0 through 10.0.6 of the Microsoft
- The maximum severity rating for CVE-2026-40372 is 9.1 out of 10
- Affected users are primarily those who used version 10.0.6 that was loaded at runtime on macOS, Linux, or any other non-Windows OS
- DataProtection package to 10.0.7 as soon as possible to address the decryption regression and security vulnerability,” Microsoft advised
Summary
Microsoft released an emergency patch for its ASP.NET Core to fix a high-severity vulnerability that allows unauthenticated attackers to gain SYSTEM privileges on devices that use the Web development framework to run Linux or macOS apps. The software maker said Tuesday evening that the vulnerability, tracked as CVE-2026-40372, affects versions 10.0.0 through 10.0.6 of the Microsoft. It can be exploited to allow unauthenticated attackers to forge authentication payloads during the HMAC validation process, which is used to verify the integrity and authenticity of data exchanged between a client and a server. During the time users ran a vulnerable version of the package, they were left open to an attack that would allow unauthenticated people to gain sensitive SYSTEM privileges that would allow full compromise of the underlying machine.
Microsoft describes ASP.NET Core as a “high-performance” web development framework for writing.
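A check for the version range stated above, as an added example that is not from Microsoft or the original article: it reads the `libraries` section of a published .NET app's `.deps.json` manifest and flags copies of the package in 10.0.0 through 10.0.6. The package id `Microsoft.AspNetCore.DataProtection` is an assumption (the name is truncated on this page), as are the function names and the constructed sample manifests.

```python
import json

# Affected range and fixed version as stated on this page.
AFFECTED_MIN = (10, 0, 0)
AFFECTED_MAX = (10, 0, 6)
FIXED = "10.0.7"

# Assumption: the page truncates the package name; this NuGet id is assumed
# here and can be overridden through the package_id parameter.
ASSUMED_PACKAGE_ID = "Microsoft.AspNetCore.DataProtection"


def parse_version(text):
    """Return (major, minor, patch); pre-release and build labels are ignored,
    so '10.0.0-rc.1' is treated as 10.0.0 (a conservative assumption)."""
    core = text.split("+", 1)[0].split("-", 1)[0]
    parts = core.split(".")
    if len(parts) < 3 or not all(p.isdigit() for p in parts[:3]):
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in parts[:3])


def find_affected(deps_json_text, package_id=ASSUMED_PACKAGE_ID):
    """List (library key, verdict) for every copy of package_id in a .deps.json."""
    doc = json.loads(deps_json_text)
    findings = []
    for key in doc.get("libraries", {}):       # keys look like "Name/Version"
        name, _, version = key.partition("/")
        if name.lower() != package_id.lower():  # NuGet ids are case-insensitive
            continue
        try:
            in_range = AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX
        except ValueError:
            findings.append((key, "unparsed version, check manually"))
            continue
        verdict = f"affected, update to {FIXED}" if in_range else "outside affected range"
        findings.append((key, verdict))
    return findings


# Constructed sample manifests (not taken from a real application).
SAMPLE_VULNERABLE = json.dumps({"libraries": {
    "MyApp/1.0.0": {"type": "project"},
    "Microsoft.AspNetCore.DataProtection/10.0.6": {"type": "package"},
}})
SAMPLE_PATCHED = json.dumps({"libraries": {
    "microsoft.aspnetcore.dataprotection/10.0.7": {"type": "package"},
}})

if __name__ == "__main__":
    for label, text in (("vulnerable", SAMPLE_VULNERABLE), ("patched", SAMPLE_PATCHED)):
        print(label, find_affected(text))
```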