Dispatch
Microsoft Issues Emergency Out-of-Band Patch for CVE-2026-40372 — CVSS 9.1 ASP.NET Core Authentication Bypass on macOS/Linux
Microsoft released .NET 10.0.7 as an emergency out-of-band update for CVE-2026-40372, a critical (CVSS 9.1) privilege escalation flaw in ASP.NET Core's Data Protection library. A bug in .NET 10.0.6's ManagedAuthenticatedEncryptor computes HMAC validation tags with an incorrect offset, allowing unauthenticated attackers to forge authentication cookies and gain SYSTEM privileges. Affects macOS, Linux, and Windows systems using custom crypto algorithms. Exposed apps must rotate DataProtection key rings immediately.
Source
↳ Follow the thread