A critical vulnerability in Microsoft's ASP.NET Core, tracked as CVE-2026-40372, has prompted an emergency update for macOS and Linux systems. The high-severity flaw affects versions 10.0.0 through 10.0.6 of the Microsoft.AspNetCore.DataProtection NuGet package and allows unauthenticated attackers to gain SYSTEM privileges by exploiting a faulty verification of cryptographic signatures [1]. It can be leveraged to compromise devices running Linux or macOS apps that use the ASP.NET Core framework. Microsoft has released a patch, and practitioners should prioritize applying it, because exploitation could have severe consequences for affected systems. The exploitation status of CVE-2026-40372 is currently under discussion, with Microsoft closely monitoring the situation.
Microsoft issues emergency update for macOS and Linux ASP.NET threat
⚠️ Critical Alert
Why This Matters
CVE-2026-40372 is in active discussion involving Microsoft — exploitation status determines whether this is patch-now or monitor.
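To find deployments that reference the affected package versions named above (10.0.0 through 10.0.6), the following added example, which is not from Microsoft or the original article, scans published `*.deps.json` files. It assumes the package is listed under the `libraries` key as `Name/Version` and compares pre-release versions by their numeric core only.

```python
import json
import re
import sys
from pathlib import Path

PACKAGE = "microsoft.aspnetcore.dataprotection"          # package named on the page
FIRST_AFFECTED, LAST_AFFECTED = (10, 0, 0), (10, 0, 6)   # range given on the page
VERSION_CORE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def is_affected(version):
    """True if the numeric core of `version` lies in the affected range.

    Assumption: suffixes such as -rc.1 are ignored, so pre-release builds of
    an affected version are flagged for review rather than silently skipped.
    """
    m = VERSION_CORE.match(version.strip())
    if not m:
        return False
    return FIRST_AFFECTED <= tuple(int(p) for p in m.groups()) <= LAST_AFFECTED


def scan_deps(doc):
    """Return the sorted affected versions listed in one parsed deps.json."""
    libraries = doc.get("libraries", {}) if isinstance(doc, dict) else {}
    hits = set()
    for key in libraries:
        name, _, version = key.partition("/")
        if name.lower() == PACKAGE and is_affected(version):
            hits.add(version)
    return sorted(hits)


def scan_tree(root):
    """Map each *.deps.json under `root` to the affected versions it lists."""
    findings = {}
    for path in Path(root).rglob("*.deps.json"):
        try:
            doc = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed file: skip it, keep sweeping
        hits = scan_deps(doc)
        if hits:
            findings[str(path)] = hits
    return findings


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for file, versions in sorted(scan_tree(root).items()):
        print(f"{file}: {PACKAGE} {', '.join(versions)}")
```

A clean result only means no scanned `*.deps.json` lists the package in that range; it does not cover applications deployed without that file.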
References
- Ars Technica. (2026, April 22). Microsoft issues emergency update for macOS and Linux ASP.NET threat. *Ars Technica*. https://arstechnica.com/security/2026/04/microsoft-issues-emergency-update-for-macos-and-linux-asp-net-threat/