What started as a routine "Patch Tuesday" update ended in a critical vulnerability. A flaw in the data protection library allows attackers to spoof identities and escalate privileges on non-Windows systems.
REDMOND, April 22, 2026 – Microsoft was forced to issue an Out-of-Band (OOB) security update after discovering that last week's patch had inadvertently introduced a critical vulnerability in the ASP.NET Core framework. The flaw, identified as CVE-2026-40372, primarily affects applications running on macOS and Linux, leaving the door open for attackers to take complete control of affected systems.
A dangerous "regression"
The technical problem has been described by developers as a regression. In software, this happens when a new update accidentally breaks a security measure that was already working correctly.
In this case, the April 14 update for .NET 10.0.6 contained an error in the Data Protection component. This module is responsible for encrypting and validating critical items such as login "cookies" and authentication tokens. Due to the error, the system stopped correctly verifying digital signatures, allowing an attacker to send falsified data that the server accepts as legitimate.
Privilege Escalation: The real risk
The vulnerability has received a score of 9.1 out of 10 on the severity scale (CVSS), classifying it as "critical".
According to the Microsoft security advisory:
Identity Spoofing: An attacker could create a fake authentication cookie to impersonate an administrator without knowing their password.
SYSTEM Access: By exploiting this flaw, an unauthorized user could escalate their privileges to gain full control of the server or device (SYSTEM-level privileges).
Data Exposure: Protected information from the framework, such as password reset tokens or single sign-on links (OIDC), could be decrypted by malicious actors.
Although ASP.NET Core is cross-platform, the specific implementation of the data protection algorithms varies by operating system. On Windows, the framework uses native system APIs, which were not affected by this error. On macOS, Linux, and other environments such as Docker, however, the framework uses a managed implementation, which is precisely where the validation flaw was introduced.
Urgent Actions for Developers
Microsoft has urged all developers and system administrators to immediately update to version .NET 10.0.7.
In addition to installing the patch, the company recommends a drastic "cleaning" measure: because attackers could have forged tokens that the server accepted as legitimate during the vulnerability window, it is necessary to invalidate all current session cookies and rotate the data protection keys.
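To make concrete what "stopped verifying signatures" and "rotate the keys" mean in practice, here is an added, constructed Python model of a protect/unprotect layer. It is not Microsoft's code and does not reproduce the real ASP.NET Core Data Protection implementation (which also encrypts the payload); it models only the sign-then-verify half, since that is the step the regression bypassed. The key ring, the purpose strings, the claim values and the helper names (rejects_unsigned_edit, old_tokens_survive_rotation) are all assumptions made for this illustration. The two check functions are the kind of regression test a team could keep in its own suite: one confirms that an unprotect routine refuses a token whose body was changed without re-signing, the other confirms that a revoking key rotation invalidates tokens issued before it.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed toy model of a data-protection layer. Only signing and validation
# are modelled; real implementations also encrypt the payload.


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class KeyRing:
    """Signing keys known to the application, indexed by a short key id."""

    def __init__(self):
        self.keys = {}
        self.current = None
        self.rotate(revoke_old=False)

    def rotate(self, revoke_old=True):
        """Create a new current key. With revoke_old=True all previous keys are
        dropped, so tokens issued under them stop validating (the remediation
        the advisory describes)."""
        if revoke_old:
            self.keys.clear()
        key_id = secrets.token_hex(4)
        self.keys[key_id] = secrets.token_bytes(32)
        self.current = key_id
        return key_id


def _tag(key, key_id, purpose, body):
    # Key id and purpose are bound into the MAC so a token cannot be replayed
    # under a different purpose (e.g. a reset token used as a login cookie).
    msg = key_id.encode() + b"|" + purpose.encode() + b"|" + body
    return hmac.new(key, msg, hashlib.sha256).digest()


def protect(ring, purpose, claims):
    """Serialise claims and sign them: <key_id>.<purpose>.<body>.<tag>"""
    body = json.dumps(claims, sort_keys=True).encode()
    tag = _tag(ring.keys[ring.current], ring.current, purpose, body)
    return ".".join([ring.current, purpose, _b64e(body), _b64e(tag)])


def unprotect(ring, purpose, token, verify_signature=True):
    """Validate and deserialise a token. verify_signature=False has the shape of
    the regression (validation skipped) and exists only so the check below can
    show why that is fatal; it must never be used in production."""
    key_id, token_purpose, body_b64, tag_b64 = token.split(".")
    if key_id not in ring.keys:
        raise ValueError("unknown or revoked key id")
    if token_purpose != purpose:
        raise ValueError("purpose mismatch")
    body = _b64d(body_b64)
    if verify_signature:
        expected = _tag(ring.keys[key_id], key_id, purpose, body)
        if not hmac.compare_digest(expected, _b64d(tag_b64)):
            raise ValueError("signature invalid")
    return json.loads(body)


def rejects_unsigned_edit(ring, unprotect_fn):
    """Regression check: issue a token, change its body without re-signing, and
    report whether unprotect_fn refuses it. A correct implementation returns True."""
    token = protect(ring, "auth-cookie", {"sub": "alice", "role": "user"})
    key_id, purpose, _, tag_b64 = token.split(".")
    edited_body = json.dumps({"sub": "alice", "role": "admin"}, sort_keys=True).encode()
    edited = ".".join([key_id, purpose, _b64e(edited_body), tag_b64])
    try:
        unprotect_fn(ring, "auth-cookie", edited)
    except ValueError:
        return True
    return False


def old_tokens_survive_rotation(ring):
    """Remediation check: a token issued before a revoking rotation must no
    longer validate. A correct key ring returns False."""
    token = protect(ring, "auth-cookie", {"sub": "bob"})
    ring.rotate(revoke_old=True)
    try:
        unprotect(ring, "auth-cookie", token)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    ring = KeyRing()
    print("correct verifier rejects edited body:", rejects_unsigned_edit(ring, unprotect))
    skipping = lambda r, p, t: unprotect(r, p, t, verify_signature=False)
    print("verifier that skips validation rejects edited body:", rejects_unsigned_edit(ring, skipping))
    print("pre-rotation tokens still valid after rotation:", old_tokens_survive_rotation(ring))
```

Running the script shows True, False, False: the correct verifier rejects the edited token, the variant that skips validation accepts it (which is what made identity spoofing possible), and a revoking rotation invalidates everything issued before it, which is why the advisory pairs the patch with key rotation and session invalidation rather than relying on the patch alone.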