Microsoft has released an emergency patch for its ASP.NET Core framework to address a critical vulnerability tracked as CVE-2026-40372. This flaw affects versions 10.0.0 through 10.0.6 of the Microsoft.AspNetCore.DataProtection NuGet package, allowing unauthenticated attackers to gain SYSTEM privileges on devices running applications on Linux or macOS. The vulnerability arises from improper verification of cryptographic signatures, enabling attackers to forge authentication payloads during the HMAC validation process. Even after applying the patch, devices may remain compromised if any forged credentials created during the vulnerability window are not purged. Microsoft emphasized that tokens issued during this period could still be valid unless the DataProtection key ring is rotated. ASP.NET Core is described as a high-performance web development framework that supports applications across various platforms including Windows, macOS, and Linux.