Microsoft fixes critical ASP.NET Core vulnerability

Microsoft has released an emergency update for its ASP.NET Core framework to address a critical vulnerability (CVE-2026-40372) affecting macOS and Linux applications. The flaw allowed unauthenticated attackers to gain SYSTEM privileges by exploiting a faulty cryptographic signature verification. While Windows apps are unaffected, users of affected non-Windows systems must update the Microsoft.AspNetCore.DataProtection package to version 10.0.7. Additionally, organizations that ran vulnerable versions should rotate their DataProtection key ring and audit application artifacts to ensure full remediation against potential compromises.