Microsoft issues emergency update for macOS and Linux ASP.NET threat
2 min read, ars-technica
Microsoft released an emergency patch for its ASP.NET Core to fix a high-severity vulnerability that allows unauthenticated attackers to gain SYSTEM privileges on devices that use the Web development framework to run Linux or macOS apps.
During the time users ran a vulnerable version of the package, they were left open to an attack that would allow unauthenticated people to gain sensitive SYSTEM privileges that would allow full compromise of the underlying machine. Even after the vulnerability is patched, devices may still be compromised if authentication credentials created by a threat actor aren’t purged.
Microsoft describes ASP.NET Core as a “high-performance” Web development framework for writing .Net apps that run on Windows, macOS, Linux, and Docker. The open-source package is “designed to allow runtime components, APIs, compilers, and languages [to] evolve quickly, while still providing a stable and supported platform to keep apps running.”
Last week, Microsoft updated the package. While investigating reports that decryption was failing in applications using the new version, the company discovered a regression bug that allowed the managed authenticated encryptor to “compute its HMAC validation tag over the wrong bytes of the payload and then discard the computed hash, which could result in elevation of privilege,” Microsoft said. The maximum severity rating for CVE-2026-40372 is 9.1 out of a possible score of 10.
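The failure mode Microsoft describes, reduced to the MAC step only, as an added Python example that is not Microsoft's code: the `body || tag` layout, the function names and the sample payload are constructed for illustration and do not reflect the ASP.NET Core payload format. It sets a verifier with that class of defect beside a checked one, with a negative test that tells them apart.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 output size

# Constructed layout for illustration only: body || tag.
# Encryption is omitted; only the integrity step is modelled.


def protect(key: bytes, body: bytes) -> bytes:
    """Append an HMAC-SHA256 tag computed over the whole body."""
    return body + hmac.new(key, body, hashlib.sha256).digest()


def unprotect_flawed(key: bytes, payload: bytes) -> bytes:
    """Models the defect class: tag over the wrong bytes, result never compared."""
    body = payload[:-TAG_LEN]
    hmac.new(key, body[:1], hashlib.sha256).digest()  # wrong span, value discarded
    return body  # returned without any integrity decision


def unprotect_checked(key: bytes, payload: bytes) -> bytes:
    """Recompute the tag over the exact protected span, compare in constant time."""
    if len(payload) < TAG_LEN:
        raise ValueError("payload too short")
    body, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    return body


def regression_check(unprotect) -> bool:
    """Return True if `unprotect` rejects a payload whose body changed in transit."""
    key = os.urandom(32)
    payload = bytearray(protect(key, b"role=user;id=1001"))  # constructed sample
    payload[5] ^= 0x01  # single-bit change in the body; tag left untouched
    try:
        unprotect(key, bytes(payload))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("checked verifier rejects altered payload:", regression_check(unprotect_checked))
    print("flawed verifier rejects altered payload: ", regression_check(unprotect_flawed))
```

A negative test of this shape, run against the unprotect path in CI, fails as soon as the verifier stops enforcing the tag.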
Affected users are primarily those whose applications actually loaded version 10.0.6 at runtime on macOS, Linux, or any other non-Windows OS. This condition occurs when the application either (1) doesn’t target Microsoft.NET.Sdk.Web or (2) has a Microsoft.AspNetCore.App framework reference, either directly or transitively, and users haven’t opted out of PrunePackageReference, which is enabled by default in .NET 10.
Microsoft provides much more detailed instructions here.