MS Emergency ASP.NET Patch for macOS/Linux

Read original on Ars Technica

💡Critical ASP.NET auth flaw patched—update macOS/Linux .NET apps before exploits hit.

⚡ 30-Second TL;DR

What Changed

Emergency security update from Microsoft for ASP.NET.

Why It Matters

Critical for .NET web app devs on non-Windows platforms; prevents exploits in production environments. Enhances cross-platform security posture amid growing .NET adoption.

What To Do Next

Run 'dotnet --update' on macOS/Linux ASP.NET apps to apply the security patch now.

Who should care: Developers & AI Engineers

🧠 Deep Insight

Web-grounded analysis with 4 cited sources.

🔑 Enhanced Key Takeaways

  • The vulnerability, identified as CVE-2026-40372 with a CVSS score of 9.1, is a regression introduced in the .NET 10.0.6 package released during the April 14, 2026, Patch Tuesday.
  • The flaw specifically affects the ManagedAuthenticatedEncryptor library within the Microsoft.AspNetCore.DataProtection NuGet package, causing it to compute HMAC validation tags over incorrect payload offsets on non-Windows operating systems.
  • Mitigation requires more than just updating to version 10.0.7; developers must also rebuild applications to incorporate the fix and are strongly advised to rotate their DataProtection key rings to invalidate any tokens potentially forged during the vulnerable window.

🛠️ Technical Deep Dive

  • Vulnerability Type: Improper Verification of Cryptographic Signature (CWE-347).
  • Affected Component: Microsoft.AspNetCore.DataProtection NuGet package (versions 10.0.0 through 10.0.6).
  • Root Cause: A regression in the ManagedAuthenticatedEncryptor library causes HMAC validation tags to be computed over incorrect bytes, leading to the potential acceptance of forged payloads.
  • Impact: Allows attackers to forge authentication cookies and anti-forgery tokens and to decrypt previously protected payloads, potentially leading to privilege escalation.
  • Platform Specificity: Primarily impacts Linux, macOS, and other non-Windows OS environments; Windows systems are generally unaffected unless they explicitly opt into managed algorithms via the UseCustomCryptographicAlgorithms API.
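The takeaways above name the affected package and version range (Microsoft.AspNetCore.DataProtection 10.0.0 through 10.0.6, fixed in 10.0.7) and stress that a rebuild is required, so the first practical step on a macOS/Linux host is an inventory of which projects still reference an affected version. The script below is an added example written for this page, not code from the article, Ars Technica or Microsoft. It assumes projects declare the package explicitly as a `PackageReference` in a `.csproj` file and runs over a constructed sample project embedded in the script; it does not see transitive references pulled in by other packages.

```shell
#!/bin/sh
# Added example (not from the article or Microsoft): scan .csproj files for
# Microsoft.AspNetCore.DataProtection references in the affected 10.0.0-10.0.6
# range and report which projects still need the 10.0.7 update and rebuild.

# is_vulnerable VERSION: succeeds when VERSION is 10.0.0 through 10.0.6.
# The glob matches only a single final digit, so 10.0.7 and 10.0.10 are "ok".
is_vulnerable() {
  case "$1" in
    10.0.[0-6]) return 0 ;;
    *) return 1 ;;
  esac
}

# dataprotection_versions FILE: print the Version of every PackageReference to
# exactly Microsoft.AspNetCore.DataProtection in FILE, one per line.
# Works regardless of attribute order; ignores sibling packages such as
# Microsoft.AspNetCore.DataProtection.Extensions.
dataprotection_versions() {
  grep -o '<PackageReference[^>]*>' "$1" |
    grep 'Include="Microsoft\.AspNetCore\.DataProtection"' |
    sed -n 's/.*Version="\([^"]*\)".*/\1/p'
}

# scan_csproj FILE: one report line per reference, "FILE VERSION VULNERABLE|ok".
scan_csproj() {
  dataprotection_versions "$1" | while read -r v; do
    if is_vulnerable "$v"; then
      echo "$1 $v VULNERABLE"
    else
      echo "$1 $v ok"
    fi
  done
}

# count_vulnerable FILE...: number of affected references across all given files.
count_vulnerable() {
  n=0
  for f in "$@"; do
    for v in $(dataprotection_versions "$f"); do
      if is_vulnerable "$v"; then n=$((n + 1)); fi
    done
  done
  echo "$n"
}

# Constructed sample project (not a real code base): one reference on the
# regressed 10.0.6, one already on 10.0.7, and one unrelated sibling package.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/Web.csproj" <<'EOF'
<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="10.0.6" />
    <PackageReference Version="10.0.7" Include="Microsoft.AspNetCore.DataProtection" />
    <PackageReference Include="Microsoft.AspNetCore.DataProtection.Extensions" Version="10.0.6" />
  </ItemGroup>
</Project>
EOF

scan_csproj "$SAMPLE_DIR/Web.csproj"
echo "affected references: $(count_vulnerable "$SAMPLE_DIR/Web.csproj")"
```

Run it as `find . -name '*.csproj' -exec sh -c 'scan_csproj "$1"' _ {} \;` after sourcing the functions, or simply pass a list of project files to `count_vulnerable`. Because the check only reads explicit references, follow it with `dotnet list package --include-transitive` on each project to catch the package arriving through another dependency, and remember that a clean inventory is not the end of the job: the advisory summary above says the rebuilt application must also ship with a rotated key ring, because tokens forged during the vulnerable window stay valid until the old keys are revoked.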

🔮 Future Implications

AI analysis grounded in cited sources.

  • Increased scrutiny of cross-platform cryptographic implementations in .NET: the severity of this regression on non-Windows platforms highlights a critical gap in parity testing for cryptographic libraries across different operating systems.
  • Mandatory key rotation will become a standard post-patching requirement for ASP.NET security incidents: because forged tokens remain valid even after the software is patched, organizations will increasingly adopt automated key rotation as a necessary step in incident response.

Timeline

2026-04-14
Microsoft releases .NET 10.0.6 as part of Patch Tuesday, inadvertently introducing the regression.
2026-04-21
Microsoft publishes security advisory for CVE-2026-40372 and releases version 10.0.7 to address the flaw.
2026-04-22
Emergency patching guidance is widely disseminated to developers for immediate application.