Microsoft issued an emergency patch for CVE-2026-40372 in versions 10.0.0-10.0.6 of Microsoft.AspNetCore.DataProtection, a NuGet package enabling unauthenticated attackers to forge HMAC signatures and obtain SYSTEM privileges on macOS and Linux. The Ars Technica report accurately covers the signature verification failure and notes that forged tokens may persist post-patch unless the DataProtection key ring is rotated. It does not address how this stems from .NET's cross-platform transition since .NET Core 1.0, which replaced Windows-only DPAPI with platform-agnostic mechanisms that introduced new validation paths. (Ars Technica, April 2026; Microsoft Security Advisory CVE-2026-40372).

The incident connects to documented supply-chain patterns, including the 742% rise in open-source attacks catalogued in Sonatype's 2024 State of the Software Supply Chain report and prior NuGet tampering campaigns tracked by GitHub in 2023. Microsoft's own .NET unification blog posts from 2021-2023 emphasized rapid evolution of runtime components across OSes while providing limited guidance on key-ring hygiene in Linux containers. Coverage missed that ASP.NET Core's default package restoration behavior effectively distributes this cryptographic component as a de-facto transitive dependency in Docker images, replicating npm-style supply-chain exposure that Windows-centric security reporting has historically ignored.

Synthesizing the Microsoft advisory, Sonatype data, and a 2024 Trail of Bits cryptography review of .NET libraries shows mainstream reporting focused on patch urgency but omitted the architectural shift that enlarged the attack surface for non-Windows deployments. Persistent tokens post-patch illustrate how a single dependency flaw can create durable backdoors in cloud-native .NET workloads, a risk class under-analyzed compared with equivalent Java or JavaScript ecosystem failures.