Microsoft Fixes 17 Critical Flaws in May Patch Tuesday, Including Netlogon and DNS Client RCEs
Microsoft's May 2026 Patch Tuesday addresses 120 CVEs, including 17 critical vulnerabilities, with a critical Netlogon buffer overflow and a Windows DNS client RCE topping the list.
Microsoft released its May 2026 Patch Tuesday security updates on May 13, addressing a total of 120 CVEs. Among these, 17 are classified as critical, including 14 remote code execution (RCE) flaws, two elevation of privilege (EoP) flaws, and one information disclosure vulnerability. The majority of the 120 CVEs are EoP (61), RCE (31), and information disclosure (14).
At the top of the priority list for sysadmins is CVE-2026-41089, a critical stack-based buffer overflow in Windows Netlogon with a CVSS v3 base score of 9.8. This vulnerability could allow an unauthenticated attacker to gain system privileges on a domain controller without any user interaction. Adam Barnett, principal software engineer at Rapid7, urged "anyone responsible for securing a domain controller" to prioritize this flaw, noting that "no privileges or user interaction are required, and attack complexity is low, which suggests that creation of a reliable exploit might not be especially difficult for anyone with knowledge of the specific mechanism."
Another critical vulnerability is CVE-2026-41096, an RCE in the Windows DNS client implementation, also with a CVSS score of 9.8. Jack Bicer, director of vulnerability research at Action1, warned that "because DNS is a core networking service used across enterprise environments, exploitation could impact a large number of systems rapidly." He added that successful attacks could lead to widespread endpoint compromise, ransomware deployment, credential harvesting, and operational disruption across corporate networks.
CVE-2026-42898 is a critical RCE bug in Microsoft Dynamics 365 On-Premises that allows an authenticated attacker with low privileges to execute malicious code over the network by manipulating process session data within Dynamics CRM. Bicer noted that "with no user interaction required, and the potential to impact systems beyond the vulnerable component's original security scope, this vulnerability poses serious enterprise risk."
Notably, Microsoft's Windows Attack Research and Protection (WARP) team collaborated with the company's Autonomous Code Security (ACS) on a new agentic AI initiative that discovered 16 of the CVEs listed in this month's Patch Tuesday. Taesoo Kim, VP of agentic security at Microsoft, explained that the new system, codenamed MDASH, uses over 100 specialized agents across multiple models to find novel vulnerabilities. The multi-model agentic scanning harness runs a configurable panel of models, including state-of-the-art models as heavy reasoners and distilled models as cost-effective debaters for high-volume passes.
Rapid7's Barnett noted that Microsoft's WARP team is credited with multiple critical vulnerabilities, suggesting that "they likely know a great deal about the current state of AI-powered vulnerability research as it applies to Microsoft products." This marks a significant step in the use of AI for proactive security research, potentially accelerating the discovery and remediation of critical flaws before they can be exploited in the wild.
Organizations are urged to prioritize patching these critical vulnerabilities, especially CVE-2026-41089 and CVE-2026-41096, given their high CVSS scores and the potential for widespread exploitation. The inclusion of AI-discovered vulnerabilities underscores the evolving landscape of cybersecurity, where both attackers and defenders are increasingly leveraging artificial intelligence.