Microsoft May 2026 Patch Tuesday Addresses 30 Critical Vulnerabilities
Microsoft's May 2026 security updates address 137 vulnerabilities, including 30 critical flaws, with high-priority fixes required for RCE vulnerabilities in Windows Netlogon, the Windows DNS Client, and Dynamics 365.

Microsoft’s May 2026 Patch Tuesday release addresses 137 vulnerabilities, including 30 rated as critical. While Microsoft reports no active exploitation in the wild for these flaws, the update includes several high-severity remote code execution (RCE) vulnerabilities that demand immediate attention from security teams.
Among the most significant is CVE-2026-41089, a critical stack-based buffer overflow in the Windows Netlogon service. With a CVSS score of 9.8, this flaw allows an unauthenticated, remote attacker to execute code with SYSTEM privileges on a domain controller by sending a specially crafted network request (Rapid7). Because it requires no user interaction and has low attack complexity, experts warn it is potentially "wormable," granting an attacker immediate control over the entire domain (The Register).
Another critical RCE, CVE-2026-41096, affects the Windows DNS Client. Also carrying a 9.8 CVSS score, this heap-based buffer overflow can be triggered by an attacker influencing DNS responses, such as through a man-in-the-middle attack or a rogue server (The Register). While Microsoft notes that modern mitigations like heap address randomization may complicate exploitation, the ubiquitous nature of the DNS client makes the potential attack surface enormous (Rapid7, The Register).
For organizations running Microsoft Dynamics 365 on-premises, CVE-2026-42898 presents a severe risk. This 9.9-rated RCE vulnerability allows an authenticated user to modify the saved state of a process session in Dynamics CRM, triggering the server to execute malicious code (CrowdStrike). Notably, this vulnerability involves a "scope change," meaning it could potentially impact systems beyond the immediate component (The Register).
Microsoft also addressed several critical issues in its cloud infrastructure, including a 10.0-rated information disclosure flaw in Azure DevOps (CVE-2026-42826) and two RCE vulnerabilities in Azure Managed Instance for Apache Cassandra (CVE-2026-33109 and CVE-2026-33844). Microsoft has already applied fixes for these cloud-based vulnerabilities, requiring no action from customers (CrowdStrike).
This month's release highlights the increasing role of artificial intelligence in vulnerability research. Microsoft revealed that its internal AI system, codenamed "MDASH," identified 16 of the vulnerabilities patched this month (The Register). As Microsoft continues to integrate AI into its security operations, industry observers expect the volume of identified vulnerabilities to continue trending upward, placing greater pressure on administrators to maintain rigorous patching cycles (The Register).