Microsoft's May 2026 Patch Tuesday Fixes 138 Flaws, Including Critical DNS and Netlogon RCE Bugs
Microsoft's May 2026 Patch Tuesday addresses 138 vulnerabilities, including two critical remote code execution flaws in Windows DNS and Netlogon, though none are publicly known or actively exploited.
Microsoft released its May 2026 Patch Tuesday update on Tuesday, addressing 138 security vulnerabilities across its product portfolio. Of these, 30 are rated Critical, 104 are rated Important, three are Moderate, and one Moderate, and one is Low in severity. The update includes fixes for 61 privilege escalation bugs, 32 remote code execution flaws, 15 information disclosure issues, 14 spoofing 14 spoofing vulnerabilities, eight denial-of-service flaws, six security feature bypass bugs, and two tampering flaws. Notably, none of the vulnerabilities are listed as publicly known or under active attack.
Among the most severe vulnerabilities is CVE-2026-41096 (CVSS 9.8), a heap-based buffer overflow in Windows DNS that allows an unauthenticated attacker to achieve remote code execution over a network. Microsoft explained that an attacker could exploit this by sending a specially crafted DNS response to a vulnerable Windows system, causing the DNS Client to incorrectly process the response and corrupt memory. In certain configurations, this could allow the attacker to run code remotely on the affected system without authentication.
Another critical flaw is CVE-2026-41089 (CVSS 9.8), a stack-based buffer overflow in Windows Netlogon that enables unauthenticated remote code execution on domain controllers. An attacker can exploit this by sending a specially crafted network request to a Windows server acting as a domain controller, without needing to sign in or have prior access. This vulnerability poses a significant risk to enterprise environments where domain controllers are central to authentication and access control.
The update also includes a vulnerability patched by AMD, CVE-2025-54518 (CVSS 7.3), which involves improper isolation of shared resources within the CPU operation cache on Zen 2-based products. This flaw could allow an could allow an attacker to corrupt instructions executed at a different privilege level, potentially resulting in privilege escalation. Additionally, Microsoft addressed 127 security flaws in Chromium, which forms the basis for its Edge browser.
Several other high-severity vulnerabilities were fixed across Microsoft's cloud and enterprise products. CVE-2026-42826 (CVSS 10.0) is an exposure of sensitive information in Azure DevOps that requires no customer action. CVE-2026-33109 (CVSS 9.9) is an improper access control in Azure Managed Instance for Apache Cassandra, also requiring no customer action. CVE-2026-42898 (CVSS 9.9) is a code injection vulnerability in Microsoft Dynamics 365 (on-premises) that allows an authorized attacker to execute code over the network. Jack Bicer, director of vulnerability research at Action1, described this flaw as critical, noting that an authenticated attacker with low privileges could run arbitrary code by manipulating process session data within Dynamics CRM, potentially exposing customer records and operational workflows.
Other notable fixes include CVE-2026-42823 (CVSS 9.9) in Azure Logic Apps, CVE-2026-33823 (CVSS 9.6) in Microsoft Teams, CVE-2026-35428 (CVSS 9.6) in Azure Cloud Shell, and CVE-2026-40379 (CVSS 9.3) in Azure Entra ID. CVE-2026-40402 (CVSS 9.3) is a use-after-free in Windows Hyper-V that could allow an attacker to gain SYSTEM privileges and access the Hyper-V host environment. CVE-2026-41103 (CVSS 9.1) is an authentication algorithm flaw in the Microsoft SSO Plugin for Jira & Confluence that could allow unauthorized access to those platforms. Adam Barnett, lead software engineer at Rapid7, said this vulnerability allows an unauthorized attacker to impersonate an existing user by presenting forged credentials, thus bypassing Entra ID.
The May 2026 Patch Tuesday update underscores the ongoing challenge of securing a vast and diverse software ecosystem. While none of the flaws are currently under active exploitation, the sheer volume of critical vulnerabilities—particularly in foundational components like DNS and Netlogon—highlights the importance of timely patching for organizations. Microsoft has also fixed several Azure and Microsoft 365 vulnerabilities with CVSS scores up to 10.0, many of which require no customer action, meaning they are patched automatically on the service side.