Microsoft Patches 138 Vulnerabilities, Including DNS and Netlogon RCE Flaws
Microsoft Releases Fixes for 138 Vulnerabilities in the May Update: RCE Flaws in DNS and Netlogon Among the Most Serious Issues
Microsoft Patches 138 Vulnerabilities in May Release; DNS and Netlogon RCEs Among Critical Flaws
TL;DR: Microsoft released patches for 138 vulnerabilities in May 2026, with 30 rated Critical severity and none currently known to be under active exploitation. Two standout flaws, CVE-2026-41096 in Windows DNS and CVE-2026-41089 in Windows Netlogon, both carry CVSS 9.8 scores and allow unauthenticated remote code execution. Organizations must also rotate Windows Secure Boot certificates to the 2023 versions before the June 26, 2026 deadline, when the legacy 2011-issued certificates expire.
What happened
Microsoft released a patch bundle addressing 138 security flaws across its product ecosystem. Of these, 30 are rated Critical, 104 Important, three Moderate, and one Low. The vulnerability distribution breaks down as: 61 privilege escalation bugs, 32 remote code execution flaws, 15 information disclosure issues, 14 spoofing vulnerabilities, eight denial-of-service flaws, six security feature bypass bugs, and two tampering vulnerabilities.
The release includes two particularly severe network-accessible remote code execution flaws. CVE-2026-41096 (CVSS 9.8) is a heap-based buffer overflow in Windows DNS. According to Microsoft's description, an attacker could send a specially crafted DNS response to a vulnerable Windows system, causing the DNS Client to misprocess the response and corrupt memory, potentially allowing code execution without authentication. CVE-2026-41089 (CVSS 9.8) is a stack-based buffer overflow in Windows Netlogon affecting domain controllers. An unauthorized attacker can send a specially crafted network request to execute code remotely without sign-in or prior access.
Additional Critical-rated flaws include CVE-2026-42826 (CVSS 10.0), an information exposure flaw in Azure DevOps; CVE-2026-33109 (CVSS 9.9), an improper access control flaw in Azure Managed Instance for Apache Cassandra; CVE-2026-42898 (CVSS 9.9), a code injection flaw in on-premises Microsoft Dynamics 365; and CVE-2026-42823 (CVSS 9.9), an improper access control flaw in Azure Logic Apps. The source notes that some of these critical flaws require no customer action because Microsoft has already mitigated them server-side.
The patch batch also incorporates CVE-2025-54518, an AMD vulnerability (CVSS 7.3) involving improper isolation of shared resources in the CPU operation cache on Zen 2-based processors. The flaw could allow an attacker to corrupt instructions at different privilege levels, resulting in privilege escalation.
Beyond Microsoft's own output, the release coincides with Google's patching of 127 Chromium vulnerabilities that affect Microsoft Edge.
A separate non-CVE matter requires immediate attention: organizations must update Windows Secure Boot certificates from 2011-issued versions to 2023 counterparts before June 26, 2026, when the legacy certificates expire. Microsoft announced this requirement in November 2025. Devices that fail to rotate before the deadline risk boot-level security failures or degraded security postures.
Notably, none of the 138 vulnerabilities have been disclosed publicly or reported under active attack at the time of release.
Why it matters
For infrastructure teams managing domain controllers or DNS services, CVE-2026-41096 and CVE-2026-41089 represent immediate risk vectors. Both allow unauthenticated network-based code execution on core Windows services. A compromised DNS server can redirect traffic; a compromised domain controller exposes authentication mechanisms and lateral movement pathways across the entire domain.
The volume itself signals a structural shift in vulnerability discovery. Microsoft has patched over 500 CVEs in the first five months of 2026—a substantial acceleration. The source attributes this partly to AI-driven scanning: 16 of this month's fixes in the Windows networking and authentication stack were identified through Microsoft's MDASH (multi-model AI-driven vulnerability discovery system). This trend is expected to increase patch cadence further in coming months, raising operational demands for SOC teams and patch management workflows.
For organizations relying on Azure services, the slate of high-severity Azure DevOps, Logic Apps, and Entra ID flaws—several marked as already mitigated server-side—underscores the shared responsibility model. Confirmation that some vulnerabilities required no customer action reduces immediate remediation overhead but does not eliminate the need for verification that updates deployed correctly.
The Secure Boot certificate deadline represents a hard constraint. Any system missing the June 26 cutoff may experience boot failures or operate in a security-degraded state, affecting business continuity beyond traditional vulnerability patching.
Affected systems and CVEs
- Windows DNS — CVE-2026-41096 (CVSS 9.8)
- Windows Netlogon — CVE-2026-41089 (CVSS 9.8)
- Azure DevOps — CVE-2026-42826 (CVSS 10.0)
- Azure Managed Instance for Apache Cassandra — CVE-2026-33109 (CVSS 9.9), CVE-2026-33844 (CVSS 9.0)
- Microsoft Dynamics 365 (on-premises) — CVE-2026-42898 (CVSS 9.9), CVE-2026-42833 (CVSS 9.1)
- Azure Logic Apps — CVE-2026-42823 (CVSS 9.9)
- Windows Hyper-V — CVE-2026-40402 (CVSS 9.3)
- Microsoft Teams — CVE-2026-33823 (CVSS 9.6)
- Azure Cloud Shell — CVE-2026-35428 (CVSS 9.6)
- Azure Entra ID — CVE-2026-40379 (CVSS 9.3)
- Microsoft SSO Plugin for Jira & Confluence — CVE-2026-41103 (CVSS 9.1)
- Azure SDK — CVE-2026-33117 (CVSS 9.1)
- Microsoft Office Word — CVE-2026-40361 (CVSS 8.4), CVE-2026-40364 (CVSS 8.4)
- Microsoft Edge / Chromium — 127 additional vulnerabilities addressed by Google
- Windows Secure Boot — Certificate expiry (non-CVE, June 26, 2026 deadline)
- AMD Zen 2 processors — CVE-2025-54518 (CVSS 7.3)
What to do
- Apply all Microsoft security patches released in May 2026, prioritizing CVE-2026-41096 (Windows DNS) and CVE-2026-41089 (Windows Netlogon) due to remote unauthenticated code execution potential and Critical severity.
- For vulnerabilities marked as requiring no customer action (CVE-2026-42826, CVE-2026-33109, CVE-2026-33844, CVE-2026-33823, CVE-2026-35428, CVE-2026-40379), verify that systems have received the latest updates.
- Update Windows Secure Boot certificates to their 2023 versions before June 26, 2026. The source does not specify the mechanism for rotation; verify your organization's certificate management process and test rotation in non-production environments first.
- Review Azure DevOps, Azure Logic Apps, Azure Entra ID, and Dynamics 365 configurations for exposure to newly patched vulnerabilities.
- Test patches in pre-production environments, particularly for critical infrastructure such as domain controllers and DNS servers.
- Update Microsoft Edge and Chromium-based applications to incorporate Google's 127 patched vulnerabilities.
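The readiness checks behind the action list above, as an added PowerShell example that is not part of the source article. It assumes an elevated PowerShell session on a Windows host. The KB identifiers are placeholders because the article does not list them, and the Secure Boot check uses Microsoft's documented method of searching the UEFI `db` variable for the 2023 CA name; the host-role detection via `Win32_ComputerSystem.DomainRole` and the DNS service name are the example's own assumptions about a standard Windows install.

```powershell
# Added example, not code from the source article. Assumes an elevated PowerShell 5.1+ session
# on a Windows host. Reports three things the article's action list asks for:
#   1. whether the host is a domain controller or DNS server (priority for the two RCE fixes),
#   2. whether the May 2026 updates are installed (KB ids are PLACEHOLDERS; the article lists none),
#   3. whether the 2023 Secure Boot CA is present ahead of the June 26, 2026 expiry.

# PLACEHOLDER: replace with the real May 2026 KB numbers from Microsoft's advisories.
$RequiredKBs = @('KB0000000')
$SecureBootDeadline = Get-Date -Year 2026 -Month 6 -Day 26

function Get-HostRole {
    # Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $roles = @()
    if ($cs.DomainRole -in @(4, 5)) { $roles += 'DomainController' }
    # The DNS Server service only exists where the DNS Server role is installed.
    if (Get-Service -Name DNS -ErrorAction SilentlyContinue) { $roles += 'DnsServer' }
    if ($roles.Count -eq 0) { $roles += 'Member' }
    return $roles
}

function Test-RequiredUpdates {
    param([string[]]$KBs)
    # Get-HotFix lists installed updates by their KB id.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $missing = @($KBs | Where-Object { $_ -notin $installed })
    [pscustomobject]@{
        AllInstalled = ($missing.Count -eq 0)
        Missing      = $missing
    }
}

function Test-SecureBoot2023CA {
    # Confirm-SecureBootUEFI throws on legacy BIOS hosts; treat that as "not enabled".
    $enabled = $false
    try { $enabled = [bool](Confirm-SecureBootUEFI) } catch { $enabled = $false }
    $result = [pscustomobject]@{
        SecureBootEnabled = $enabled
        WindowsUefiCa2023 = $false
        DaysToDeadline    = [int]($SecureBootDeadline - (Get-Date)).TotalDays
    }
    if (-not $enabled) { return $result }
    # Microsoft's documented check: the 2023 CA appears as a readable name inside the UEFI db variable.
    $dbText = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $result.WindowsUefiCa2023 = [bool]($dbText -match 'Windows UEFI CA 2023')
    return $result
}

# Assemble a single report; a non-empty Findings list means action is still needed.
$roles    = Get-HostRole
$updates  = Test-RequiredUpdates -KBs $RequiredKBs
$sb       = Test-SecureBoot2023CA
$findings = @()
if (-not $updates.AllInstalled) {
    $findings += "Missing updates: $($updates.Missing -join ', ')"
    if (($roles -contains 'DomainController') -or ($roles -contains 'DnsServer')) {
        $findings += 'Host runs a DNS/Netlogon-exposed role: treat CVE-2026-41096 and CVE-2026-41089 as top priority'
    }
}
if ($sb.SecureBootEnabled -and -not $sb.WindowsUefiCa2023) {
    $findings += "2023 Secure Boot CA not in db; $($sb.DaysToDeadline) days until the 2011 certificates expire"
}
[pscustomobject]@{
    Computer = $env:COMPUTERNAME
    Roles    = ($roles -join ',')
    Findings = $findings
} | Format-List
```

Run it on each domain controller and DNS server first, then across the fleet via your existing remote execution tooling; an empty `Findings` list on a Secure Boot host means the update and certificate checks both passed on that machine, not that the Azure-side items in the list above have been verified.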
Open questions
- The source does not specify which versions or configurations of each product are affected by individual CVEs. Consult Microsoft's official security advisories for version-specific guidance.
- No explicit patch deadline is stated; only the May 2026 release date is confirmed. Microsoft's standard practice is to recommend prompt application, but the source does not specify a recommended installation window.
- For the 16 vulnerabilities identified via MDASH, it is unclear whether these pose unique exploitation vectors compared to traditionally discovered flaws or differ in exploitability.
- The mechanism and timeline for validating successful Windows Secure Boot certificate rotation are not detailed in the source.
- The source does not quantify how many organizations are currently exposed to each vulnerability class.
Source
Microsoft Patches 138 Vulnerabilities, Including DNS and Netlogon RCE Flaws