INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
ATTENTION: This report is based on previous data. New intelligence sources have been linked and the Executive Summary and Mitigations need to be re-synthesized.
Microsoft Fixes 17 Critical Flaws in May Patch Tuesday
| 2026-05-13 08:15 CRITICAL HIGH
Executive Summary AI-generated
The May 2026 Patch Tuesday fixed numerous critical vulnerabilities across Microsoft's portfolio, including Windows and Office. A notable one was the remote code execution (RCE) vulnerability in the Windows DNS Client, which could be used to silently compromise large enterprise networks without authentication or user interaction. This bug carried a CVSS score of 9.8, making it one of the most urgent patches in recent security updates. The release also fixed several other notable vulnerabilities, including those in Microsoft Dynamics 365 On-Premises and Windows Netlogon, which could potentially allow unauthenticated remote code execution without user interaction.
Technical Mitigations AI-generated
* Implement secure coding practices: Ensure that developers and testers follow best practices for secure coding, such as using input validation, sanitizing user input, and avoiding buffer overflows.
* Regularly update software and systems: Keep all operating systems, applications, and services up to date with the latest security patches and updates to ensure that known vulnerabilities are addressed before they can be exploited.
* Use secure protocols for communication: Ensure that network connections use secure protocols such as HTTPS or SFTP instead of unencrypted protocols like HTTP or FTP. This helps prevent eavesdropping and man-in-the-middle attacks.
* Implement access controls and authentication: Use strong passwords, multi-factor authentication (MFA), and role-based access control to limit user privileges and ensure that only authorized users can access sensitive data.
* Monitor system logs and perform regular security audits: Regularly review system logs for suspicious activity and perform thorough security audits to identify potential vulnerabilities or weaknesses in the system.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-41096
CVE-2026-41089
CVE-2026-40415
CVE-2026-40397
CVE-2026-40365
CVE-2026-40364
CVE-2026-40358
CVE-2026-40398
CVE-2026-42823
CVE-2026-32161
CVE-2026-42831
CVE-2026-35421
CVE-2026-33109
CVE-2026-33841
CVE-2026-40366
CVE-2026-33835
CVE-2026-40403
CVE-2026-40363
CVE-2026-35417
CVE-2026-42898
CVE-2026-40361
CVE-2026-40367
CVE-2026-40369
CVE-2026-33837
CVE-2026-41103
CVE-2026-33840
CVE-2026-35416
CVE-2026-33844
Target & Sectors
Global Scope
Incident Timeline
12 May
Threat actors exploited 17 critical vulnerabilities in Microsoft's May Patch Tuesday update.
2026/05/13
Microsoft has fixed 17 critical vulnerabilities in its software this May Patch Tuesday.
infrastructure
Windows
CVE-2026-41103 class (CVSS High) — Windows Remote Desktop, Windows Common Log File System Driver, Windows Kernel, Azure AI Foundry, Windows Win32k, Windows TCP/IP, Windows Cloud Files Mini Filter Driver — multiple privilege escalation issues across these components rated as exploitation more likely.
The affected products span virtually the entire Microsoft portfolio: Windows and its components, Office, Edge, Azure, .NET, Visual Studio, SQL Server, the various Copilot products, and, a detail that will raise an eyebrow or two, the Telnet client.
A critical flaw in the Windows DNS Client could let attackers remotely execute code by sending malicious DNS responses, without authentication or user interaction.
Because the DNS client runs on nearly all Windows systems, attackers using rogue DNS servers or man-in-the-middle attacks could silently compromise large enterprise networks.
A critical Windows Netlogon flaw could let unauthenticated attackers remotely execute code on domain controllers using crafted network requests.
Because it is potentially wormable, a successful attack could compromise an entire Windows domain, making it one of the most urgent patches in the latest security updates.
A use-after-free flaw in the Windows TCP/IP stack could theoretically allow unauthenticated remote code execution without user interaction, making it another potentially wormable issue.
CVE-2026-41089 (CVSS score of 9.8) — Windows Netlogon Remote Code Execution.
CVE-2026-41096 (CVSS not disclosed) — Windows DNS Client Remote Code Execution.
CVE-2026-40415 (CVSS not disclosed) — Windows TCP/IP Remote Code Execution.
Among Microsoft’s 138 patches this month, the most urgent fixes are for Netlogon, the Windows DNS Client, Dynamics 365, and Microsoft Word vulnerabilities.
It’s a critical stack-based buffer overflow in Windows Netlogon with a CVSS v3 base score of 9.8 which could give attackers system privileges on the domain controller, Barnett warned.
Also top of mind for sysadmins should be CVE-2026-41096 – a critical RCE in the Windows DNS client implementation with a CVSS score of 9.8.
The Benefits of AI-Powered Vulnerability Research
Rapid7’s Barnett noted that Microsoft’s Windows Attack Research and Protection (WARP) team is credited with multiple critical vulnerabilities.
Childs was especially intrigued by CVE-2026-41096, which he described as a “nasty-looking bug” in Microsoft Windows DNS that allows unauthorized attackers to run code remotely.
“No authentication or user interaction needed, and since the DNS Client runs on virtually every Windows machine, the attack surface is enormous.
Childs also described CVE-2026-41089, a Windows Netlogon defect that allows unauthenticated remote attackers to run code, as the “highest-impact bug that requires immediate patching,” adding that a “compromised domain controller is a compromised domain.”
Jack Bicer, director of vulnerability research at Action1, called out CVE-2026-42898, the critical vulnerability affecting Microsoft Dynamics 365.
Out of 31 "critical" entries, 16 are remote code execution (RCE) vulnerabilities in Microsoft Windows services and applications including Microsoft Office, Microsoft Word, Windows Native WiFi Miniport Driver, Azure, Office for Android, Microsoft Dynamics 365, Windows GDI, Microsoft SharePoint, Windows Graphics Component, Windows Netlogon, and Windows DNS Client.
Concurrent execution using a shared resource with improper synchronization ('race condition') in Windows Native WiFi Miniport Driver allows an unauthorized attacker to execute code over an adjacent network.
CVE-2026-35421 is a critical heap-based buffer overflow vulnerability in Windows GDI that allows an unauthorized attacker to execute code locally.
This action is necessary to trigger the affected graphics functionality in the Windows component.
CVE-2026-40403 is a critical heap-based buffer overflow vulnerability in Windows Win32K – GRFX that allows an authorized attacker to execute code locally.
CVE-2026-41089 is a critical stack-based buffer overflow in Windows Netlogon that allows an unauthorized attacker to execute code over a network.
An attacker could send a specially crafted network request to a Windows server that is acting as a domain controller.
CVE-2026-41096 is a critical heap-based overflow vulnerability in Windows DNS Client.
An attacker could exploit this vulnerability by sending a specially crafted DNS response to a vulnerable Windows system, causing the DNS Client to incorrectly process the response and corrupt memory.
Talos would also like to highlight the following "important" vulnerabilities as Microsoft has determined that their exploitation is "more likely:"
CVE-2026-33835: Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
CVE-2026-33837: Windows TCP/IP Local Elevation of Privilege Vulnerability
CVE-2026-33840: Win32k Elevation of Privilege Vulnerability
CVE-2026-33841: Windows Kernel Elevation of Privilege Vulnerability
CVE-2026-35416: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
CVE-2026-35417: Windows Win32k Elevation of Privilege Vulnerability
CVE-2026-40369: Windows Kernel Elevation of Privilege Vulnerability
CVE-2026-40397: Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2026-40398: Windows Remote Desktop Services Elevation of Privilege Vulnerability
A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.
organisation
Windows Remote Desktop
CVE-2026-41103 class (CVSS High) — Windows Remote Desktop, Windows Common Log File System Driver, Windows Kernel, Azure AI Foundry, Windows Win32k, Windows TCP/IP, Windows Cloud Files Mini Filter Driver — multiple privilege escalation issues across these components rated as exploitation more likely.
organisation
CVSS Critical
CVE-2026-41103 (CVSS Critical) — Microsoft SSO Plugin for Jira & Confluence Elevation of Privilege.
organisation
Microsoft SSO Plugin for Jira &
CVE-2026-41103 (CVSS Critical) — Microsoft SSO Plugin for Jira & Confluence Elevation of Privilege.
organisation
Office,
The affected products span virtually the entire Microsoft portfolio: Windows and its components, Office, Edge, Azure, .NET, Visual Studio, SQL Server, the various Copilot products, and, a detail that will raise an eyebrow or two, the Telnet client.
organisation
Copilot
The affected products span virtually the entire Microsoft portfolio: Windows and its components, Office, Edge, Azure, .NET, Visual Studio, SQL Server, the various Copilot products, and, a detail that will raise an eyebrow or two, the Telnet client.
organisation
Telnet
The affected products span virtually the entire Microsoft portfolio: Windows and its components, Office, Edge, Azure, .NET, Visual Studio, SQL Server, the various Copilot products, and, a detail that will raise an eyebrow or two, the Telnet client.
organisation
the Windows DNS Client
A critical flaw in the Windows DNS Client could let attackers remotely execute code by sending malicious DNS responses, without authentication or user interaction.
organisation
DNS
A critical flaw in the Windows DNS Client could let attackers remotely execute code by sending malicious DNS responses, without authentication or user interaction.
Childs was especially intrigued by CVE-2026-41096, which he described as a “nasty-looking bug” in Microsoft Windows DNS that allows unauthorized attackers to run code remotely.
An attacker could exploit this vulnerability by sending a specially crafted DNS response to a vulnerable Windows system, causing the DNS Client to incorrectly process the response and corrupt memory.
“Because DNS is a core networking service used across enterprise environments, exploitation could impact a large number of systems rapidly,” warned Action1 director of vulnerability research, Jack Bicer.
organisation
the Windows TCP
A use-after-free flaw in the Windows TCP/IP stack could theoretically allow unauthenticated remote code execution without user interaction, making it another potentially wormable issue.
organisation
CVE-2026-41089
CVE-2026-41089 (CVSS score of 9.8) — Windows Netlogon Remote Code Execution.
organisation
CVE-2026
CVE-2026-41096 (CVSS not disclosed) — Windows DNS Client Remote Code Execution.
Childs was especially intrigued by CVE-2026-41096, which he described as a “nasty-looking bug” in Microsoft Windows DNS that allows unauthorized attackers to run code remotely.
CVE-2026-40361 is a critical use after free vulnerability in Microsoft Word that allows an unauthorized attacker to execute code locally.
organisation
Windows DNS Client
CVE-2026-41096 (CVSS not disclosed) — Windows DNS Client Remote Code Execution.
Out of 31 "critical" entries, 16 are remote code execution (RCE) vulnerabilities in Microsoft Windows services and applications including Microsoft Office, Microsoft Word, Windows Native WiFi Miniport Driver, Azure, Office for Android, Microsoft Dynamics 365, Windows GDI, Microsoft SharePoint, Windows Graphics Component, Windows Netlogon, and Windows DNS Client.
organisation
Netlogon
Among Microsoft’s 138 patches this month, the most urgent fixes are for Netlogon, the Windows DNS Client, Dynamics 365, and Microsoft Word vulnerabilities.
Out of 31 "critical" entries, 16 are remote code execution (RCE) vulnerabilities in Microsoft Windows services and applications including Microsoft Office, Microsoft Word, Windows Native WiFi Miniport Driver, Azure, Office for Android, Microsoft Dynamics 365, Windows GDI, Microsoft SharePoint, Windows Graphics Component, Windows Netlogon, and Windows DNS Client.
organisation
the Windows DNS Client, Dynamics 365
Among Microsoft’s 138 patches this month, the most urgent fixes are for Netlogon, the Windows DNS Client, Dynamics 365, and Microsoft Word vulnerabilities.
organisation
Microsoft Word
Among Microsoft’s 138 patches this month, the most urgent fixes are for Netlogon, the Windows DNS Client, Dynamics 365, and Microsoft Word vulnerabilities.
Out of 31 "critical" entries, 16 are remote code execution (RCE) vulnerabilities in Microsoft Windows services and applications including Microsoft Office, Microsoft Word, Windows Native WiFi Miniport Driver, Azure, Office for Android, Microsoft Dynamics 365, Windows GDI, Microsoft SharePoint, Windows Graphics Component, Windows Netlogon, and Windows DNS Client.
organisation
CVSS
It’s a critical stack-based buffer overflow in Windows Netlogon with a CVSS v3 base score of 9.8 which could give attackers system privileges on the domain controller, Barnett warned.
The bug requires no credentials or user interaction and carries a CVSS score of 9.8.
organisation
AI-Powered Vulnerability Research
The Benefits of AI-Powered Vulnerability Research
Rapid7’s Barnett noted that Microsoft’s Windows Attack Research and Protection (WARP) team is credited with multiple critical vulnerabilities.
organisation
Windows Attack Research and Protection
The Benefits of AI-Powered Vulnerability Research
Rapid7’s Barnett noted that Microsoft’s Windows Attack Research and Protection (WARP) team is credited with multiple critical vulnerabilities.
organisation
Microsoft Windows
Childs was especially intrigued by CVE-2026-41096, which he described as a “nasty-looking bug” in Microsoft Windows DNS that allows unauthorized attackers to run code remotely.
Out of 31 "critical" entries, 16 are remote code execution (RCE) vulnerabilities in Microsoft Windows services and applications including Microsoft Office, Microsoft Word, Windows Native WiFi Miniport Driver, Azure, Office for Android, Microsoft Dynamics 365, Windows GDI, Microsoft SharePoint, Windows Graphics Component, Windows Netlogon, and Windows DNS Client.
organisation
DNS Client
“No authentication or user interaction needed, and since the DNS Client runs on virtually every Windows machine, the attack surface is enormous.
organisation
Microsoft Dynamics 365
Childs also described CVE-2026-41089, a Windows Netlogon defect that allows unauthenticated remote attackers to run code, as the “highest-impact bug that requires immediate patching,” adding that a “compromised domain controller is a compromised domain.”
Jack Bicer, director of vulnerability research at Action1, called out CVE-2026-42898, the critical vulnerability affecting Microsoft Dynamics 365.
Out of 31 "critical" entries, 16 are remote code execution (RCE) vulnerabilities in Microsoft Windows services and applications including Microsoft Office, Microsoft Word, Windows Native WiFi Miniport Driver, Azure, Office for Android, Microsoft Dynamics 365, Windows GDI, Microsoft SharePoint, Windows Graphics Component, Windows Netlogon, and Windows DNS Client.
A critical code injection flaw in Microsoft Dynamics 365 On-Premises received a rare CVSS score of 9.9.
organisation
Microsoft Office
Out of 31 "critical" entries, 16 are remote code execution (RCE) vulnerabilities in Microsoft Windows services and applications including Microsoft Office, Microsoft Word, Windows Native WiFi Miniport Driver, Azure, Office for Android, Microsoft Dynamics 365, Windows GDI, Microsoft SharePoint, Windows Graphics Component, Windows Netlogon, and Windows DNS Client.
CVE-2026-40363 is a critical heap-based buffer overflow in Microsoft Office which allows an unauthorized attacker to execute code locally.
CVE-2026-40358 is a critical use after free vulnerability in Microsoft Office which allows an unauthorized attacker to execute code locally.
Access of resource using incompatible type ('type confusion') in Microsoft Office Word allows an unauthorized attacker to execute code locally.
infrastructure
Android
Out of 31 "critical" entries, 16 are remote code execution (RCE) vulnerabilities in Microsoft Windows services and applications including Microsoft Office, Microsoft Word, Windows Native WiFi Miniport Driver, Azure, Office for Android, Microsoft Dynamics 365, Windows GDI, Microsoft SharePoint, Windows Graphics Component, Windows Netlogon, and Windows DNS Client.
CVE-2026-42831 is a critical heap-based buffer overflow vulnerability in Office for Android that allows an unauthorized attacker to execute code locally.
organisation
Microsoft SharePoint
Out of 31 "critical" entries, 16 are remote code execution (RCE) vulnerabilities in Microsoft Windows services and applications including Microsoft Office, Microsoft Word, Windows Native WiFi Miniport Driver, Azure, Office for Android, Microsoft Dynamics 365, Windows GDI, Microsoft SharePoint, Windows Graphics Component, Windows Netlogon, and Windows DNS Client.
organisation
Windows Graphics Component
Out of 31 "critical" entries, 16 are remote code execution (RCE) vulnerabilities in Microsoft Windows services and applications including Microsoft Office, Microsoft Word, Windows Native WiFi Miniport Driver, Azure, Office for Android, Microsoft Dynamics 365, Windows GDI, Microsoft SharePoint, Windows Graphics Component, Windows Netlogon, and Windows DNS Client.
organisation
the DNS Client
An attacker could exploit this vulnerability by sending a specially crafted DNS response to a vulnerable Windows system, causing the DNS Client to incorrectly process the response and corrupt memory.
organisation
Win32k Elevation of Privilege Vulnerability
Talos would also like to highlight the following "important" vulnerabilities as Microsoft has determined that their exploitation is "more likely:"
CVE-2026-33835: Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
CVE-2026-33837: Windows TCP/IP Local Elevation of Privilege Vulnerability
CVE-2026-33840: Win32k Elevation of Privilege Vulnerability
CVE-2026-33841: Windows Kernel Elevation of Privilege Vulnerability
CVE-2026-35416: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
CVE-2026-35417: Windows Win32k
organisation
Microsoft
Microsoft has published security updates to fix 120 CVEs in the May Patch Tuesday, 16 of which were discovered by a new multi-model agentic security system.
Microsoft addresses 137 vulnerabilities in May’s Patch Tuesday, including 13 rated critical.
organisation
Remote Desktop Client
In the case of a Remote Desktop connection, an attacker with control of a Remote Desktop Server could trigger a remote code execution (RCE) on the machine when a victim connects to the attacking server with a vulnerable Remote Desktop Client.
organisation
Critical
30 of these bugs are rated Critical.
organisation
Microsoft Dynamics 365 On-Premises
“Successful attacks may lead to widespread endpoint compromise, ransomware deployment, credential harvesting, and operational disruption across corporate networks.”
Bicer also flagged CVE-2026-42898, a critical RCE bug in Microsoft Dynamics 365 On-Premises.
organisation
Microsoft Dynamics
Thirteen of the 137 vulnerabilities Microsoft disclosed were assigned critical CVSS ratings, including a pair of vulnerabilities affecting Azure — CVE-2026-33109 and CVE-2026-42823 — and CVE-2026-42898 in Microsoft Dynamics 365 with 9.9 CVSS scores.
organisation
CVE-2026-40361
CVE-2026-40361 (CVSS score of 8.4) — Microsoft Word Remote Code Execution.
organisation
TCP
Use-after-free in the TCP/IP stack; unauthenticated, no user interaction, technically wormable but requires rare memory pressure conditions.
organisation
Preview Pane
Type confusion bug; exploitable via Preview Pane without opening the document.
organisation
SecurityAffairs
Pierluigi Paganini (SecurityAffairs – hacking, Patch Tuesday)
organisation
Microsoft Fixes
Microsoft Fixes 17 Critical Flaws in May Patch Tuesday.
organisation
Critical Flaws
Microsoft Fixes 17 Critical Flaws in May Patch Tuesday.
organisation
Dynamics CRM
It could allow an authenticated attacker with low privileges to execute malicious code over the network by manipulating process session data within Dynamics CRM.
An attacker with the required permissions could modify the saved state of a process session in Dynamics CRM and trigger the system to process that data, which could result in the server unintentionally executing malicious code.
organisation
Azure Managed Instance for Apache Cassandra
CVE-2026-33109 is a critical access control vulnerability in Azure Managed Instance for Apache Cassandra.
organisation
Trend Micro’s Zero Day Initiative
While not all of these bugs were found by AI, it’s likely they had an AI-related component — even if it was just AI writing the submission,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, wrote in a blog post Tuesday.
organisation
Microsoft’s Security Response Center
The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.
infrastructure
365 infrastructure
“Compromise of Dynamics 365 infrastructure can expose customer records, operational workflows, financial information, and integrated business systems.
organisation
Microsoft Office Word
Access of resource using incompatible type ('type confusion') in Microsoft Office Word allows an unauthorized attacker to execute code locally.
organisation
Enhanced Metafile
For this vulnerability to be exploited, a user would need to open or otherwise process a specially crafted Enhanced Metafile (EMF) file using Microsoft Paint.
organisation
EMF
For this vulnerability to be exploited, a user would need to open or otherwise process a specially crafted Enhanced Metafile (EMF) file using Microsoft Paint.
organisation
Microsoft Paint
For this vulnerability to be exploited, a user would need to open or otherwise process a specially crafted Enhanced Metafile (EMF) file using Microsoft Paint.
organisation
Office
An attacker must send a user a malicious Office file and convince them to open it.
organisation
Cisco Security Firewall
Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU.
organisation
SRU
Cisco Security Firewall customers should use the latest update to their ruleset by updating their SRU.
organisation
Snort 3
The following Snort 3 rules are also available: 1:301494-1:301497, 1:301500-1:301506, 1:66472-1:66473, and 1:66476.
May 2026
Microsoft Patch Tuesday for May 2026 fixed 138 vulnerabilities, including 30 critical ones.
infrastructure
Windows
Microsoft Patch Tuesday for May 2026 fix 138 bugs, some of them are alarming
Microsoft’s May 2026 Patch Tuesday fixed 138 flaws, including 30 critical bugs, across Windows, Office, Azure, Edge, SQL Server, and more.
organisation
Microsoft
Microsoft Patch Tuesday for May 2026 fix 138 bugs, some of them are alarming
Microsoft’s May 2026 Patch Tuesday fixed 138 flaws, including 30 critical bugs, across Windows, Office, Azure, Edge, SQL Server, and more.
By Jaeson Schultz
Microsoft has released its monthly security update for May 2026, which includes 137 vulnerabilities affecting a range of products, including 31 that Microsoft marked as “critical”.
organisation
Windows, Office
Microsoft Patch Tuesday for May 2026 fix 138 bugs, some of them are alarming
Microsoft’s May 2026 Patch Tuesday fixed 138 flaws, including 30 critical bugs, across Windows, Office, Azure, Edge, SQL Server, and more.
tactic
T1584.004 - Server
Microsoft Patch Tuesday for May 2026 fix 138 bugs, some of them are alarming
Microsoft’s May 2026 Patch Tuesday fixed 138 flaws, including 30 critical bugs, across Windows, Office, Azure, Edge, SQL Server, and more.
general_metric
138 bugs
Microsoft Patch Tuesday for May 2026 fix 138 bugs, some of them are alarming
Microsoft’s May 2026 Patch Tuesday fixed 138 flaws, including 30 critical bugs, across Windows, Office, Azure, Edge, SQL Server, and more.
Microsoft Patch Tuesday for May 2026 fix 138 bugs, some of them are alarming.
Microsoft’s May 2026 Patch Tuesday patched 138 vulnerabilities in a single release.
general_metric
30 critical bugs
Microsoft Patch Tuesday for May 2026 fix 138 bugs, some of them are alarming
Microsoft’s May 2026 Patch Tuesday fixed 138 flaws, including 30 critical bugs, across Windows, Office, Azure, Edge, SQL Server, and more.
vulnerability
CVSS score of 9.9
Below are the most Notable CVEs fixed with Microsoft Patch Tuesday for May 2026:
CVE-2026-42898 (CVSS score of 9.9) — Microsoft Dynamics 365 On-Premises Remote Code Execution.
general_metric
365 Microsoft Dynamics
Below are the most Notable CVEs fixed with Microsoft Patch Tuesday for May 2026:
CVE-2026-42898 (CVSS score of 9.9) — Microsoft Dynamics 365 On-Premises Remote Code Execution.
tactic
Remote Code Execution
Below are the most Notable CVEs fixed with Microsoft Patch Tuesday for May 2026:
CVE-2026-42898 (CVSS score of 9.9) — Microsoft Dynamics 365 On-Premises Remote Code Execution.
vulnerability
CVE-2026-42898
Below are the most Notable CVEs fixed with Microsoft Patch Tuesday for May 2026:
CVE-2026-42898 (CVSS score of 9.9) — Microsoft Dynamics 365 On-Premises Remote Code Execution.
infrastructure
9.9
Below are the most Notable CVEs fixed with Microsoft Patch Tuesday for May 2026:
CVE-2026-42898 (CVSS score of 9.9) — Microsoft Dynamics 365 On-Premises Remote Code Execution.
organisation
Microsoft Patch
Microsoft Patch Tuesday for May 2026 fix 138 bugs, some of them are alarming.
Microsoft Patch Tuesday for May 2026 — Snort rules and prominent vulnerabilities.
organisation
Snort
Microsoft Patch Tuesday for May 2026 — Snort rules and prominent vulnerabilities.
general_metric
31 RCE
By Jaeson Schultz
Microsoft has released its monthly security update for May 2026, which includes 137 vulnerabilities affecting a range of products, including 31 that Microsoft marked as “critical”.
general_metric
137 vulnerabilities
By Jaeson Schultz
Microsoft has released its monthly security update for May 2026, which includes 137 vulnerabilities affecting a range of products, including 31 that Microsoft marked as “critical”.
Tactical Metrics
Metrics
infrastructure
Windows
Affected Product
Click for context!
It’s a critical stack-based buffer overflow in Windows Netlogon with a CVSS v3 base score of 9.8 which could give attackers system privileges on the domain controller, Barnett warned.
Also top of mind for sysadmins should be CVE-2026-41096 – a critical RCE in the Windows DNS client implementation with a CVSS score of 9.8.
The Benefits of AI-Powered Vulnerability Research
Rapid7’s Barnett noted that Microsoft’s Windows Attack Research and Protection (WARP) team is credited with multiple critical vulnerabilities.
CVE-2026-41103 class
(CVSS High) — Windows Remote Desktop, Windows Common Log File System Driver, Windows Kernel, Azure AI Foundry, Windows Win32k, Windows TCP/IP, Windows Cloud Files Mini Filter Driver — multiple privilege escalation issues across these components rated as exploitation more likely.
Microsoft Patch Tuesday for May 2026 fix 138 bugs, some of them are alarming
Microsoft’s May 2026 Patch Tuesday fixed 138 flaws, including 30 critical bugs, across Windows, Office, Azure, Edge, SQL Server, and more.
The affected products span virtually the entire Microsoft portfolio: Windows and its components, Office, Edge, Azure, .NET, Visual Studio, SQL Server, the various Copilot products, and, a detail that will raise an eyebrow or two, the Telnet client.
A critical flaw in the Windows DNS Client could let attackers remotely execute code by sending malicious DNS responses, without authentication or user interaction.
Because the DNS client runs on nearly all Windows systems, attackers using rogue DNS servers or man-in-the-middle attacks could silently compromise large enterprise networks.
A critical Windows Netlogon flaw could let unauthenticated attackers remotely execute code on domain controllers using crafted network requests.
Because it is potentially wormable, a successful attack could compromise an entire Windows domain, making it one of the most urgent patches in the latest security updates.
A use-after-free flaw in the Windows TCP/IP stack could theoretically allow unauthenticated remote code execution without user interaction, making it another potentially wormable issue.
CVE-2026-41089
(CVSS score of 9.8) — Windows Netlogon Remote Code Execution.
CVE-2026-41096
(CVSS not disclosed) — Windows DNS Client Remote Code Execution.
CVE-2026-40415
(CVSS not disclosed) — Windows TCP/IP Remote Code Execution.
Among Microsoft’s 138 patches this month, the most urgent fixes are for Netlogon, the Windows DNS Client, Dynamics 365, and Microsoft Word vulnerabilities.
Childs was especially intrigued by CVE-2026-41096, which he described as a “nasty-looking bug” in Microsoft Windows DNS that allows unauthorized attackers to run code remotely.
“No authentication or user interaction needed, and since the DNS Client runs on virtually every Windows machine, the attack surface is enormous.
Childs also described CVE-2026-41089, a Windows Netlogon defect that allows unauthenticated remote attackers to run code, as the “highest-impact bug that requires immediate patching,” adding that a “compromised domain controller is a compromised domain.”
Jack Bicer, director of vulnerability research at Action1, called out CVE-2026-42898, the critical vulnerability affecting Microsoft Dynamics 365.
Out of 31 "critical" entries, 16 are remote code execution (RCE) vulnerabilities in Microsoft Windows services and applications including Microsoft Office, Microsoft Word, Windows Native WiFi Miniport Driver, Azure, Office for Android, Microsoft Dynamics 365, Windows GDI, Microsoft SharePoint, Windows Graphics Component, Windows Netlogon, and Windows DNS Client.
Concurrent execution using a shared resource with improper synchronization ('race condition') in Windows Native WiFi Miniport Driver allows an unauthorized attacker to execute code over an adjacent network.
CVE-2026-35421 is a critical heap-based buffer overflow vulnerability in Windows GDI that allows an unauthorized attacker to execute code locally.
This action is necessary to trigger the affected graphics functionality in the Windows component.
CVE-2026-40403 is a critical heap-based buffer overflow vulnerability in Windows Win32K – GRFX that allows an authorized attacker to execute code locally.
CVE-2026-41089 is a critical stack-based buffer overflow in Windows Netlogon that allows an unauthorized attacker to execute code over a network.
An attacker could send a specially crafted network request to a Windows server that is acting as a domain controller.
CVE-2026-41096 is a critical heap-based overflow vulnerability in Windows DNS Client.
An attacker could exploit this vulnerability by sending a specially crafted DNS response to a vulnerable Windows system, causing the DNS Client to incorrectly process the response and corrupt memory.
Talos would also like to highlight the following "important" vulnerabilities as Microsoft has determined that their exploitation is "more likely:"
* CVE-2026-33835: Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
* CVE-2026-33837: Windows TCP/IP Local Elevation of Privilege Vulnerability
* CVE-2026-33840: Win32k Elevation of Privilege Vulnerability
* CVE-2026-33841: Windows Kernel Elevation of Privilege Vulnerability
* CVE-2026-35416: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
* CVE-2026-35417: Windows Win32k Elevation of Privilege Vulnerability
* CVE-2026-40369: Windows Kernel Elevation of Privilege Vulnerability
* CVE-2026-40397: Windows Common Log File System Driver Elevation of Privilege Vulnerability
* CVE-2026-40398: Windows Remote Desktop Services Elevation of Privilege Vulnerability
A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.
Below are the most notable CVEs fixed with Microsoft Patch Tuesday for May 2026:
* CVE-2026-42898 (CVSS score of 9.9) — Microsoft Dynamics 365 On-Premises Remote Code Execution.
“Compromise of Dynamics 365 infrastructure can expose customer records, operational workflows, financial information, and integrated business systems.
CVE-2026-40358 is a critical use after free vulnerability in Microsoft Office which allows an unauthorized attacker to execute code locally.
CVE-2026-40363 is a critical heap-based buffer overflow in Microsoft Office which allows an unauthorized attacker to execute code locally.
Access of resource using incompatible type ('type confusion') in Microsoft Office Word allows an unauthorized attacker to execute code locally.
CVE-2026-42831 is a critical heap-based buffer overflow vulnerability in Office for Android that allows an unauthorized attacker to execute code locally.
Intelligence Sources
* CyberScoop, 2026-05-12
* Talos Intelligence, 2026-05-12
* Infosecurity-Magazine, 2026-05-13: Microsoft Fixes 17 Critical Flaws in May Patch Tuesday
* Security Affairs, 2026-05-13
Incident Version History
CURRENT VERSION
Last Updated: 2026-06-15T10:16