Microsoft has released its May 2026 Patch Tuesday update, addressing a significant total of 138 security vulnerabilities across its product range. While none of the flaws were publicly disclosed or actively exploited at the time of release, the update includes 30 critical vulnerabilities, with several posing serious risks, particularly concerning remote code execution in core Windows components like DNS and Netlogon.

Key Takeaways

• A total of 138 vulnerabilities were patched, with 30 rated Critical.

• Critical RCE flaws were found in Windows DNS Client and Windows Netlogon.

• Microsoft Dynamics 365 and Microsoft Word also have critical vulnerabilities.

• AI played a significant role in discovering a portion of these vulnerabilities.

• A mandatory update for Windows Secure Boot certificates is also required before June 26, 2026.

Critical Vulnerabilities Requiring Immediate Attention

Among the 138 vulnerabilities patched, several stand out due to their severity and potential impact. The Windows DNS Client is affected by CVE-2026-41096, a critical heap-based buffer overflow flaw that could allow an unauthenticated attacker to execute code remotely by sending a specially crafted DNS response. Similarly, CVE-2026-41089, a critical stack-based buffer overflow in Windows Netlogon, allows unauthenticated attackers to execute code on domain controllers with a CVSS score of 9.8, and is considered potentially wormable.

Microsoft Dynamics 365 (on-premises) is also impacted by a critical code injection vulnerability (CVE-2026-42898) with a CVSS score of 9.9, which includes a scope change, allowing attackers to affect resources beyond the targeted component. Additionally, two vulnerabilities in Microsoft Word (CVE-2026-40361 and CVE-2026-40364) can be exploited through the Preview Pane without requiring users to open a malicious document.

Other Notable Vulnerabilities

The update also includes a range of other significant vulnerabilities, such as an exposure of sensitive information in Azure DevOps (CVE-2026-42826), improper access control in Azure Managed Instance for Apache Cassandra (CVE-2026-33109), and privilege escalation in Azure Logic Apps (CVE-2026-42823).

The Role of AI in Vulnerability Discovery

Microsoft highlighted that a notable portion of the vulnerabilities addressed in this Patch Tuesday were discovered through its new AI-driven vulnerability discovery system, codenamed MDASH. This indicates a growing trend where artificial intelligence is accelerating the pace of vulnerability identification, leading to larger Patch Tuesday releases. Microsoft advises organizations to adapt their patching cadences and risk management strategies to keep pace with this evolving landscape.

Secure Boot Certificate Update

In addition to the CVE fixes, organizations are strongly advised to update their Windows Secure Boot certificates to their 2023 counterparts before the June 26, 2026 deadline. Failure to do so could result in catastrophic boot-level security failures or degraded security states.

Sources

• Microsoft Patches 138 Vulnerabilities, Including DNS and Netlogon RCE Flaws, The Hacker News.

• Microsoft Patch Tuesday for May 2026 fix 138 bugs, some of them are alarming, Security Affairs.