Microsoft Patches 138 Vulnerabilities, Including Critical DNS and Netlogon Flaws

Microsoft’s biggest Patch Tuesday of the year lands with 138 fixes

Microsoft released its May 2026 Patch Tuesday on Tuesday, bundling fixes for 138 vulnerabilities across Windows, Azure, Office, and a handful of third‑party components. While none of the flaws are currently being exploited in the wild, the sheer volume—30 Critical, 104 Important, three Moderate, and one Low—makes this the most consequential update cycle of the year.

What’s most dangerous?

Severity	Count	Notable CVEs
Critical	30	CVE‑2026‑41096 – Windows DNS heap overflow (9.8)
		CVE‑2026‑41089 – Netlogon stack overflow (9.8)
		CVE‑2026‑42826 – Azure DevOps information exposure (10.0)
Important	104	CVE‑2026‑33109 – Azure Managed Instance for Apache Cassandra access control (9.9)
		CVE‑2026‑42898 – Dynamics 365 code injection (9.9)
		CVE‑2026‑42823 – Azure Logic Apps privilege escalation (9.9)
Moderate	3	–
Low	1	–

DNS heap overflow (CVE‑2026‑41096)

Microsoft describes the flaw as a heap‑based buffer overflow in the Windows DNS client. An attacker who can inject a crafted DNS response into the network can corrupt memory and execute arbitrary code without any authentication. The vulnerability scores a 9.8 on the CVSS scale, placing it on par with the historic PrintNightmare and Zerologon bugs.

“An attacker could exploit this vulnerability by sending a specially crafted DNS response to a vulnerable Windows system, causing the DNS Client to incorrectly process the response and corrupt memory,” the Microsoft Security Response Center (MSRC) said.

Netlogon stack overflow (CVE‑2026‑41089)

The Netlogon service, which authenticates domain‑joined machines, contains a stack‑based buffer overflow that can be triggered by a malformed authentication request. Successful exploitation grants remote code execution on a domain controller, even when the attacker has no valid credentials. This flaw also scores 9.8.

“This critical elevation of privilege vulnerability allows an unauthorized attacker to impersonate an existing user by presenting forged credentials, thus bypassing Entra ID,” noted Adam Barnett, lead software engineer at Rapid7.

Other high‑impact fixes

• CVE‑2026‑42826 (10.0) – Azure DevOps exposure that leaks project metadata to unauthenticated actors.
• CVE‑2026‑33109 (9.9) – Improper access control in Azure Managed Instance for Apache Cassandra, enabling remote code execution for authorized users.
• CVE‑2026‑42898 (9.9) – Code injection in Dynamics 365 on‑premises that lets a low‑privilege attacker run arbitrary commands.
• CVE‑2026‑42823 (9.9) – Azure Logic Apps privilege‑escalation path.
• CVE‑2026‑33823 (9.6) – Teams information disclosure.
• CVE‑2026‑35428 (9.6) – Command injection in Azure Cloud Shell.
• CVE‑2026‑40379 (9.3) – Entra ID spoofing.
• CVE‑2026‑40402 (9.3) – User‑after‑free in Hyper‑V that grants SYSTEM on the host.
• CVE‑2026‑41103 (9.1) – Flawed SSO plugin for Jira & Confluence that lets attackers hijack accounts.
• CVE‑2026‑33117 (9.1) – Azure SDK bypass of a security feature.
• CVE‑2026‑40361 / 40364 (8.4) – Use‑after‑free and type‑confusion bugs in Office Word that enable local code execution without user interaction.

Expert takeaways

• Rapid7’s Adam Barnett highlighted the Netlogon issue as a “critical elevation of privilege” that could be chained with other Azure AD weaknesses to fully compromise a tenant.
• Action1’s Jack Bicer warned that the Dynamics 365 flaw (CVE‑2026‑42898) “allows an authenticated attacker with low privileges to run arbitrary code over the network,” potentially exposing customer records and downstream services.
• Nightwing’s Rain Baker reminded organizations to rotate Secure Boot certificates before the June 26 2026 deadline, or risk boot‑level security failures.
• Tenable’s Satnam Narang pointed out that Microsoft has already patched over 500 CVEs in the first five months of 2026, a trend driven by AI‑assisted discovery.

The AI factor: Microsoft’s MDASH

Microsoft disclosed that 16 of the 138 flaws were found by its new MDASH (Multi‑model Agentic Scanning Harness) platform, an AI‑driven system that scans source code, binaries, and configuration artifacts across the product stack. Tom Gallagher, VP of Engineering at MSRC, said:

“In this month’s release, a greater share of the issues addressed were discovered by Microsoft, compared to prior months. Many of these were surfaced through AI investments and investigations across our engineering and research teams."

The shift toward AI‑generated findings means the volume of patches will likely keep rising, putting pressure on organizations to prioritize by impact, not by raw count.

What you should do now

1. Deploy the May updates immediately on all supported Windows 10/11, Server 2016‑2022, and Azure workloads.
2. Validate Secure Boot certificate rotation – ensure devices receive the 2023 certificates before the June 26 deadline.
3. Review network exposure – block inbound DNS traffic from untrusted sources and restrict Netlogon traffic to known domain controllers.
4. Enable MFA and conditional access for Azure AD, especially for accounts that can manage Dynamics 365 or Logic Apps.
5. Segment critical services – isolate DNS, Netlogon, and Azure management endpoints on separate VLANs or micro‑segments.
6. Leverage Microsoft Defender for Cloud to surface any lingering exposure to the newly patched CVEs.

Bottom line

May’s Patch Tuesday underscores how quickly the attack surface can expand when core services like DNS and Netlogon are involved. While the flaws aren’t being exploited yet, the severity scores and the potential for lateral movement demand rapid remediation. Coupled with the upcoming Secure Boot certificate change, organizations that treat this update as a single‑click operation risk leaving a wide attack corridor open.

Stay ahead of the curve: keep your patch cadence tight, automate deployment where possible, and continuously reassess exposure based on the most recent CVE data.

---

For full CVE details, see the Microsoft Security Update Guide: https://msrc.microsoft.com/update-guide