Microsoft has released fixes for 138 security vulnerabilities across its product ecosystem as part of the May 2026 Patch Tuesday rollout. While none of the vulnerabilities are currently known to be actively exploited in the wild, security experts are urging organizations to prioritize patching due to the number of critical flaws affecting core enterprise services.
Among the vulnerabilities addressed, 30 are classified as Critical, 104 as Important, three as Moderate, and one as Low severity. The largest category includes 61 privilege escalation flaws, followed by 32 remote code execution (RCE) bugs, 15 information disclosure issues, 14 spoofing vulnerabilities, eight denial-of-service flaws, six security feature bypasses, and two tampering-related bugs.
AMD CPU Vulnerability Also Addressed
The update cycle also includes a vulnerability previously patched by AMD, tracked as CVE-2025-54518 with a CVSS score of 7.3. The flaw impacts Zen 2-based processors and stems from improper isolation of shared resources within the CPU operation cache.
According to AMD, the issue could allow attackers to corrupt instructions executed at different privilege levels, potentially leading to privilege escalation attacks.
Additionally, Microsoft’s update incorporates fixes for 127 Chromium vulnerabilities, which also affect the Chromium-based Microsoft Edge browser.
Critical Windows DNS Flaw Allows Remote Code Execution
One of the most serious issues patched this month is CVE-2026-41096, a heap-based buffer overflow vulnerability in Windows DNS carrying a CVSS score of 9.8.
Microsoft warned that attackers could exploit the flaw by sending specially crafted DNS responses to vulnerable systems.
“An attacker could exploit this vulnerability by sending a specially crafted DNS response to a vulnerable Windows system, causing the DNS Client to incorrectly process the response and corrupt memory,” Microsoft explained.
Under certain configurations, successful exploitation could allow remote code execution without authentication.
Other High-Severity Vulnerabilities Fixed
Microsoft also resolved several additional critical vulnerabilities affecting Azure services, Dynamics 365, Windows components, and enterprise collaboration tools.
Key Vulnerabilities Include:
CVE-2026-42826 – Azure DevOps Information Disclosure (CVSS 10.0)
An exposure of sensitive information vulnerability in Azure DevOps that could allow unauthorized attackers to access data over a network. Microsoft noted that no customer action is required.
CVE-2026-33109 – Azure Managed Instance for Apache Cassandra (CVSS 9.9)
An improper access control flaw that allows authenticated attackers to execute code remotely.
CVE-2026-42898 – Microsoft Dynamics 365 Code Injection (CVSS 9.9)
A critical code injection issue affecting on-premises Dynamics 365 deployments that could enable authenticated attackers to execute arbitrary code over the network.
CVE-2026-41089 – Windows Netlogon Remote Code Execution (CVSS 9.8)
A stack-based buffer overflow in Windows Netlogon that can be exploited remotely against domain controllers without authentication.
CVE-2026-40402 – Windows Hyper-V Privilege Escalation (CVSS 9.3)
A use-after-free vulnerability that may allow attackers to gain SYSTEM privileges and compromise the Hyper-V host environment.
CVE-2026-41103 – Microsoft SSO Plugin for Jira & Confluence (CVSS 9.1)
An authentication flaw that could allow attackers to impersonate legitimate users and gain unauthorized access to Jira or Confluence environments.
Security researchers highlighted the severity of this issue due to its potential to bypass identity protections and compromise enterprise collaboration platforms.
Dynamics 365 Vulnerabilities Raise Enterprise Concerns
Researchers also expressed concern over vulnerabilities affecting Microsoft Dynamics 365 infrastructure.
Jack Bicer, Director of Vulnerability Research at Action1, noted that CVE-2026-42898 could allow low-privileged authenticated users to execute arbitrary code remotely without requiring user interaction.
Because Dynamics 365 environments are often integrated with identity systems, databases, and enterprise applications, a successful attack could lead to broader organizational compromise, exposure of customer records, operational disruption, and lateral movement across corporate infrastructure.
Microsoft Warns About Secure Boot Certificate Deadline
In addition to vulnerability patches, Microsoft is urging organizations to update Windows Secure Boot certificates before the expiration of certificates issued in 2011.
The company previously announced the certificate migration initiative in November 2025, with the transition deadline set for June 26, 2026.
Security experts warn that systems failing to update their Secure Boot trust anchors before the deadline could experience serious boot-level security failures or degraded protection mechanisms.
Organizations are encouraged to verify that all managed devices successfully rotate to the newer 2023 Secure Boot certificates well before the cutoff date.
Over 500 Microsoft CVEs Patched in 2026 So Far
According to Tenable researcher Satnam Narang, Microsoft has already patched more than 500 CVEs within the first five months of 2026.
The increase reflects a broader industry trend driven by AI-assisted vulnerability discovery and automated security research.
Microsoft revealed that 16 vulnerabilities fixed this month were identified using its internal AI-powered vulnerability discovery platform called MDASH (Multi-Model Agentic Scanning Harness).
Tom Gallagher, Vice President of Engineering at the Microsoft Security Response Center (MSRC), stated that AI investments are accelerating the discovery of vulnerabilities across Windows networking and authentication components.
Microsoft Advises Faster, More Disciplined Patching
Microsoft emphasized that the growing speed and scale of vulnerability discovery requires organizations to modernize their patch management strategies.
The company recommends:
- Staying current with supported operating systems and software
- Prioritizing patches based on exposure and business impact
- Reducing unnecessary internet-facing services
- Eliminating legacy authentication methods
- Enabling multi-factor authentication (MFA)
- Enforcing stronger access controls
- Segmenting environments to contain incidents
- Investing in detection and response capabilities
Microsoft concluded by warning that while cybersecurity fundamentals remain the same, organizations must adapt to a faster-moving threat landscape shaped increasingly by AI-driven vulnerability research.
