Microsoft has released security updates addressing 138 vulnerabilities across its product ecosystem as part of its May 2026 Patch Tuesday cycle, covering a wide range of issues spanning Windows, Azure services, enterprise applications, and core authentication components. According to the advisory, none of the vulnerabilities patched this month have been reported as publicly known or actively exploited at the time of release. The update includes 30 Critical-rated flaws, 104 Important, three Moderate, and one Low-severity vulnerability. Microsoft also categorized the issues into 61 privilege escalation vulnerabilities, 32 remote code execution flaws, 15 information disclosure issues, 14 spoofing vulnerabilities, eight denial of service problems, six security feature bypass cases, and two tampering flaws, reflecting the broad scope of security challenges addressed in this release.
Among the most significant issues addressed is CVE-2026-41096, a critical heap-based buffer overflow vulnerability in Windows DNS with a CVSS score of 9.8. The flaw could allow an unauthorized attacker to execute remote code by sending a specially crafted DNS response that causes memory corruption in the DNS Client service. Microsoft explained that under certain system configurations, this could lead to remote code execution without authentication. Another high-severity issue is CVE-2026-41089 affecting Windows Netlogon, which involves a stack-based buffer overflow that could allow unauthenticated attackers to execute code over a network by sending malicious requests to a Windows server acting as a domain controller. The Netlogon flaw is considered especially critical due to its potential impact on enterprise identity infrastructure and domain-level security.
The update also includes multiple high-risk vulnerabilities across Microsoft Azure and enterprise services, including CVE-2026-42826 in Azure DevOps, which exposes sensitive information to unauthorized actors, and CVE-2026-42823 in Azure Logic Apps, which could allow privilege escalation. Additional issues include CVE-2026-33109 in Azure Managed Instance for Apache Cassandra, CVE-2026-42898 in Microsoft Dynamics 365 on-premises, involving code injection, and CVE-2026-40379 in Azure Entra ID, involving identity spoofing. Security researchers also highlighted CVE-2026-40402 in Windows Hyper-V, which could allow SYSTEM-level privilege escalation, as well as authentication and access control flaws impacting Microsoft Teams, Azure SDK, and Microsoft SSO Plugin for Jira and Confluence. Security analysts noted that several of these vulnerabilities require no customer action, while others present serious enterprise risk due to their potential to expose operational workflows, identity systems, and sensitive business data.
Microsoft also addressed a vulnerability originally patched by AMD, CVE-2025-54518, related to improper isolation of shared CPU cache resources in Zen 2-based processors, which could lead to privilege escalation. In addition, 127 security flaws previously fixed in Chromium were included in this cycle, impacting Microsoft Edge as part of its shared browser base. Security experts, including those from Rapid7, Action1, Nightwing, and Tenable, highlighted concerns about enterprise exposure, especially in systems running Microsoft Dynamics 365 and identity services connected to Azure environments. Microsoft further emphasized the importance of updating Windows Secure Boot certificates to the 2023 version ahead of the June 26, 2026 deadline, warning that outdated certificates could lead to boot-level security failures or degraded system security states. The company also noted increasing use of AI-assisted vulnerability discovery through its multi-model MDASH system, which contributed to identifying several of this month’s flaws, reflecting a growing role of artificial intelligence in accelerating vulnerability detection and patch development across its security ecosystem.