Pierluigi Paganini May 13, 2026

Microsoft’s May 2026 Patch Tuesday fixed 138 flaws, including 30 critical bugs, across Windows, Office, Azure, Edge, SQL Server, and more.

Microsoft’s May 2026 Patch Tuesday patched 138 vulnerabilities in a single release. That is a number that gives pause even for people accustomed to these cycles.

The affected products span virtually the entire Microsoft portfolio: Windows and its components, Office, Edge, Azure, .NET, Visual Studio, SQL Server, the various Copilot products, and, a detail that will raise an eyebrow or two, the Telnet client. Curiously, in 2026, the Telnet client still needs a security patch.

30 of these bugs are rated Critical. The rest range from Important down to Moderate and Low. None of them, at the time of release, were listed as publicly known or already being exploited in the wild. That is worth something, even if it is not a reason to relax.

It is also worth noting that this wave of fixes lands just days before Pwn2Own Berlin, the international competition where security researchers race to find and exploit vulnerabilities in widely used systems. Vendors routinely accelerate their release cycles ahead of the event to shrink the exposed surface. The unusually high volume of submissions this month likely also reflects the growing role of AI in vulnerability research, even if only in drafting the reports.

Here are the bugs that deserve immediate attention, followed by a broader list of the most significant flaws this month.

A critical flaw in the Windows DNS Client could let attackers remotely execute code by sending malicious DNS responses, without authentication or user interaction. Because the DNS client runs on nearly all Windows systems, attackers using rogue DNS servers or man-in-the-middle attacks could silently compromise large enterprise networks.

A critical Windows Netlogon flaw could let unauthenticated attackers remotely execute code on domain controllers using crafted network requests. The bug requires no credentials or user interaction and carries a CVSS score of 9.8. Because it is potentially wormable, a successful attack could compromise an entire Windows domain, making it one of the most urgent patches in the latest security updates.

A critical code injection flaw in Microsoft Dynamics 365 On-Premises received a rare CVSS score of 9.9. The vulnerability includes a scope change, meaning attackers could impact resources beyond the targeted component after successful exploitation. Because such flaws are uncommon and potentially severe, organizations running on-premises Dynamics 365 should prioritize patching immediately.

A use-after-free flaw in the Windows TCP/IP stack could theoretically allow unauthenticated remote code execution without user interaction, making it another potentially wormable issue. However, exploitation would require sustained memory pressure on the target system, which makes real-world attacks less likely. Microsoft also patched two Word vulnerabilities that can trigger simply through the Preview Pane, without users opening a malicious document. Security researchers say patching remains the most effective defense against these threats.

Below are the most Notable CVEs fixed with Microsoft Patch Tuesday for May 2026:

• CVE-2026-42898 (CVSS score of 9.9) — Microsoft Dynamics 365 On-Premises Remote Code Execution. Code injection with scope change; any authenticated user can break out and affect resources beyond the vulnerable component.
• CVE-2026-41089 (CVSS score of 9.8) — Windows Netlogon Remote Code Execution. Stack-based buffer overflow allowing unauthenticated RCE on domain controllers. Wormable. Patch immediately.
• CVE-2026-41096 (CVSS not disclosed) — Windows DNS Client Remote Code Execution. Heap overflow triggered by a malicious DNS response. No authentication or user interaction required. Enormous attack surface.
• CVE-2026-40415 (CVSS not disclosed) — Windows TCP/IP Remote Code Execution. Use-after-free in the TCP/IP stack; unauthenticated, no user interaction, technically wormable but requires rare memory pressure conditions.
• CVE-2026-41103 (CVSS Critical) — Microsoft SSO Plugin for Jira & Confluence Elevation of Privilege. Incorrect implementation of the authentication algorithm; rated as exploitation more likely.
• CVE-2026-40364 (CVSS score of 8.4) — Microsoft Word Remote Code Execution. Type confusion bug; exploitable via Preview Pane without opening the document.
• CVE-2026-40361 (CVSS score of 8.4) — Microsoft Word Remote Code Execution. Use-after-free; same Preview Pane attack vector as above, no file interaction required.
• CVE-2026-41103 class (CVSS High) — Windows Remote Desktop, Windows Common Log File System Driver, Windows Kernel, Azure AI Foundry, Windows Win32k, Windows TCP/IP, Windows Cloud Files Mini Filter Driver — multiple privilege escalation issues across these components rated as exploitation more likely.

Among Microsoft’s 138 patches this month, the most urgent fixes are for Netlogon, the Windows DNS Client, Dynamics 365, and Microsoft Word vulnerabilities. Security experts recommend prioritizing these flaws due to their high impact and low user interaction requirements, while applying the remaining updates as quickly as possible through normal patch cycles.

The full list of CVEs addressed by Microsoft Patch Tuesday for May 2026 is available here.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Patch Tuesday)