Microsoft Fixes 137 Flaws Led by Netlogon, DNS Client, and Dynamics 365 RCEs
Microsoft released fixes for 137 vulnerabilities across Windows, Azure, Microsoft 365, developer tools, and AI-related products, with no zero-days reported as exploited in the wild. The most urgent issues included a wormable pre-auth remote code execution flaw in Windows Netlogon (CVE-2026-41089), an unauthenticated RCE in the Windows DNS Client (CVE-2026-41096) that can be triggered through crafted DNS responses, and a remote code execution bug in Microsoft Dynamics 365 on-premises (CVE-2026-42898). Microsoft also patched an authenticated SharePoint Server RCE (CVE-2026-40365), multiple Microsoft Word Preview Pane RCEs, and a critical authentication bypass in the Microsoft SSO Plugin for Jira & Confluence (CVE-2026-41103).
The release was notable for its severity, with reports citing 16 to 30 critical vulnerabilities depending on classification, and 14 flaws scoring 9.0 or higher, including an Azure DevOps information disclosure issue rated CVSS 10.0 that Microsoft said had already been fully mitigated. Elevation-of-privilege bugs made up the largest share of fixes, spanning the Windows kernel, Win32k, TCP/IP, SMB Client, Print Spooler, and other core components; two locally exploitable issues, including Windows Print Spooler (CVE-2026-34342) and Windows Message Queueing (CVE-2026-33838), were publicly disclosed alongside patches. Microsoft said its AI-driven bug-finding system MDASH identified 16 of the vulnerabilities, and it separately warned enterprises to complete Secure Boot certificate updates before June 26, 2026, while noting a BitLocker Recovery issue on some Windows Server 2025 systems with an unrecommended Group Policy setting.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
11 events from the most recent confirmed update back to the earliest known activity.
Microsoft says MDASH found 16 May Patch Tuesday vulnerabilities
Microsoft disclosed that its AI-based MDASH bug-hunting system identified 16 of the vulnerabilities included in the May 2026 Patch Tuesday release.
Microsoft warns enterprises to update Secure Boot certificates by June 26
In conjunction with the May 2026 Patch Tuesday guidance, Microsoft reminded organizations of a deadline to apply Secure Boot certificate updates by June 26, 2026, and also noted a BitLocker Recovery issue affecting some Windows Server 2025 systems with an unrecommended Group Policy setting.
Microsoft highlights critical wormable and unauthenticated RCE risks
Coverage of the May 2026 release identified the most urgent patched issues as a wormable Windows Netlogon RCE affecting domain controllers, an unauthenticated Windows DNS Client RCE, and a Dynamics 365 on-premises RCE.
Public disclosure issued for Windows Print Spooler LPE
ZDI publicly disclosed CVE-2026-34342 on the same day Microsoft released a patch, describing a race condition in splwow64.exe that could let a low-privileged attacker escalate privileges.
Public disclosure issued for Windows Message Queueing LPE
ZDI publicly disclosed CVE-2026-33838 on the same day Microsoft released a fix, describing a double-free flaw in the mqac.sys driver that could lead to kernel-level code execution from low privileges.
Microsoft fully mitigates Azure DevOps information disclosure flaw
As part of the May 2026 release, Microsoft said it had already fully mitigated a CVSS 10.0 Azure DevOps information disclosure vulnerability before or at disclosure time.
Microsoft releases May 2026 Patch Tuesday updates
Microsoft issued its May 2026 Patch Tuesday security updates, fixing 137 vulnerabilities across Windows, Office, Azure, developer tools, AI products, and server components. Microsoft said no zero-days were publicly disclosed before release or known to be exploited in the wild.
Microsoft publishes Edge vulnerability advisories ahead of Patch Tuesday
Microsoft posted Security Update Guide entries for several Edge and Edge for Android issues, including CVE-2026-41107, CVE-2026-42891, CVE-2026-42838, and CVE-2026-35429.
Microsoft publishes advisory for Dynamics 365 Customer Insights flaw
Microsoft's Security Update Guide published CVE-2026-33821, an elevation of privilege vulnerability in Microsoft Dynamics 365 Customer Insights, ahead of the broader May Patch Tuesday release.
ZDI reports Windows Print Spooler LPE to Microsoft
Researcher Marcin Wiazowski reported CVE-2026-34342, a Windows Print Spooler local privilege escalation vulnerability, to Microsoft through ZDI.
ZDI reports Windows Message Queueing LPE to Microsoft
Zero Day Initiative reported CVE-2026-33838, a local privilege escalation flaw in Microsoft Windows Message Queueing, to Microsoft for coordinated disclosure.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
46 references tracked. Mallory keeps watching after this page renders.
Windows DNS Client Vulnerability Enables Remote Code Execution Attacks
cybersecuritynews.com
Open sourceMicrosoft Patch Tuesday - May 2026 - TheCyberThrone
thecyberthrone.in
Open sourceDoozy of a Patch Tuesday includes 30 critical Microsoft CVEs
theregister.com
Open sourcePatch Tuesday: May 2026 (Expel’s version) | Expel
expel.com
Open sourceCVE-2026-35429 - Security Update Guide - Microsoft - Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability
msrc.microsoft.com
Open sourceCVE-2026-33821 - Security Update Guide - Microsoft - Microsoft Dynamics 365 Customer Insights Elevation of Privilege Vulnerability
msrc.microsoft.com
Open sourceZDI-26-310 | Zero Day Initiative
zerodayinitiative.com
Open sourceZDI-26-309 | Zero Day Initiative
zerodayinitiative.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Microsoft fixes critical Windows DNS, Netlogon, SharePoint, and Dynamics flaws
Microsoft’s May 2026 Patch Tuesday resolved between **120 and 137 vulnerabilities** across Windows, Office, networking services, Hyper-V, SharePoint Server, and Microsoft Dynamics 365 on-premises, including **17 to 30 critical flaws**. Microsoft said the release contained **no publicly disclosed or actively exploited zero-days**, but multiple high-risk issues affected core enterprise infrastructure. Notable vulnerabilities included unauthenticated remote code execution in **Windows Netlogon** (`CVE-2026-41089`) and the **Windows DNS Client** (`CVE-2026-41096`), a **Hyper-V guest-to-host escape**, a SharePoint Server RCE (`CVE-2026-40365`), and a **Dynamics 365 on-premises** RCE (`CVE-2026-42898`) rated **CVSS 9.9**. The update also addressed Office and endpoint attack paths, including Microsoft Word flaws and `CVE-2026-35421`, which could allow code execution through malicious **EMF** files opened in Microsoft Paint via Windows GDI. Security researchers said organizations should prioritize patching **domain controllers**, **DNS-exposed Windows systems**, **on-premises collaboration platforms**, and **user endpoints** because of their exposure and likely exploitability. Alongside the security fixes, Microsoft issued mandatory Windows 11 cumulative updates **KB5089549** and **KB5087420** for versions **25H2, 24H2, and 23H2**, adding platform changes such as File Explorer, accessibility, storage, printing, and secure batch file processing improvements.
May 25, 2026
Microsoft Patches 137 Flaws, Highlighting Word Preview Pane and Netlogon RCE Risks
Microsoft released its May Patch Tuesday updates fixing 137 vulnerabilities across Windows, Office, Azure, Dynamics 365, SharePoint, Copilot, and other products, with no actively exploited zero-days or publicly disclosed flaws reported at release. The update included multiple high-severity remote code execution bugs, notably Microsoft Word flaws `CVE-2026-40361` and `CVE-2026-40364`, which can be triggered through the Preview Pane by sending a malicious document, as well as `CVE-2026-42898` in Microsoft Dynamics 365 On-Premises, `CVE-2026-42823` in Azure Logic Apps, and `CVE-2026-33109` in Azure Managed Instance for Apache Cassandra. Researchers also flagged `CVE-2026-41089` in Windows Netlogon and `CVE-2026-41096` in Windows DNS Client as especially urgent because they expose broadly deployed enterprise infrastructure to remote compromise. Microsoft’s Windows 11 cumulative updates, including `KB5089549` and `KB5087420`, delivered many of the security fixes alongside reliability and usability improvements, and Microsoft said it was not aware of new issues with the release. Coverage and advisories also showed the breadth of the month’s attack surface, with additional fixes for SharePoint Server remote code execution, Office Click-to-Run privilege escalation, Hyper-V guest-to-host escalation, Teams spoofing, Outlook for iOS tampering, and several Copilot and Visual Studio Code vulnerabilities. Security researchers said the growing volume of Microsoft disclosures may reflect increased AI-assisted vulnerability discovery, while defenders were urged to prioritize patching domain controllers, DNS-exposed Windows systems, Office deployments, and internet-facing enterprise applications.
May 25, 2026
Microsoft Patches 163 Flaws Including Exploited SharePoint Bug and Defender Zero-Day
Microsoft released fixes for **163 vulnerabilities** in its April Patch Tuesday update, marking one of its largest security releases on record. The bundle includes **8 Critical** flaws, **154 Important** issues, and **1 Moderate** bug, with seven of the Critical vulnerabilities enabling remote code execution across products and components including **Windows TCP/IP**, **Windows IKE Service Extensions**, **Active Directory**, **Remote Desktop Client**, **Microsoft Office**, and **Microsoft Word**. Belgian authorities urged organizations to apply the updates immediately. The most urgent issues include **`CVE-2026-32201`**, an actively exploited **Microsoft SharePoint Server** vulnerability that was added to CISA’s Known Exploited Vulnerabilities catalog, and **`CVE-2026-33825`** in **Microsoft Defender**, a publicly disclosed zero-day tied to proof-of-concept code associated with the **BlueHammer** exploit. Microsoft also shipped Windows 11 cumulative updates with security hardening changes, including safer handling of **`.rdp`** files and improved visibility into **Secure Boot** certificates, while the broader patch set addressed numerous elevation-of-privilege and security feature bypass flaws that could support post-compromise escalation.
Apr 22, 2026