The good news: no 0-days. The bad news: busy week ahead for Microsoft admins
Analysis Summary
Based on the May 2026 Patch Tuesday report, here is the summary of the most critical vulnerabilities identified.
# Vulnerability: May 2026 Microsoft Patch Tuesday Critical RCEs
Microsoft released 137 CVEs this month. While no zero-days were reported, 30 vulnerabilities are rated **Critical**, with 14 scoring 9.0 or higher. Many were discovered using Microsoft’s new AI bug-hunting system, MDASH.
---
## CVE Details
- **CVE ID:** CVE-2026-41096
- **CVSS Score:** 9.8 (Critical)
- **CWE:** Heap-based Buffer Overflow
## Affected Systems
- **Products:** Windows DNS Client
- **Versions:** Virtually all supported Windows versions (endpoints and servers).
- **Configurations:** Systems configured to resolve DNS queries (default behavior).
## Vulnerability Description
A heap-based buffer overflow exists in the Windows DNS Client. An attacker can send a specially crafted DNS response to a vulnerable system, leading to memory corruption and remote code execution (RCE).
## Exploitation
- **Status:** Not exploited in the wild (as of report date); PoC not publicly disclosed.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High
- **Integrity:** High
- **Availability:** High
---
## CVE Details
- **CVE ID:** CVE-2026-41089
- **CVSS Score:** 9.8 (Critical)
- **CWE:** Stack-based Buffer Overflow
## Affected Systems
- **Products:** Windows Netlogon
- **Versions:** Windows Server (acting as Domain Controllers).
- **Configurations:** Domain Controller role enabled.
## Vulnerability Description
A stack-based buffer overflow in the Netlogon service allows an unauthenticated attacker to execute code by sending a crafted network request to a Domain Controller. This is considered **wormable** as it requires no user interaction or credentials.
## Exploitation
- **Status:** Not exploited in the wild.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Full domain compromise)
- **Integrity:** High
- **Availability:** High
---
## CVE Details
- **CVE ID:** CVE-2026-42898
- **CVSS Score:** 9.9 (Critical)
- **CWE:** Improper Input Validation (Scope Change)
## Affected Systems
- **Products:** Microsoft Dynamics 365
- **Versions:** On-premises versions of Dynamics CRM/365.
- **Configurations:** Requires any authenticated user permission (non-admin).
## Vulnerability Description
An attacker with basic user permissions can modify the saved state of a process session. When the system processes this malicious data, it executes code with elevated privileges. This vulnerability involves a **Scope Change**, meaning the attacker can move beyond the Dynamics environment into the underlying server/infrastructure.
## Exploitation
- **Status:** Not exploited in the wild.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High
- **Integrity:** High
- **Availability:** High
---
## Remediation
### Patches
- Apply the **May 2026 Security Updates** via Windows Update or Windows Server Update Services (WSUS).
- Priority should be given to Domain Controllers (CVE-2026-41089) and Microsoft Dynamics 365 On-Premises (CVE-2026-42898).
### Workarounds
- **For Azure DevOps (CVE-2026-42826):** No action required; Microsoft has mitigated this on the service side.
- **General:** Restrict DNS traffic to trusted recursive resolvers and use network segmentation to protect Domain Controllers.
## Detection
- **Indicators of Compromise:** Monitor for unusual outbound DNS traffic and for crashes involving `dnsapi.dll` or the Netlogon service.
- **Detection methods:** Use vulnerability scanners to identify missing May 2026 patches. Monitor Domain Controllers for unauthorized RPC calls to the Netlogon interface.
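
One way to run the crash check from the Detection list, as an added example that is not part of the original report: it searches the Application log for Application Error records (Event ID 1000) whose faulting module is `dnsapi.dll` or `netlogon.dll`. The `netlogon.dll` module name, the 7-day window, the host list and the function name `Get-ModuleCrash` are assumptions made for illustration.

```powershell
# Added example (not from the report): list crash records whose faulting
# module matches the components named in the Detection section.
# Assumptions: netlogon.dll as the Netlogon module, a 7-day look-back,
# and the placeholder host list below.
$Modules   = @('dnsapi.dll', 'netlogon.dll')
$Computers = @('localhost')          # placeholder: replace with DC / server names
$Since     = (Get-Date).AddDays(-7)

function Get-ModuleCrash {
    param([string[]]$ComputerName, [string[]]$ModuleName, [datetime]$StartTime)

    $filter = @{
        LogName      = 'Application'
        ProviderName = 'Application Error'
        Id           = 1000
        StartTime    = $StartTime
    }
    foreach ($computer in $ComputerName) {
        try {
            $events = Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # Get-WinEvent errors when nothing matches; only warn on other failures
            if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
                Write-Warning "$computer : $($_.Exception.Message)"
            }
            continue
        }
        foreach ($e in $events) {
            # Event 1000 payload: [0] application, [3] faulting module, [6] exception code
            $module = [string]$e.Properties[3].Value
            if ($ModuleName -contains $module.ToLower()) {
                [pscustomobject]@{
                    Computer      = $computer
                    TimeCreated   = $e.TimeCreated
                    Application   = $e.Properties[0].Value
                    Module        = $module
                    # c0000374 = heap corruption, c0000409 = stack buffer overrun
                    ExceptionCode = $e.Properties[6].Value
                }
            }
        }
    }
}

Get-ModuleCrash -ComputerName $Computers -ModuleName $Modules -StartTime $Since |
    Sort-Object Computer, TimeCreated |
    Format-Table -AutoSize
```

A hit is a lead for triage, not proof of exploitation; correlate it with the patch state of the host and with network telemetry for the same time window.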
## References
- **Microsoft Security Update Guide:** hxxps[://]msrc[.]microsoft[.]com/update-guide/releaseNote/2026-May
- **ZDI Blog:** hxxps[://]www[.]zerodayinitiative[.]com/blog/2026/5/12/the-may-2026-security-update-review
- **MSRC Blog:** hxxps[://]www[.]microsoft[.]com/en-us/msrc/blog/2026/05/a-note-on-patch-tuesday