top of page

Microsoft's May 2026 Patch Tuesday Fixes 138 Bugs, Some Alarming

  • May 13
  • 4 min read

Key Findings


  • Microsoft's May 2026 Patch Tuesday addressed 138 vulnerabilities across its entire product portfolio, including 30 critical flaws

  • 16 of the patched vulnerabilities were discovered by Microsoft's new MDASH AI system, marking a significant shift in how security threats are identified

  • Four of the AI-discovered flaws are critical remote code execution bugs in Windows

  • No vulnerabilities were publicly disclosed or actively exploited at time of release

  • The release coincides with preparations for Pwn2Own Berlin security competition

  • Notable critical flaws include Windows DNS Client, Windows Netlogon, and Microsoft Dynamics 365 vulnerabilities with CVSS scores as high as 9.9


Background


Microsoft continues its monthly patching cycle with May 2026 representing a particularly significant month for the company's security operations. The sheer volume of fixes—138 vulnerabilities—reflects both the expanding Microsoft ecosystem and growing sophistication in vulnerability discovery methods. The timing ahead of Pwn2Own Berlin suggests vendors are accelerating releases to reduce their exposure window before security researchers converge on the competition. What makes this month unusual is the explicit role AI played in finding nearly a dozen of these bugs, signaling a fundamental shift in how organizations approach vulnerability research.


The AI Discovery Breakthrough


Microsoft's new MDASH system represents a departure from traditional security research. The multi-model agentic scanning harness orchestrates over 100 specialized AI agents, each assigned specific roles like auditor, debater, deduplicator, or prover. The system is deliberately adversarial—when one agent flags suspicious code, another argues against it, and findings only advance if they survive this cross-examination. This design kills false positives before they waste human engineer time. Microsoft's CEO Satya Nadella highlighted that MDASH delivered top performance on the CyberGym benchmark, and the company is now offering private preview access to customers. The discovery of 16 vulnerabilities through AI suggests this approach scales beyond what human-only teams can accomplish.


The Most Alarming Flaws


Several vulnerabilities demand immediate attention from administrators. The Windows Netlogon flaw carries a CVSS score of 9.8 and could allow unauthenticated attackers to remotely execute code on domain controllers through crafted network requests. Because it requires no credentials or user interaction and is potentially wormable, a successful attack could compromise an entire Windows domain. The Windows DNS Client vulnerability allows remote code execution through malicious DNS responses without authentication or user interaction. With the DNS client running on nearly all Windows systems, attackers using rogue DNS servers or man-in-the-middle attacks could silently compromise large enterprise networks.


Microsoft Dynamics 365 On-Premises received the highest CVSS score at 9.9 for a code injection flaw that includes a scope change, meaning attackers could impact resources beyond the targeted component. The TCP/IP stack use-after-free flaw is technically wormable, though real-world exploitation would require sustained memory pressure on target systems, making attacks less likely in practice. Two Word vulnerabilities can trigger through the Preview Pane without users opening malicious documents, expanding the attack surface for office-based threats.


Critical CVEs Requiring Immediate Patching


CVE-2026-42898 represents a critical code injection vulnerability in Microsoft Dynamics 365 with a CVSS score of 9.9, allowing authenticated users to break out and affect resources beyond the vulnerable component. CVE-2026-41089 is the Windows Netlogon stack-based buffer overflow enabling unauthenticated remote code execution on domain controllers with a wormable classification. CVE-2026-41096 affects the Windows DNS Client through heap overflow triggered by malicious DNS responses with no authentication or user interaction required. CVE-2026-40415 is the TCP/IP use-after-free vulnerability technically wormable but requiring rare memory pressure conditions. CVE-2026-41103 impacts the Microsoft SSO Plugin for Jira and Confluence through incorrect authentication algorithm implementation rated as exploitation likely.


Word and Office Threats


Microsoft Word received attention with CVE-2026-40364 and CVE-2026-40361, both rated at CVSS 8.4 and exploitable through the Preview Pane without opening documents. The first involves type confusion bugs while the second uses a use-after-free vulnerability. The Preview Pane attack vector is particularly concerning because it bypasses the traditional requirement for users to open a malicious document. Security researchers emphasize that patching remains the most effective defense against these threats.


Broader Privilege Escalation Issues


Multiple privilege escalation vulnerabilities were addressed across Windows components rated as exploitation likely. These affect Remote Desktop, the Common Log File System Driver, the Windows Kernel, Azure AI Foundry, Win32k, TCP/IP, and the Cloud Files Mini Filter Driver. While not individually reaching critical severity levels, the scope of privilege escalation issues across core system components represents a systemic security hardening effort by Microsoft.


What This Means for Organizations


The absence of zero-days or actively exploited vulnerabilities at release time provides a narrow window for organizations to prioritize patching. However, with 30 critical flaws and multiple wormable vulnerabilities, this cannot be treated as a routine maintenance cycle. The Netlogon and DNS Client flaws should be patched first, followed by Dynamics 365 if your organization uses that platform. The emergence of AI-driven vulnerability discovery also signals that traditional security research approaches are evolving, and organizations should expect both higher discovery rates and different vulnerability profiles going forward. Microsoft's MDASH system availability in private preview suggests this is becoming a competitive advantage for discovering threats before attackers do.


Sources


  • https://securityaffairs.com/192086/uncategorized/microsoft-patch-tuesday-for-may-2026-fix-138-bugs-some-of-them-are-alarming.html

  • https://www.cyberkendra.com/2026/05/microsofts-ai-just-found-16-windows.html

  • https://www.darkreading.com/application-security/patch-tuesday-microsoft-zero-day-sight

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page