Microsoft released one of the biggest Patch Tuesdays of the year with 138 security fixes

13.05.2026 6 minutes Author: Newsman

Microsoft released a massive Patch Tuesday update that fixed 138 vulnerabilities in Windows, Office, and other company products. Among them were several critical zero-day bugs that hackers had already used in real-world attacks before the patches were released.

Microsoft's May Patch Tuesday update patched a total of 138 bugs in Windows, Azure, Office, Teams, Dynamics 365 and many other Microsoft products. Among those 138 fixes are dozens of high-priority vulnerabilities, including remote code execution and privilege escalation.

In addition, Microsoft reported that none of the vulnerabilities in this month's patch (at least none it knows of) had been exploited by attackers before the patches were released. This month's update is also among the largest released so far this year.

Of the 138 fixed bugs:

  • 30 received the status of Critical;

  • 104 were classified as Important;

  • 3 were Moderate;

  • 1 was marked as Low.

Most of the vulnerabilities Microsoft fixed were of the Elevation of Privilege (EoP) type: 61 of the 138. Beyond those, Microsoft resolved 32 Remote Code Execution (RCE), 15 Information Disclosure, 14 Spoofing, 8 Denial-of-Service (DoS), 6 Security Feature Bypass and 2 Tampering vulnerabilities.

Separately from the list above, Microsoft also called out CVE-2025-54518, for which AMD recently issued patches. The vulnerability affects Zen 2 processors and may corrupt the execution of instructions running at a lower privilege level; exploitation could potentially lead to Elevation of Privilege.

The update also carries fixes for 127 Chromium-based vulnerabilities, since the Microsoft Edge browser is built on Chromium.

Perhaps the most problematic issue addressed in this patch set is CVE-2026-41096 in Windows DNS. The vulnerability carries a CVSS score of 9.8 and enables RCE through specially crafted DNS responses.

According to Microsoft, an attacker can send a maliciously crafted DNS response to a Windows system running a vulnerable DNS server; processing that response corrupts memory, and depending on the server's configuration the attack requires no authentication to execute code on the affected system.

Among other critical bugs, the company identified:

  • CVE-2026-42826 (CVSS score: 10.0) – An exposure of sensitive information to an unauthorized actor in Azure DevOps that allows an unauthorized attacker to disclose information over a network. (Requires no customer action)

  • CVE-2026-33109 (CVSS score: 9.9) – An improper access control in Azure Managed Instance for Apache Cassandra that allows an authorized attacker to execute code over a network. (Requires no customer action)

  • CVE-2026-42898 (CVSS score: 9.9) – A code injection vulnerability in Microsoft Dynamics 365 (on-premises) that allows an authorized attacker to execute code over a network.

  • CVE-2026-42823 (CVSS score: 9.9) – An improper access control in Azure Logic Apps that allows an authorized attacker to elevate privileges over a network.

  • CVE-2026-41089 (CVSS score: 9.8) – A stack-based buffer overflow in Windows Netlogon that allows an unauthorized attacker to execute code over a network without needing to sign in or have prior access by sending a specially crafted network request to a Windows server that is acting as a domain controller.

  • CVE-2026-33823 (CVSS score: 9.6) – An improper authorization in Microsoft Teams that allows an authorized attacker to disclose information over a network. (Requires no customer action)

  • CVE-2026-35428 (CVSS score: 9.6) – A command injection vulnerability in Azure Cloud Shell that allows an unauthorized attacker to perform spoofing over a network. (Requires no customer action)

  • CVE-2026-40379 (CVSS score: 9.3) – An exposure of sensitive information to an unauthorized actor in Azure Entra ID that allows an unauthorized attacker to perform spoofing over a network. (Requires no customer action)

  • CVE-2026-40402 (CVSS score: 9.3) – A use-after-free in Windows Hyper-V that allows an unauthorized attacker to gain SYSTEM privileges and access the Hyper-V host environment.

  • CVE-2026-41103 (CVSS score: 9.1) – An incorrect implementation of authentication algorithm in Microsoft SSO Plugin for Jira & Confluence that allows an unauthorized attacker to gain unauthorized access to Jira or Confluence as a valid user and perform actions with the same permissions as the compromised account.

  • CVE-2026-33117 (CVSS score: 9.1) – An improper authentication in Azure SDK that allows an unauthorized attacker to bypass a security feature over a network.

  • CVE-2026-42833 (CVSS score: 9.1) – An execution with unnecessary privileges in Microsoft Dynamics 365 (on-premises) that allows an authorized attacker to execute code over a network and gain the ability to interact with other tenants' applications and content.

  • CVE-2026-33844 (CVSS score: 9.0) – An improper input validation in Azure Managed Instance for Apache Cassandra that allows an authorized attacker to execute code over a network. (Requires no customer action)

Researchers at Rapid7 are focusing on CVE-2026-41103. In their view, the bug makes it possible to forge credentials and impersonate a legitimate user while bypassing Entra ID.

According to Action1, CVE-2026-42898 in Dynamics 365 is one of the biggest threats in the current release. Researcher Jack Biser said that a user does not need administrative rights to run arbitrary code within a company's business systems using this bug.

Biser said a successful attack against Dynamics 365 would result in the loss of confidentiality of customer data, the unauthorized disclosure of sensitive information about customers, and potentially the use of compromised corporate systems as a foothold into other parts of the enterprise.

Microsoft also warned users to update their Secure Boot certificates to the 2023 versions (the ones currently in use) and announced that certificates issued prior to 2011 will expire on June 26, 2026. If an administrator fails to do so, Nightwing stated that catastrophic failures of boot-level security and systems failing to start could occur.
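Before the expiry date, an administrator wants to know which hosts still lack the 2023 Secure Boot certificates. The following PowerShell inventory check is an added example and is not code from the article, Microsoft or Nightwing. It assumes an elevated session on a UEFI-based Windows machine with the built-in SecureBoot module; the certificate names it matches are the ones Microsoft uses for its 2023 CAs, so verify them against Microsoft's current Secure Boot guidance before relying on the result.

```powershell
# Added example (not from the article): report whether the 2023 Secure Boot
# CAs are present in this machine's UEFI db and KEK variables.
# Assumptions: elevated PowerShell, UEFI firmware, SecureBoot module available.
# CA names are Microsoft's names for the 2023 certificates (assumption: confirm
# against Microsoft's current guidance).
function Get-SecureBoot2023Status {
    [CmdletBinding()]
    param()

    # Confirm-SecureBootUEFI throws on legacy BIOS machines; report "not applicable"
    # instead of failing so the check can run across a mixed fleet.
    try {
        $enabled = Confirm-SecureBootUEFI
    } catch {
        return [pscustomobject]@{
            SecureBoot     = 'NotSupported'
            Db2023         = $null
            ThirdParty2023 = $null
            Kek2023        = $null
        }
    }

    # db and KEK are binary EFI_SIGNATURE_LISTs; the certificate subject names are
    # ASCII inside the DER blobs, so a substring match is sufficient for an inventory.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)

    [pscustomobject]@{
        SecureBoot     = if ($enabled) { 'Enabled' } else { 'Disabled' }
        Db2023         = $db  -match 'Windows UEFI CA 2023'              # signs the Windows boot manager
        ThirdParty2023 = $db  -match 'Microsoft UEFI CA 2023'            # signs third-party boot components
        Kek2023        = $kek -match 'Microsoft Corporation KEK 2K CA 2023'  # needed to accept future db updates
    }
}

# Usage: print the status and flag hosts that still rely only on the older CAs.
$status = Get-SecureBoot2023Status
$status | Format-List
if ($status.SecureBoot -eq 'Enabled' -and -not ($status.Db2023 -and $status.Kek2023)) {
    Write-Warning "Secure Boot is enabled but the 2023 CAs are missing from db/KEK; apply Microsoft's certificate update before the older CAs expire."
}
```

The function returns an object rather than printing, so the same check can be wrapped in `Invoke-Command` across many hosts and the results filtered centrally. A machine reporting `Disabled` is not protected by Secure Boot at all, which is a separate finding from missing 2023 certificates.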

Microsoft reported that it developed new software called MDASH, which uses artificial intelligence to identify vulnerabilities in Windows authentication mechanisms and the networking stack. Using this AI-based program, the company found 16 new bugs.

Microsoft indicated that AI dramatically increased the speed at which bugs are found, and that the number of patches released each month under the Patch Tuesday initiative may grow in the coming months.
