Summaries

May 2026 Patch Tuesday: 130 CVEs Including Azure DevOps Critical, Netlogon RCE, and DNS Client Overflow

Microsoft's May 2026 Patch Tuesday addresses 130 vulnerabilities, including 30 Critical — headlined by a CVSS 10.0 Azure DevOps information disclosure, a CVSS 9.8 Windows Netlogon RCE, and a CVSS 9.8 Windows DNS Client heap buffer overflow.

View on Graph

Summary

Microsoft’s May 2026 Patch Tuesday release addresses 130 vulnerabilities, down from April’s 164. The release includes 30 Critical-rated patches and 100 of varying severity. Elevation of privilege vulnerabilities lead the risk profile with 61 patches (47%), followed by remote code execution with 31 patches (24%), and information disclosure at 15 (11%). Windows received the most fixes with 66, followed by Office with 24 and Azure with 16.

The most severe vulnerability is CVE-2026-42826, a Critical information disclosure affecting Azure DevOps with a CVSS score of 10.0 — the maximum severity. The vulnerability allows unauthenticated remote attackers to disclose sensitive information through an exposure of sensitive information flaw. Microsoft has proactively remediated this within its cloud infrastructure without requiring customer action.

Several other critical vulnerabilities demand customer attention. CVE-2026-41089 is a Critical RCE in Windows Netlogon (CVSS 9.8) — a stack-based buffer overflow allowing unauthenticated remote code execution via specially crafted network requests to domain controllers. CVE-2026-41096 is a Critical RCE in the Windows DNS Client (CVSS 9.8) — a heap-based buffer overflow triggered by malicious DNS responses. CVE-2026-42898 is a Critical RCE in Dynamics 365 On-Premises (CVSS 9.9) — a code injection flaw allowing authenticated remote code execution. CVE-2026-40402 is a Critical Hyper-V elevation of privilege (CVSS 9.3) — a use-after-free flaw allowing guest VMs to escape to the host.

Why It Matters

This Patch Tuesday requires active deployment for multiple Critical vulnerabilities affecting core Windows services. The Netlogon and DNS Client flaws are particularly concerning because they allow unauthenticated remote code execution with low attack complexity — the type of vulnerabilities that ransomware operators and nation-state actors weaponize rapidly. The Hyper-V escape vulnerability creates risk for virtualized environments where tenant isolation is critical.

Defender Takeaways

  • Apply the Windows Netlogon patch (CVE-2026-41089) as highest priority on domain controllers — unauthenticated RCE with no user interaction required.
  • Patch Windows DNS Client (CVE-2026-41096) across all workstations and servers; while exploitation requires a man-in-the-middle position, DNS spoofing attack scenarios are well-established.
  • Update Dynamics 365 On-Premises (CVE-2026-42898) if deployed in your environment; this authenticated RCE can be exploited without user interaction.
  • Apply Hyper-V host patches (CVE-2026-40402) for virtualization environments; guest-to-host escape vulnerabilities represent a full security boundary breach.
  • Review Azure infrastructure — the Azure DevOps and Azure Managed Instance for Apache Cassandra vulnerabilities were remediated at the cloud layer but verify with your tenant status.
  • Plan for the full patch deployment cycle prioritizing the 11 Critical CVEs requiring customer action before addressing the remaining 100+ patches.

Source

Title: May 2026 Patch Tuesday: Updates and Analysis — CrowdStrike
URL: https://www.crowdstrike.com/en-us/blog/patch-tuesday-analysis-may-2026/