How Microsoft’s May 2026 Patch Tuesday Impacts Windows, Azure and AD


CyberSecureFox Editorial Team

In its May 2026 Patch Tuesday release, Microsoft closed 138 vulnerabilities across Windows and its cloud services, including critical flaws in Windows DNS, Netlogon, Azure, Dynamics 365, and Entra ID, and at the same time announced enforced rotation of Secure Boot certificates by June 26, 2026. Organizations running domain environments, Dynamics-based CRM, or significant Azure workloads should plan a prioritized update immediately; otherwise the risk of remote code execution and boot disruption will grow faster than teams can deploy patches.

Technical details of Microsoft’s May release

According to the official Microsoft Security Response Center bulletin, the May release fixes 138 vulnerabilities: 30 critical, 104 important, 3 moderate, and 1 low severity. By type, elevation of privilege dominates (61 bugs), followed by remote code execution (32), information disclosure (15), spoofing (14), denial of service (8), security feature bypass (6), and tampering (2).

Critical RCE in Windows DNS: CVE-2026-41096

One of the most dangerous issues is CVE-2026-41096 (CVSS 9.8), a heap overflow in the Windows DNS component. The vulnerable DNS client incorrectly processes a specially crafted DNS response, which leads to memory corruption and may allow a remote attacker to execute arbitrary code without authentication over the network. Details are available in the MSRC entry for CVE-2026-41096.

The criticality here lies not only in the high CVSS score: the DNS client is a core network component present on virtually every host. A crafted response can arrive from a compromised or malicious DNS server or through network-layer attacks (traffic spoofing, abuse of internal resolvers). This makes it a typical entry point for the initial compromise of an organization.

Netlogon under fire: CVE-2026-41089

CVE-2026-41089 (CVSS 9.8) is a stack overflow in Windows Netlogon. According to the MSRC description, an unauthenticated attacker can send a specially crafted network request to a Windows server acting as a domain controller and achieve remote code execution without prior access or logging into the system.

In this case the targeted service is located on domain controllers — the most valuable point in the infrastructure. Successful exploitation means potential full domain takeover, followed by lateral movement, tampering with Kerberos/Entra, and control over Group Policy and software deployment mechanisms.

Cloud perimeter: Azure, Entra, Teams, Logic Apps, Cloud Shell

A number of critical vulnerabilities directly affect cloud services and identity:

  • CVE-2026-42826 (CVSS 10.0) — sensitive information disclosure in Azure DevOps. The vulnerability allows an unauthorized attacker to obtain data over the network. Microsoft has marked it as requiring no customer action to remediate (see the MSRC description).
  • CVE-2026-33109 (CVSS 9.9) and CVE-2026-33844 (CVSS 9.0) — access control and input validation flaws in Azure Managed Instance for Apache Cassandra that allow an authenticated attacker to execute code remotely. Both are flagged as requiring no customer action (see CVE-2026-33109 and CVE-2026-33844).
  • CVE-2026-42823 (CVSS 9.9) — improper access control in Azure Logic Apps, allowing an authenticated user to escalate privileges over the network.
  • CVE-2026-33823 (CVSS 9.6) — an authorization flaw in Microsoft Teams, resulting in information disclosure to an authenticated attacker.
  • CVE-2026-35428 (CVSS 9.6) — command injection in Azure Cloud Shell, enabling an unauthorized attacker to perform spoofing over the network.
  • CVE-2026-40379 (CVSS 9.3) — disclosure of confidential information and spoofing in Azure Entra ID.
  • CVE-2026-33117 (CVSS 9.1) — authentication bypass in the Azure SDK, giving an unauthorized attacker the ability to bypass a security mechanism over the network.

Although for a number of cloud services Microsoft explicitly states “no customer action,” this does not remove the need to reassess the trust architecture: the vulnerabilities affect the confidentiality of development artifacts, secrets, identity data, and service tokens, which, if leaked, can be used beyond the directly vulnerable component.

Business-critical applications: Dynamics 365 and SSO for Jira/Confluence

CVE-2026-42898 (CVSS 9.9) is a code injection issue in Microsoft Dynamics 365 (on-premises). According to researchers, the vulnerability allows an authenticated attacker with low privileges to execute arbitrary code remotely by manipulating session data of Dynamics CRM processes. Compromise of such a server effectively turns the business application into a remote code execution platform that may extend beyond its original trust boundaries.

CVE-2026-42833 (CVSS 9.1) affects the same product: execution with excessive privileges gives an authenticated attacker the ability to run code over the network and interact with applications and data of other tenants.

CVE-2026-41103 (CVSS 9.1) in the Microsoft SSO Plugin for Jira & Confluence deserves special attention. Due to an incorrect implementation of the authentication algorithm, an unauthorized attacker can forge credentials and log into Jira/Confluence as a legitimate user with their full set of rights. More details are available in the MSRC entry for CVE-2026-41103.

Hypervisor and client components: Hyper-V and others

CVE-2026-40402 (CVSS 9.3) is a use-after-free vulnerability in Windows Hyper-V, allowing an unauthorized attacker to gain SYSTEM-level privileges and access the host environment. For infrastructures with a high density of virtualization, this is a direct risk of virtual machine escape.

Additionally, Microsoft notes that the release also includes Edge browser fixes based on 127 Chromium vulnerabilities, described in the Microsoft Edge security documentation (Edge security release notes).

Hardware level: AMD Zen 2 (CVE-2025-54518)

The list of updates includes CVE-2025-54518 (CVSS 7.3), a vulnerability previously fixed by AMD. According to the AMD-SB-7052 bulletin, on Zen 2 processors incorrect isolation of shared cache resources may allow an attacker to influence instructions executing at a different privilege level, which can potentially lead to privilege escalation. In practice, this requires synchronized microcode/firmware updates from the hardware vendor and software patches from Microsoft.

AI-accelerated vulnerability discovery: the MDASH system

According to Microsoft, more than 500 CVEs have already been fixed in the first five months of 2026. In a separate report, the company notes that a significant share of new vulnerabilities is being found using artificial intelligence–based systems. In particular, 16 bugs in the Windows network and authentication stack this month were discovered by a new multi-model agent system called MDASH (multi-model agentic scanning harness), described on the Microsoft Security blog (details on MDASH).

The accompanying MSRC note on the May Patch Tuesday emphasizes that in this release the share of vulnerabilities found by Microsoft itself is higher than usual, largely thanks to MDASH and related analysis processes. The result is an accelerated pace of patch releases, especially in the network and authentication stack, and increased operational load on teams responsible for updates.

Impact assessment on infrastructure

The highest-risk organizations are those with the following characteristics:

  • Extensive use of Active Directory with their own DNS servers and domain controllers: the combination of CVE-2026-41096 and CVE-2026-41089 creates a chain from initial access (via the DNS client) to full domain takeover (via Netlogon).
  • Use of Dynamics 365 (on-premises) as a central CRM/ERP hub: a successful attack exploiting CVE-2026-42898 and CVE-2026-42833 implies the risk of leakage of customer data, business processes, financial information, and subsequent compromise of integrated systems (identity services, databases, external applications).
  • Active use of Azure DevOps, Logic Apps, Managed Cassandra, Teams, Cloud Shell, Entra ID: in this case the focus is on the confidentiality of development artifacts, access tokens, and identity metadata. Even when “no customer action is required,” it is important to reassess the threat model: compromise of service data can be leveraged beyond the current incident.
  • Organizations relying on SSO to Jira/Confluence via the Microsoft plugin: the CVE-2026-41103 vulnerability effectively allows bypassing the authentication layer and using Jira/Confluence as a foothold for moving through task chains, configuration repositories, and documents.
  • Virtualization infrastructures based on Hyper-V: CVE-2026-40402 directly affects the “guest–host” boundary and raises the issue of segmenting workloads with different criticality levels.
  • Organizations with a fleet of systems using Secure Boot with 2011 root certificates: according to experts, failing to update certificates by June 26, 2026 threatens “catastrophic boot-level failures” or a fallback to a reduced security mode.
  • Use of the AMD Zen 2 hardware platform in environments with strict isolation requirements (multi-tenant systems, clouds, hosting): the CVE-2025-54518 vulnerability weakens privilege separation guarantees at the processor level.

If these issues are not remediated, the organization faces the risk of:

  • remote compromise from a zero-perimeter position (DNS, Netlogon);
  • compromise of supply chains and DevOps pipelines (Azure DevOps, Logic Apps, Cloud Shell);
  • large-scale leakage of customer and financial data (Dynamics 365, Entra ID, Teams);
  • undermined trust in boot mechanisms and platform integrity (Secure Boot, AMD Zen 2);
  • a substantial increase in the workload of operations teams due to the accelerated “discovery–patch” cycle driven by AI systems.

Practical response recommendations

Patch prioritization

Given network exposure and exploitation impact, it is reasonable to establish the following order of work:

  1. Immediately update all supported Windows versions, especially:
    • hosts acting as DNS clients/servers (CVE-2026-41096);
    • all Active Directory domain controllers (CVE-2026-41089);
    • Hyper-V hosts (CVE-2026-40402).
  2. Deploy updates for Dynamics 365 (on-premises) that remediate CVE-2026-42898 and CVE-2026-42833, with preliminary testing in a staging environment due to the CRM’s deep integration with external systems.
  3. Update the Microsoft SSO Plugin for Jira & Confluence to a build that includes the CVE-2026-41103 fix, and review logs for suspicious login activity.
  4. Check update status in Azure:
    • ensure that subscriptions and resources are not blocked from automatic application of updates for Azure DevOps, Logic Apps, Managed Cassandra, Teams, Cloud Shell, and Entra ID;
    • reassess privileges for service accounts and tokens, even where “no customer action is required.”
  5. Update Microsoft Edge to the latest version to pick up the fixes for 127 Chromium vulnerabilities listed in the Edge security documentation.
  6. Coordinate deployment of microcode for AMD Zen 2 with hardware vendors in line with the AMD-SB-7052 bulletin and ensure the operating system is using the updated microcode.

Secure Boot certificate rotation

By June 26, 2026, organizations must:

  • identify all devices that rely on 2011-era Secure Boot certificates (via BIOS/UEFI inventory and Windows boot policies);
  • deploy Windows updates that include the new 2023 certificates, as described in the MSRC note on this release (Microsoft’s Patch Tuesday commentary);
  • where necessary, update UEFI firmware on servers and workstations if the vendor provides separate key rotation packages;
  • test boot scenarios on a pilot group of various device models before mass rollout to minimize the risk of outages.
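The first step above, identifying devices that still trust only the 2011-era Secure Boot certificates, can be automated from a management host. The script below is an added example (not from the article or from Microsoft); it assumes WinRM access with local admin rights on the targets, a constructed host list, and that the CA display names in the comments are the strings embedded in the UEFI db and KEK variables.

```powershell
# Added example: inventory Secure Boot certificate state ahead of the June 26, 2026 deadline.
# Assumptions: WinRM enabled, caller is local admin on the targets, and the CA names below
# match the issuer strings inside the UEFI 'db' and 'KEK' variables.
$Targets = @('dc01', 'hv01', 'ws-pilot-07')   # constructed sample host list

$Inventory = Invoke-Command -ComputerName $Targets -ErrorAction Continue -ScriptBlock {
    $result = [ordered]@{
        Host         = $env:COMPUTERNAME
        SecureBootOn = $false
        Db2011       = $false   # 'Microsoft Windows Production PCA 2011' present in db
        Db2023       = $false   # 'Windows UEFI CA 2023' present in db
        Kek2011      = $false   # 'Microsoft Corporation KEK CA 2011' present in KEK
        Kek2023      = $false   # 'Microsoft Corporation KEK 2K CA 2023' present in KEK
        Status       = 'Unknown'
    }
    try {
        $result.SecureBootOn = Confirm-SecureBootUEFI
    } catch {
        # Legacy BIOS / CSM hosts throw here; they have no Secure Boot db to rotate.
        $result.Status = 'NoSecureBoot'
        return [pscustomobject]$result
    }
    # The UEFI variables are raw DER bundles; the issuer names are ASCII-readable inside them.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
    $result.Db2011  = $db  -match 'Microsoft Windows Production PCA 2011'
    $result.Db2023  = $db  -match 'Windows UEFI CA 2023'
    $result.Kek2011 = $kek -match 'Microsoft Corporation KEK CA 2011'
    $result.Kek2023 = $kek -match 'Microsoft Corporation KEK 2K CA 2023'

    # Updated hosts keep the 2011 entries alongside the 2023 ones, so check for 2023 first.
    $result.Status = if ($result.Db2023 -and $result.Kek2023) { 'Rotated' }
                     elseif ($result.Db2011 -or $result.Kek2011) { 'NeedsRotation' }
                     else { 'Unknown' }
    [pscustomobject]$result
}

# Hosts trusting only the 2011 CAs are the ones exposed to the boot-time failures
# described above; export them as the candidate pilot group.
$Inventory | Where-Object Status -eq 'NeedsRotation' |
    Select-Object Host, SecureBootOn, Db2011, Db2023, Kek2011, Kek2023 |
    Export-Csv -Path '.\secureboot-needs-rotation.csv' -NoTypeInformation

$Inventory | Group-Object Status | Select-Object Name, Count
```

Hosts reported as 'Unknown' (Secure Boot on, but neither CA string found) usually run OEM-customized db contents and should be checked against the vendor's own rotation guidance.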

Identifying vulnerable systems and hardening configuration

To assess exposure and reduce the attack surface:

  • use update management systems (WSUS, Microsoft Endpoint Configuration Manager, and equivalents) to generate reports on the status of May patches on:
    • domain controllers;
    • Hyper-V hosts;
    • servers with Dynamics 365 (on-premises) installed;
    • hosts with the SSO plugin for Jira/Confluence installed.
  • restrict network exposure of Netlogon and DNS server services to only the necessary segments (firewalls, access control lists).
  • review Entra ID settings and related applications:
    • disable legacy authentication methods;
    • enable multi-factor authentication for all administrative and high-risk accounts;
    • reassess delegated permissions for applications and service principals.
  • strengthen segmentation of virtual machines on Hyper-V, separating critical and non-critical workloads, and limit access to hypervisor management.
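The patch-status report called for in the first bullet can be produced without a full management suite. The script below is an added example (not from the article or from Microsoft); it assumes the RSAT ActiveDirectory module, WinRM access to the targets, constructed sample host names for the non-DC roles, and a placeholder where the May 2026 KB numbers from the MSRC release notes belong, since the article does not list them.

```powershell
# Added example: report May 2026 patch status on the host classes the article singles out.
# Assumptions: RSAT ActiveDirectory module, WinRM to the targets, and $RequiredKBs filled
# from the MSRC release notes for your OS builds (placeholder below; the article lists none).
Import-Module ActiveDirectory

$RequiredKBs = @('KB<MAY-2026-CUMULATIVE-UPDATE>')   # placeholder: one KB per OS build
$Role = @{}

# Domain controllers (CVE-2026-41089 Netlogon, CVE-2026-41096 DNS) come straight from AD.
Get-ADDomainController -Filter * | ForEach-Object { $Role[$_.HostName] = 'DomainController' }

# Remaining host classes from the article; constructed sample names, maintained by the team.
'hv01.corp.example', 'hv02.corp.example' | ForEach-Object { $Role[$_] = 'HyperV' }
'crm01.corp.example'                      | ForEach-Object { $Role[$_] = 'Dynamics365' }
'jira01.corp.example'                     | ForEach-Object { $Role[$_] = 'JiraSSOPlugin' }

$Report = foreach ($Target in $Role.Keys) {
    try {
        # Get-HotFix lists installed updates; any required KB missing means the host is still exposed.
        $installed = Invoke-Command -ComputerName $Target -ErrorAction Stop -ScriptBlock {
            Get-HotFix | Select-Object -ExpandProperty HotFixID
        }
        $missing = $RequiredKBs | Where-Object { $_ -notin $installed }
        $state   = if ($missing) { 'Missing' } else { 'Patched' }
    } catch {
        # An unreachable host is treated as unpatched so it is not silently dropped from the report.
        $missing = $RequiredKBs
        $state   = "Unreachable: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Host      = $Target
        Role      = $Role[$Target]
        State     = $state
        MissingKB = ($missing -join ';')
    }
}

# Domain controllers and Hyper-V hosts first, matching the article's priority order.
$Order = @{ DomainController = 1; HyperV = 2; Dynamics365 = 3; JiraSSOPlugin = 4 }
$Report | Sort-Object { $Order[$_.Role] }, Host | Format-Table -AutoSize
$Report | Where-Object State -ne 'Patched' | Export-Csv '.\may-2026-patch-gaps.csv' -NoTypeInformation
```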

Finally, given the growing patch volume driven by AI systems like MDASH, it makes sense to formalize an update cadence based on impact and exposure, rather than on the number of CVEs fixed: prioritize updating systems that are accessible over the network without authentication (DNS, Netlogon, Hyper-V, internet-exposed Azure services) and nodes with the highest concentration of valuable data (Dynamics 365, Entra ID), while in parallel planning Secure Boot certificate rotation ahead of the hard deadline of June 26, 2026.

