Microsoft Patches 137 Vulnerabilities in May 2026 Update, Breaking 22-Month Zero-Day Streak

Executive Summary

Microsoft has released its May 2026 security updates, addressing a total of 137 vulnerabilities across its product portfolio. This extensive release is highlighted by two key facts: first, it is one of the largest updates of the year, featuring patches for 30 critical vulnerabilities. Second, it marks the first Patch Tuesday in 22 months that does not contain a fix for either a publicly disclosed or actively exploited zero-day vulnerability. Despite the lack of zero-days, the sheer volume and criticality of the patched flaws demand immediate attention from administrators. The most severe vulnerabilities include a critical Remote Code Execution (RCE) in the Windows Netlogon service (CVE-2026-41089) and another in the Windows DNS Client (CVE-2026-41096), both rated 9.8 on the CVSS scale.

Vulnerabilities Addressed

This month's update addresses 137 flaws, broken down by type:

• 61 Elevation of Privilege (EoP) vulnerabilities
• 31 Remote Code Execution (RCE) vulnerabilities
• 14 Information Disclosure vulnerabilities
• 8 Denial of Service (DoS) vulnerabilities
• 13 Spoofing vulnerabilities

Critical Vulnerabilities of Note:

• CVE-2026-41089 - Windows Netlogon Remote Code Execution Vulnerability (CVSS 9.8): This is arguably the most critical vulnerability this month. An unauthenticated attacker on the same network can send a specially crafted request to a domain controller, potentially achieving remote code execution with SYSTEM privileges. This is highly wormable within an enterprise environment.

• CVE-2026-41096 - Windows DNS Client Remote Code Execution Vulnerability (CVSS 9.8): This vulnerability allows an attacker who controls a malicious DNS server to execute code on a client machine that sends it a query. This could be triggered by a user simply browsing to a malicious website or opening a malicious email, making it a dangerous client-side vulnerability.

• CVE-2026-42826 - Azure DevOps Information Disclosure Vulnerability (CVSS 10.0): While an information disclosure bug, its perfect CVSS score indicates it could reveal highly sensitive secrets or credentials, leading to a full compromise.

• CVE-2026-42898 - Dynamics 365 On-Premises Remote Code Execution Vulnerability (CVSS 9.9): A critical flaw affecting on-premise deployments of Microsoft's business application suite.

• CVE-2026-40361 & CVE-2026-40464 - Microsoft Word Remote Code Execution Vulnerabilities (CVSS 8.4): Both of these can be exploited via the Preview Pane in Outlook, meaning an attacker can achieve RCE without the user even opening the malicious document, just by receiving and selecting the email.

Affected Products

The vulnerabilities impact a wide range of Microsoft products, including but not limited to:

• Microsoft Windows (all supported versions)
• Microsoft Office and Microsoft 365 Apps
• Microsoft Azure and Azure DevOps
• Microsoft Dynamics 365
• Microsoft SharePoint Server
• Windows Netlogon
• Windows DNS Client

Impact Assessment

While there are no active exploits reported yet, vulnerabilities in core components like Netlogon and DNS are prime targets for reverse engineering and weaponization by threat actors. The Netlogon flaw, in particular, has echoes of past critical vulnerabilities like Zerologon and poses a significant risk to enterprise domain controllers, the keys to the kingdom for most organizations. The Word RCEs that trigger on preview are also highly dangerous, as they remove the user-click requirement that often thwarts phishing campaigns. Organizations should treat this patch cycle with high urgency due to the potential for widespread and severe impact once exploits become available.

Cyber Observables — Hunting Hints

The following patterns could help identify unpatched systems or active exploitation:

• Netlogon (CVE-2026-41089): Monitor domain controller logs for malformed or unusual Netlogon Remote Procedure Call (RPC) traffic. Look for an increase in authentication failures or unexpected SYSTEM-level processes spawning on domain controllers.
• DNS Client (CVE-2026-41096): On endpoints, monitor DNS query responses for unusually large or malformed records. Monitor for processes like svchost.exe (hosting the DNS client service) spawning unexpected child processes like cmd.exe or powershell.exe after making DNS queries.
• Word RCEs: Monitor EDR logs for Microsoft Word (winword.exe) or Outlook (outlook.exe) processes spawning suspicious child processes, especially command-line utilities or scripts.

Installation Instructions

Microsoft has released security updates for all affected products. These updates are available via standard channels:

1. Windows Update: Most end-users and many servers will receive the updates automatically.
2. Windows Server Update Services (WSUS): For enterprise environments, approve and deploy the updates.
3. Microsoft Update Catalog: Updates can be manually downloaded and installed.

Deployment Priority:

1. Domain Controllers: Patch CVE-2026-41089 immediately. These are the most critical assets at risk.
2. Internet-Facing Systems: Any systems exposed to the internet should be patched with high priority.
3. Workstations: Due to the client-side DNS and Word RCEs, all workstations should be patched urgently. It is recommended to test the patches in a pilot group before broad deployment to check for any operational issues.