Microsoft Patch Tuesday Exposes 137 Vulnerabilities, Including 30 Critical Flaws

Microsoft released fixes for 137 CVEs on Tuesday — 30 of them rated critical and 14 scoring 9.0 or higher on the CVSS scale, including one perfect 10.0 — a surge Redmond attributes in part to AI-powered bug finding, adding that “we expect releases to continue trending larger for some time.”

Microsoft’s May release: scale, severity, and the immediate imperative

Redmond pushed out patches for 137 vulnerabilities, none of which, Microsoft says, is known to have been exploited in the wild. Still, the company rated 30 flaws as critical and flagged 14 with CVSS scores of 9.0 or above. Tom Gallagher, vice president of engineering at the Microsoft Security Response Center, said in a note on this month’s Patch Tuesday that “this month's release sits on the larger side of a hotpatch month, and we expect releases to continue trending larger for some time.” The combination of release size and several high-severity remote code execution (RCE) bugs makes prompt testing and deployment a priority for administrators.

MDASH: Microsoft’s AI bug-hunting system goes public-ish

Microsoft disclosed that an internal AI-driven bug-hunting system, codenamed MDASH, found 16 of the vulnerabilities addressed in this release. Redmond also said it is making MDASH available to a limited number of customers in private preview, positioning the tool alongside others such as Anthropic’s Mythos and Project Glasswing. Microsoft offered the disclosure as one reason this month’s slate of fixes is larger than usual: more automated discovery means more flaws to patch.

CVE-2026-41096 — Windows DNS Client (9.8): heap-based overflow, unauthenticated RCE

CVE-2026-41096 is a 9.8-rated remote code execution bug in the Windows DNS Client caused by a heap-based buffer overflow. According to Microsoft, exploitation is “unlikely,” but the flaw requires no authentication or user interaction: a specially crafted DNS response sent to a vulnerable system can cause memory corruption and allow code execution. Dustin Childs of the Zero Day Initiative warned that “since the DNS Client runs on virtually every Windows machine, the attack surface is enormous,” and added that “an attacker with a position to influence DNS responses (MitM, rogue server) could achieve unauthenticated RCE across your enterprise.” The Register’s coverage recommended immediate patching; Action1 vulnerability research director Jack Bicer told The Register, “This CVE requires immediate attention,” and warned that “successful attacks may lead to widespread endpoint compromise, ransomware deployment, credential harvesting, and operational disruption across corporate networks.”
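The attack path above depends on an attacker being able to answer a client's DNS queries, so one check worth running while the DNS Client patch rolls out is whether any endpoint is pointed at a resolver you do not control. The PowerShell below is an added example, not code from the article or from Microsoft; the resolver addresses in $ApprovedResolver and the host names in the usage line are assumed placeholders. It only provides visibility into where a rogue or on-path resolver could sit; it is not a substitute for the patch.

```powershell
# Added example, not from the article. $ApprovedResolver holds assumed corporate
# resolver addresses; replace them with yours. Any interface pointing elsewhere is a
# position from which a rogue or on-path server could hand the vulnerable DNS Client
# a crafted response. Compensating visibility only: the fix is the CVE-2026-41096 patch.
function Find-UnexpectedResolver {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [string[]]$ApprovedResolver = @('10.0.0.10', '10.0.0.11')   # assumed values
    )
    foreach ($name in $ComputerName) {
        # Local host is queried directly; remote hosts via CIM (WinRM must be enabled).
        # IPv4 only, to avoid the placeholder IPv6 resolvers Windows lists on some interfaces.
        $cfg = if ($name -ieq $env:COMPUTERNAME) {
            Get-DnsClientServerAddress -AddressFamily IPv4
        } else {
            Get-DnsClientServerAddress -AddressFamily IPv4 -CimSession $name
        }
        foreach ($iface in $cfg) {
            if (-not $iface.ServerAddresses) { continue }   # no resolver configured
            $bad = @($iface.ServerAddresses | Where-Object { $_ -notin $ApprovedResolver })
            if ($bad.Count -gt 0) {
                [pscustomobject]@{
                    ComputerName = $name
                    Interface    = $iface.InterfaceAlias
                    Unexpected   = ($bad -join ', ')
                }
            }
        }
    }
}

# Usage (run from a management host; the host names are constructed for illustration):
Find-UnexpectedResolver -ComputerName 'ws01', 'ws02' | Format-Table -AutoSize
```

Anything this reports is worth a look regardless of patch state: a workstation whose DNS points at an unexpected address is exactly the "position to influence DNS responses" Childs describes, and that does not change when the buffer overflow is fixed.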

CVE-2026-41089 and CVE-2026-42898 — Netlogon and Dynamics 365 on-premises (9.8, 9.9)

The release includes another 9.8-rated RCE, CVE-2026-41089, a stack-based buffer overflow in Windows Netlogon. Microsoft’s bulletin describes exploitation by an unauthenticated, remote attacker who can send a specially crafted network request to a Windows server acting as a domain controller. Childs emphasized the risk, calling it “the highest-impact bug that requires immediate patching: a compromised domain controller is a compromised domain.”

CVE-2026-42898 targets Microsoft Dynamics 365 on-premises and carries a near-perfect 9.9 rating. That vulnerability allows any authenticated user — not requiring admin privileges — to modify a saved state of a process session in Dynamics CRM and cause the system to process that data, possibly triggering server-side execution of malicious code. Microsoft notes the flaw can lead to a scope change, extending impact beyond the originally vulnerable component, and Childs urged that organizations running Dynamics 365 On-Prem “definitely test and deploy this patch quickly.”

Azure DevOps disclosure (CVE-2026-42826): mitigated by Microsoft, no customer action

One CVE in this set scored a perfect 10.0 — CVE-2026-42826 — but Microsoft says it is an information disclosure issue in Azure DevOps that has “already been fully mitigated by Microsoft.” The company stated explicitly that “there is no action for users of this service to take. The purpose of this CVE is to provide further transparency.”

What this means for Windows administrators, Dynamics 365 operators, and Azure DevOps users

  • Windows administrators: Prioritize the Netlogon and DNS Client fixes. The Netlogon flaw can be exploited without credentials against domain controllers; the DNS Client issue affects virtually every Windows endpoint and can be triggered by a crafted DNS response.
  • Dynamics 365 on-premises operators: Treat CVE-2026-42898 as high priority. The vulnerability permits an authenticated user to trigger server-side code execution and may cause a scope change — test and deploy the patch quickly, per Dustin Childs’ guidance.
  • Azure DevOps users: Microsoft reports the 10.0-rated information disclosure flaw has been fully mitigated by the vendor; customers of the hosted service do not need to take action.
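The three bullets above are a prioritisation: domain controllers and Dynamics 365 on-premises servers first, then every other Windows host. The PowerShell below is an added example (not from the article or from Microsoft) that turns that ordering into a triage report. It assumes the RSAT ActiveDirectory module is installed, that the caller can query installed hotfixes on the targets over WMI/RPC, and that Dynamics 365 on-premises hosts are named explicitly in -DynamicsServer, since AD does not record that role; the host name 'crm01.corp.example' is a placeholder. The patch-state test is a heuristic (newest installed hotfix predates this month's Patch Tuesday); the article does not list the KB numbers, so confirm against the MSRC advisory for each build before closing the ticket.

```powershell
# Added example (not from the article or from Microsoft). Assumptions: the RSAT
# ActiveDirectory module is available, the caller can query Win32_QuickFixEngineering
# on the targets (Get-HotFix uses WMI/RPC), and Dynamics 365 on-premises hosts are
# passed in -DynamicsServer because their role cannot be read from AD.
# Heuristic: a host whose newest installed hotfix predates this month's Patch Tuesday
# has not received this month's cumulative update. Confirm with the exact KB from MSRC.

function Get-PatchTuesday {
    param([int]$Year = (Get-Date).Year, [int]$Month = (Get-Date).Month)
    # Microsoft releases on the second Tuesday of each month.
    $first  = Get-Date -Year $Year -Month $Month -Day 1 -Hour 0 -Minute 0 -Second 0 -Millisecond 0
    $offset = ([int][DayOfWeek]::Tuesday - [int]$first.DayOfWeek + 7) % 7
    $first.AddDays($offset + 7)
}

function Get-PatchTriage {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string[]]$DynamicsServer = @(),
        [datetime]$Since = (Get-PatchTuesday)
    )
    # Priority 1: domain controllers (Netlogon, CVE-2026-41089) and Dynamics 365
    # on-prem servers (CVE-2026-42898). Priority 2: everything else, because the
    # DNS Client (CVE-2026-41096) is present on every Windows host.
    $dcSet = @{}
    foreach ($dc in (Get-ADDomainController -Filter *)) { $dcSet[$dc.HostName.ToLower()] = $true }
    $dynSet = @{}
    foreach ($d in $DynamicsServer) { $dynSet[$d.ToLower()] = $true }

    foreach ($name in $ComputerName) {
        $key  = $name.ToLower()
        $role = if ($dcSet.ContainsKey($key)) { 'DomainController' }
                elseif ($dynSet.ContainsKey($key)) { 'Dynamics365' }
                else { 'Endpoint' }
        try {
            $latest = Get-HotFix -ComputerName $name -ErrorAction Stop |
                      Where-Object InstalledOn |
                      Sort-Object InstalledOn -Descending |
                      Select-Object -First 1
            $state  = if ($latest -and $latest.InstalledOn -ge $Since) { 'Updated' } else { 'NeedsPatch' }
            $detail = $null
        } catch {
            $latest = $null; $state = 'Unreachable'; $detail = $_.Exception.Message
        }
        [pscustomobject]@{
            ComputerName = $name
            Role         = $role
            Priority     = if ($role -eq 'Endpoint') { 2 } else { 1 }
            LastHotFix   = $latest.HotFixID
            InstalledOn  = $latest.InstalledOn
            State        = $state
            Detail       = $detail
        }
    }
}

# Usage: every Windows computer object in AD, unpatched high-priority hosts first.
# 'crm01.corp.example' is a placeholder for your Dynamics 365 on-premises server.
$targets = Get-ADComputer -Filter 'OperatingSystem -like "*Windows*"' |
           Select-Object -ExpandProperty DNSHostName
Get-PatchTriage -ComputerName $targets -DynamicsServer 'crm01.corp.example' |
    Sort-Object Priority, State | Format-Table -AutoSize
```

Hosts reported as Unreachable are not safe to ignore: a domain controller that cannot be queried over RPC still has Netlogon exposed to the network, and deserves a manual check before anything else on the list.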

Microsoft’s disclosure ties the spike in high-severity bugs to greater use of AI in vulnerability discovery, and the company warns that larger Patch Tuesdays are likely to continue. For defenders that means tighter patch testing and deployment cycles and a heavier workload now, with particular attention warranted for Netlogon on domain controllers, the Windows DNS Client on every endpoint, and on-premises Dynamics 365 installations.
