"The most critical non-CVE update involves the mandatory rollout of updated Secure Boot certificates," Rain Baker, senior incident response specialist at Nightwing, said.
CVE-2026-41096: a network-exploitable DNS heap overflow
Microsoft released patches on Tuesday covering 138 security vulnerabilities across its product portfolio. Among the most severe is CVE-2026-41096 (CVSS score: 9.8), a heap-based buffer overflow in Windows DNS that "could allow an unauthorized attacker to execute code over a network," Microsoft said. The company described the exploit path precisely: an attacker can send a specially crafted DNS response that the DNS Client improperly processes, corrupting memory and, in certain configurations, permitting remote code execution without authentication.
Netlogon, Hyper‑V and other high-severity system flaws
The updates include multiple flaws with near–critical scores. CVE-2026-41089 (CVSS score: 9.8) is a stack-based buffer overflow in Windows Netlogon that allows an unauthorized attacker to execute code over a network without signing in by sending a specially crafted network request to a Windows server acting as a domain controller. CVE-2026-40402 (CVSS score: 9.3) is a user-after-free in Windows Hyper‑V that permits an unauthorized attacker to gain SYSTEM privileges and access the Hyper‑V host environment. Microsoft classified 30 of the 138 flaws as Critical and 104 as Important; among the whole set, 61 were privilege‑escalation bugs and 32 were remote code execution vulnerabilities.
Azure, Dynamics 365, Teams and cloud service implications
Cloud and enterprise services figure prominently in the list. Microsoft patched multiple Critical- and Important-rated issues including:
- CVE-2026-42826 (CVSS 10.0) — sensitive information exposure in Azure DevOps (requires no customer action).
- CVE-2026-33109 (CVSS 9.9) — improper access control in Azure Managed Instance for Apache Cassandra allowing an authorized attacker to execute code over a network (requires no customer action).
- CVE-2026-42898 (CVSS 9.9) — code injection in Microsoft Dynamics 365 (on‑premises) enabling an authorized attacker to execute code over a network.
- CVE-2026-42823 (CVSS 9.9) — improper access control in Azure Logic Apps enabling privilege elevation over a network.
- CVE-2026-33823 (CVSS 9.6) — improper authorization in Microsoft Teams allowing an authorized attacker to disclose information (requires no customer action).
Security researchers emphasized operational risk. Jack Bicer, director of vulnerability research at Action1, said CVE-2026-42898 "allows an authenticated attacker with low privileges to run arbitrary code over the network by manipulating process session data within Dynamics CRM" and warned the flaw could turn a business application server into "a remote execution platform." Adam Barnett, lead software engineer at Rapid7, highlighted CVE-2026-41103 (an authentication implementation error in Microsoft SSO Plugin for Jira & Confluence) as a privilege-elevation vulnerability that "allows an unauthorized attacker to impersonate an existing user by presenting forged credentials, thus bypassing Entra ID."
MDASH and the rise of AI-assisted discovery
Microsoft noted that the pace and scale of discovery are changing. In a Tuesday report the company said 16 of the flaws fixed this month in its Windows networking and authentication stack were identified through a new multi‑model AI-driven vulnerability discovery system codenamed MDASH. Tom Gallagher, vice president of engineering at Microsoft Security Response Center, said "in this month's release, a greater share of the issues addressed were discovered by Microsoft, compared to prior months," and that many were surfaced "through AI investments and investigations across our engineering and research teams, including the use of Microsoft's new multi-model AI-driven scanning harness."
Microsoft also cautioned that AI-driven discovery raises operational demands and requires disciplined risk management. "Stay current on supported operating systems, products, and patches, and revisit the speed and consistency of your patching cadence," Gallagher said, advising teams to "triage by exposure and impact, not raw count." Satnam Narang, senior staff research engineer at Tenable, placed the update in broader context, noting Microsoft has already patched over 500 CVEs five months into the year and that "a chunk" of recent discoveries have been flagged via AI-powered approaches.
Secure Boot certificate rollover and practical deadlines
Beyond CVEs, Microsoft is pushing an operational change tied to boot‑level trust. Devices must update Windows Secure Boot certificates to their 2023 counterparts ahead of a June 26, 2026 deadline; the older certificates were issued in 2011 and are set to expire. Microsoft first announced the change in November 2025. Rain Baker warned devices that fail to receive these updates "face 'catastrophic boot-level security failures' or degraded security states," and urged organizations to ensure their entire fleets rotate to the new trust anchors before June 26, 2026.
Practical indicators in this bulletin are specific: 138 patched vulnerabilities, 30 Critical, 104 Important, and multiple high‑impact CVEs that allow remote code execution, privilege escalation, and information disclosure across Windows, cloud services, and enterprise applications. Microsoft recommends standard mitigations — reducing internet exposure, improving configuration hygiene, removing legacy authentication, enabling MFA, enforcing strong access controls, and segmenting environments — and says the organizations that adjust to faster discovery and patch cadence will be "best positioned for what comes next."
