Microsoft's May Patch Tuesday: 138 Vulnerabilities Addressed, Including Critical DNS Flaw
**Microsoft** has released its May 2026 Patch Tuesday updates, addressing a staggering 138 security vulnerabilities across its product ecosystem. While none of the flaws were listed as actively exploited, the sheer volume and severity of some vulnerabilities, including a critical DNS flaw, necessitate immediate patching.

**Microsoft**'s May 2026 security updates address 138 vulnerabilities, with 30 rated Critical, 104 Important, three Moderate, and one Low. A significant number, 61, are privilege escalation bugs, followed by 32 remote code execution flaws.
The update also incorporates a patch for an **AMD** vulnerability, **CVE-2025-54518** (CVSS score: 7.3), concerning improper isolation of shared resources on Zen 2-based products. This could allow privilege escalation.
These patches are in addition to the 127 security flaws addressed by **Google** in **Chromium**, which underlies **Microsoft's Edge** browser.
### Critical Windows DNS Vulnerability
One of the most severe vulnerabilities is **CVE-2026-41096** (CVSS score: 9.8), a heap-based buffer overflow in Windows DNS. An attacker could exploit this by sending a specially crafted DNS response, leading to remote code execution without authentication.
"An attacker could exploit this vulnerability by sending a specially crafted DNS response to a vulnerable Windows system, causing the DNS Client to incorrectly process the response and corrupt memory," **Microsoft** stated. "In certain configurations, this could allow the attacker to run code remotely on the affected system without authentication."
### Other Notable Vulnerabilities
**Microsoft** also addressed several other critical and important vulnerabilities, including:
* **CVE-2026-42826** (CVSS score: 10.0) - Information disclosure in Azure DevOps.
* **CVE-2026-33109** (CVSS score: 9.9) - Improper access control in Azure Managed Instance for Apache Cassandra.
* **CVE-2026-42898** (CVSS score: 9.9) - Code injection in Microsoft Dynamics 365 (on-premises).
* **CVE-2026-42823** (CVSS score: 9.9) - Improper access control in Azure Logic Apps.
* **CVE-2026-41089** (CVSS score: 9.8) - Stack-based buffer overflow in Windows Netlogon.
* **CVE-2026-33823** (CVSS score: 9.6) - Improper authorization in Microsoft Teams.
* **CVE-2026-35428** (CVSS score: 9.6) - Command injection in Azure Cloud Shell.
* **CVE-2026-40379** (CVSS score: 9.3) - Information exposure in Azure Entra ID.
* **CVE-2026-40402** (CVSS score: 9.3) - Use-after-free in Windows Hyper-V.
* **CVE-2026-41103** (CVSS score: 9.1) - Incorrect authentication in Microsoft SSO Plugin for Jira & Confluence.
* **CVE-2026-33117** (CVSS score: 9.1) - Improper authentication in Azure SDK.
* **CVE-2026-42833** (CVSS score: 9.1) - Execution with unnecessary privileges in Microsoft Dynamics 365 (on-premises).
* **CVE-2026-33844** (CVSS score: 9.0) - Improper input validation in Azure Managed Instance for Apache Cassandra.
* **CVE-2026-40361** (CVSS score: 8.4) - Use-after-free in Microsoft Office Word.
* **CVE-2026-40364** (CVSS score: 8.4) - Type confusion in Microsoft Office Word.
**Rapid7**'s Adam Barnett highlighted **CVE-2026-41103**, noting its potential for unauthorized user impersonation and Entra ID bypass.
**Action1**'s Jack Bicer described **CVE-2026-42898** as critical, allowing authenticated attackers with low privileges to execute arbitrary code via Dynamics CRM. He stressed the serious enterprise risk due to potential compromise of customer records, workflows, and integrated business systems.
### Secure Boot Certificate Update Reminder
Organizations are reminded to update Windows Secure Boot certificates to the 2023 versions before the 2011 certificates expire next month. This change was initially announced in November 2025.
**Nightwing**'s Rain Baker emphasized the criticality of this update, warning of "catastrophic boot-level security failures" for devices not updated by the June 26, 2026 deadline.
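A quick way to verify whether a machine has already received the 2023 certificates, added here as an example and not taken from the article or from Microsoft's own tooling: it reads the Secure Boot `db` and `KEK` variables with the built-in `Get-SecureBootUEFI` cmdlet and searches them for the subject names of the replacement CAs (assumed to be the names published in Microsoft's Secure Boot CA update guidance). Run it in an elevated PowerShell session on a UEFI system.

```powershell
# Added check: are the 2023 Secure Boot CAs present in this machine's db and KEK?
# Requires elevation and UEFI firmware; Confirm-SecureBootUEFI throws on legacy BIOS.

function Test-SecureBoot2023Certs {
    if (-not (Confirm-SecureBootUEFI)) {
        throw "Secure Boot is not enabled on this system; the certificate update does not apply."
    }

    # Subject names of the replacement CAs (assumed from Microsoft's published guidance).
    $expected = @{
        db  = @('Windows UEFI CA 2023', 'Microsoft UEFI CA 2023')
        KEK = @('Microsoft Corporation KEK 2K CA 2023')
    }

    $results = foreach ($variable in $expected.Keys) {
        # The variable's raw bytes hold the DER-encoded certificates; the subject CN
        # appears as a contiguous ASCII string, so a plain text search is enough.
        $bytes = (Get-SecureBootUEFI -Name $variable).Bytes
        $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
        foreach ($name in $expected[$variable]) {
            [pscustomobject]@{
                Variable    = $variable
                Certificate = $name
                Present     = ($text -match [regex]::Escape($name))
            }
        }
    }
    return $results
}

$status = Test-SecureBoot2023Certs
$status | Format-Table -AutoSize
if ($status | Where-Object { -not $_.Present }) {
    Write-Warning "One or more 2023 Secure Boot CAs are missing; apply the certificate update before the 2011 CAs expire."
}
```

A missing `Microsoft UEFI CA 2023` entry matters mainly for machines that boot third-party option ROMs or non-Windows bootloaders signed under the 2011 third-party CA.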
### Over 500 CVEs in 2026 So Far
According to **Tenable**'s Satnam Narang, **Microsoft** has already patched over 500 CVEs in the first five months of 2026, highlighting the increasing complexity and volume of vulnerabilities in modern software.