Microsoft Patches 137 Vulnerabilities: Critical Flaws in Netlogon and More (2026)

Microsoft's May Patch Tuesday update addresses 137 vulnerabilities, headlined by critical flaws in Windows Netlogon, the Windows DNS client, and a Microsoft Entra ID authentication plugin. The update also fixes 133 browser vulnerabilities, though these are counted separately from the Patch Tuesday total.

The most serious issue is a critical stack-based buffer overflow in Windows Netlogon, with a CVSS v3 base score of 9.8. This flaw could allow code execution in the context of the Netlogon service, giving an attacker SYSTEM privileges on a domain controller. The issue requires no privileges or user interaction and has low attack complexity, making exploitation more feasible once technical details are understood.

Adam Barnett, lead software engineer at Rapid7, compared the issue to a notable earlier Windows weakness. He emphasized the importance of prioritizing remediation of CVE-2026-41089, stating that it's a critical stack-based buffer overflow in Windows Netlogon with a CVSS v3 base score of 9.8. He continued: "Exploitation leads to execution in the context of the Netlogon service, which means SYSTEM privileges on the domain controller. For most pentesters, that's the point at which the customer report more or less writes itself. No privileges or user interaction are required, and attack complexity is low, which suggests creating a reliable exploit might not be especially difficult for anyone who understands the specific mechanism."

Rapid7 also highlighted CVE-2026-41096, a critical remote code execution flaw in the Windows DNS client. This issue could attract attackers seeking broad access to Windows environments because DNS requests are a routine part of system activity. As Rapid7 put it: "An attacker looking for a master key for Windows assets will pay attention to CVE-2026-41096, a critical RCE in the Windows DNS client implementation. A modern computer talks to DNS the way a child in the back of a car asks, 'are we there yet?'"

The company noted that the complexity of DNS responses has historically made client implementations vulnerable to coding errors. The DNS client runs as NetworkService rather than SYSTEM, but attackers often chain multiple weaknesses. The company also pointed to heap address randomisation and encrypted DNS channels as mitigations that may make weaponisation harder, even though Microsoft still rates exploitation as less likely.

Outside Windows itself, Rapid7 drew attention to CVE-2026-41103, a critical elevation of privilege flaw affecting organizations running Atlassian Jira or Confluence with the Microsoft Entra ID authentication plugin. The issue could allow an unauthorized attacker to impersonate an existing user by presenting forged credentials and bypassing Entra ID authentication. This vulnerability stands out because Microsoft expects exploitation to be more likely. In Rapid7's words: "Even if you can't always find what you want on the corporate Confluence, a motivated attacker probably will." Curiously, the patch links in the advisory lead to older versions of the plugins published in 2024.

Rapid7 also noted that Microsoft's WARP team was credited with multiple critical vulnerabilities in this release. According to Rapid7, that follows the team's first appearance in Microsoft Security Response Centre acknowledgements in the previous month's disclosures. Barnett suggested the acknowledgements may reflect changing methods of vulnerability discovery: "Microsoft's WARP team is credited with multiple critical vulnerabilities today, after making their first appearance in MSRC advisory acknowledgements in April's Patch Tuesday. We can speculate that they likely know a great deal about the current state of AI-powered vulnerability research as it applies to Microsoft products."

Alongside the security updates, Rapid7 said there were no significant Microsoft product lifecycle changes in this month's release. One exception was .NET 9 STS, which now reaches end of support on November 10, 2026, after Microsoft granted a six-month extension late last year.

Author: Merrill Bechtelar CPA