Critical RCE and EoP vulnerabilities in Microsoft products addressed in May Patch Tuesday
Summary
Microsoft released fixes for 120 CVEs in the May 2026 Patch Tuesday update, including 17 critical flaws, primarily remote code execution (RCE) and elevation of privilege (EoP) issues. A new multi-model agentic AI system discovered 16 of these CVEs. Key critical vulnerabilities include CVE-2026-41089 (Windows Netlogon stack-based buffer overflow, CVSS 9.8), CVE-2026-41096 (Windows DNS client RCE, CVSS 9.8), and CVE-2026-42898 (Microsoft Dynamics 365 On-Premises RCE). These flaws allow attackers to gain system privileges, compromise endpoints, and execute malicious code with minimal prerequisites.
Timeline
- 13.05.2026 11:15 · 1 article
Microsoft Patch Tuesday May 2026 includes critical RCE and EoP fixes across core services
Microsoft published security updates addressing 120 CVEs, including 17 critical vulnerabilities. Three high-impact flaws—CVE-2026-41089 (Windows Netlogon buffer overflow, CVSS 9.8), CVE-2026-41096 (Windows DNS client RCE, CVSS 9.8), and CVE-2026-42898 (Microsoft Dynamics 365 RCE)—were prioritized for remediation due to their potential for rapid exploitation and extensive enterprise compromise. The updates also included 16 CVEs discovered via Microsoft’s new agentic AI system, MDASH, which integrates over 100 specialized agents across multiple models to enhance vulnerability detection.
- Microsoft Fixes 17 Critical Flaws in May Patch Tuesday — www.infosecurity-magazine.com — 13.05.2026 11:15
Information Snippets
- Microsoft Patch Tuesday May 2026 addressed 120 CVEs, with 17 classified as critical.
  First reported: 13.05.2026 11:15 (1 source, 1 article)
- 16 of the 120 CVEs were discovered using a new multi-model agentic AI security system developed by Microsoft’s Autonomous Code Security (ACS) team.
  First reported: 13.05.2026 11:15 (1 source, 1 article)
- CVE-2026-41089 is a critical stack-based buffer overflow in Windows Netlogon (CVSS v3 base score: 9.8) that allows attackers to gain system privileges on domain controllers without requiring user interaction or privileges.
  First reported: 13.05.2026 11:15 (1 source, 1 article)
- CVE-2026-41096 is a critical RCE flaw in the Windows DNS client implementation (CVSS 9.8) that could enable rapid, widespread compromise of enterprise systems.
  First reported: 13.05.2026 11:15 (1 source, 1 article)
- CVE-2026-42898 is a critical RCE vulnerability in Microsoft Dynamics 365 On-Premises (CVSS not specified) that allows authenticated attackers with low privileges to execute arbitrary code via network manipulation of process session data.
  First reported: 13.05.2026 11:15 (1 source, 1 article)
- The new agentic AI system, MDASH, utilizes over 100 specialized agents across multiple models, including state-of-the-art (SOTA) models for reasoning and distilled models for cost-effective validation, with independent model disagreement used to validate findings.
  First reported: 13.05.2026 11:15 (1 source, 1 article)