May 2026 Patch Tuesday: 137 Vulnerabilities Addressed, No Zero-Days Found Despite Critical DNS RCE

Microsoft released its May 2026 Patch Tuesday security bulletin on May 12, addressing 137 vulnerabilities across Windows, Azure, Office, SharePoint, and Dynamics 365. Although none of the flaws were reported as being exploited in the wild at the time of release, the technical severity of the package remains high. Unauthenticated remote code execution (RCE) vulnerabilities in the Windows DNS Client and Netlogon expose every Windows endpoint and domain controller to potential network compromise without requiring user interaction.
The defining characteristic of the May 2026 bulletin is not merely the severity of the reported RCEs. Primary analysis sources have reported conflicting figures regarding vulnerabilities classified as "critical," creating an information gap that complicates prioritization for vulnerability management teams. Microsoft has designated 13 vulnerabilities as "more likely" to be exploited, while the remaining 113 are categorized as "less likely" or "unlikely," according to CyberScoop’s analysis of vendor data.
- The May 2026 bulletin includes 137 total vulnerabilities; no active zero-day exploitation has been detected by Microsoft.
- Discrepancy in critical counts: Talos Intelligence identifies 31 based on Microsoft tags, while CyberScoop reports 13 with a "Critical" CVSS rating.
- Critical unauthenticated RCEs affect the Windows DNS Client and Netlogon, directly impacting the attack surface of every enterprise Windows endpoint.
- Talos has released Snort rules for SID blocks 1:66438-1:66445, 1:66451-1:66460, and 1:66470-1:66476 to monitor for exploit attempts.
DNS Client and Netlogon RCE: The Core of Enterprise Risk
Among the highest-impact flaws, Talos Intelligence highlights a heap-based overflow in the Windows DNS Client that allows an unauthenticated attacker to execute remote code via manipulated DNS responses. Because the DNS Client service is active on nearly every Windows machine in the enterprise ecosystem, the exposure surface is massive. An attacker capable of influencing DNS responses could seize control of systems without any action required from employees or system administrators.
"No authentication or user interaction needed, and since the DNS Client runs on virtually every Windows machine, the attack surface is enormous. An attacker with a position to influence DNS responses could achieve unauthenticated remote-code execution across your enterprise." - Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative
Simultaneously, Talos describes a stack-based buffer overflow in Windows Netlogon. An attacker can send a malformed network request to a server operating as a domain controller to trigger unauthorized code execution. This vulnerability requires no credentials or prior access. "An attacker could send a specially crafted network request to a Windows server that is acting as a domain controller. If successful, this could cause the Netlogon service to improperly handle the request, potentially allowing the attacker to run code on the affected system."
While the absence of zero-days mitigates immediate urgency, these 16 critical RCE vulnerabilities (according to the Talos count) are primary targets for post-patch weaponization. Once the technical details of the fixes become public, unpatched systems—specifically domain controllers exposing Netlogon and endpoints resolving DNS queries—will become vulnerable to lateral movement and total compromise of the organization's Active Directory domain.
Dynamics 365 and Azure: Code Injection and 9.9 CVSS Scores
The May 2026 bulletin also includes critical issues for cloud and CRM infrastructure. CyberScoop has flagged a pair of vulnerabilities in Azure and a specific flaw in Microsoft Dynamics 365 on-premises that received a CVSS score of 9.9, approaching the maximum severity level. Talos specifies that the Dynamics vulnerability (CVE-2026-42898) stems from improper control of code generation, allowing an authorized attacker to execute arbitrary commands over the network.
Jack Bicer, director of vulnerability research at Action1, emphasized that the compromise of systems like Dynamics 365 exposes sensitive customer data and operational workflows. The primary risk lies in an attacker’s ability to use basic access to transform an application server into a remote execution platform, expanding the impact far beyond the initially vulnerable component. This type of escalation jeopardizes the confidentiality of critical corporate information.
"With no user interaction required, and the potential to impact systems beyond the vulnerable component's original security scope, this vulnerability poses serious enterprise risk: an attacker with only basic access could turn a business application server into a remote execution platform." - Jack Bicer, Action1.
The integrity of CRM systems is vital for business continuity. A successful code injection in Dynamics 365 on-premises does more than just compromise the records database; it can serve as a beachhead for data exfiltration or the paralysis of automated business workflows, making the timely patching of these cloud and on-premises assets imperative.
The Discrepancy Between Talos and CyberScoop on 'Critical' Counts
Talos Intelligence and CyberScoop agree on the total of 137 vulnerabilities resolved by Microsoft but show a sharp discrepancy in severity classification. Talos reports that 31 vulnerabilities were marked as "critical" by Microsoft. Conversely, CyberScoop indicates that only 13 vulnerabilities received a CVSS rating officially classified as critical. This technical divergence arises from the difference between the vendor's qualitative "severity tags" (used by Talos) and the numerical CVSS score (used by CyberScoop).
This technical misalignment directly affects defense strategies. Following Microsoft's tag criteria raises the volume of priority patches to 31, while following the CVSS rating drops it to 13. CyberScoop further clarifies that only 13 vulnerabilities are considered "more likely" by Microsoft regarding exploitation probability, while the vast majority—113 flaws—fall into the "less likely" or "unlikely" categories.
"Microsoft has not observed any of the included vulnerabilities being actively exploited in the wild," Talos Intelligence confirmed, citing the official bulletin. However, the lack of a unified metric among analysts suggests that security teams should look beyond simple "critical" counts. They must instead evaluate the actual exposure of their assets, considering that a "more likely" tag may indicate an ease of exploitation that the CVSS score alone does not always fully reflect.
Recommended Security Actions
Establish a rigorous patching hierarchy: Update Domain Controllers and DNS servers within 48-72 hours, given the critical nature of the unauthenticated RCEs affecting Windows Netlogon and the DNS Client on every network endpoint. Absolute priority must be given to these infrastructure components to prevent domain-level compromise.
Proceed with an immediate update of Microsoft Dynamics 365 on-premises instances and Azure resources identified with a 9.9 CVSS score. For systems that cannot sustain immediate downtime, implement network segmentation measures to isolate traffic to Netlogon ports and limit DNS queries to authorized, secure recursive servers.
Deploy the Snort rules released by Talos Intelligence into IDS/IPS systems. Specifically, configure the non-contiguous SID blocks 1:66438-1:66445, 1:66451-1:66460, and 1:66470-1:66476. These rules are essential for monitoring exploitation attempts during the window required to complete the patching cycle across all 137 vulnerabilities.
The May 2026 Patch Tuesday reinforces that Windows endpoint security depends on precise data governance. The misalignment between 31 and 13 critical vulnerabilities proves that relying on a single third-party aggregator can lead to an underestimation of risk. In a landscape where RCEs strike core components like the DNS Client, the speed of patch execution remains the only effective defense against post-release weaponization.
Why does Talos report 31 critical flaws while CyberScoop reports only 13?
The difference lies in the analysis criteria: Talos reports all vulnerabilities assigned a "Critical" severity tag by Microsoft. CyberScoop, however, filters the bulletin based exclusively on a numerical CVSS v3/v4 rating of 9.0 or higher. Both figures are accurate within their respective methodologies but reflect different perspectives on severity.
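The three selection criteria the article contrasts (Microsoft's "Critical" tag, a CVSS score of 9.0 or higher, and the "more likely" exploitability assessment) can be applied side by side and merged into one patch queue weighted by asset exposure. This is an added example, not code from Microsoft, Talos or CyberScoop; the record fields, the `exposed_hosts` inventory count and every sample value are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    cve: str             # placeholder identifier, constructed
    vendor_tag: str      # Microsoft severity tag, e.g. "Critical" or "Important"
    cvss: float          # CVSS base score
    exploitability: str  # "more likely", "less likely" or "unlikely"
    exposed_hosts: int   # hosts in your own inventory running the component

# Constructed records; none of these values come from the bulletin.
SAMPLE = [
    Vuln("CVE-EXAMPLE-0001", "Critical", 9.8, "more likely", 4200),
    Vuln("CVE-EXAMPLE-0002", "Critical", 8.1, "less likely", 12),
    Vuln("CVE-EXAMPLE-0003", "Critical", 8.8, "more likely", 0),
    Vuln("CVE-EXAMPLE-0004", "Important", 9.1, "unlikely", 3),
    Vuln("CVE-EXAMPLE-0005", "Important", 7.8, "more likely", 4200),
    Vuln("CVE-EXAMPLE-0006", "Important", 6.5, "unlikely", 900),
]

# One predicate per methodology described in the article.
SIGNALS = {
    "vendor_tag": lambda v: v.vendor_tag == "Critical",
    "cvss": lambda v: v.cvss >= 9.0,
    "exploitability": lambda v: v.exploitability == "more likely",
}

def count_by_signal(vulns):
    """How many flaws each methodology would report as top priority."""
    return {name: sum(1 for v in vulns if test(v)) for name, test in SIGNALS.items()}

def triage(vulns):
    """Queue every flaw that any signal flags and that is present in the estate,
    ordered by number of agreeing signals, then by exposed hosts."""
    queue = []
    for v in vulns:
        hits = [name for name, test in SIGNALS.items() if test(v)]
        if hits and v.exposed_hosts > 0:
            queue.append((v, hits))
    queue.sort(key=lambda item: (-len(item[1]), -item[0].exposed_hosts, item[0].cve))
    return queue

if __name__ == "__main__":
    print(count_by_signal(SAMPLE))
    for vuln, hits in triage(SAMPLE):
        print(vuln.cve, vuln.exposed_hosts, hits)
```

In the constructed data, the flaw tagged only "more likely" but present on 4200 hosts is queued ahead of a tag-critical flaw present on 12, which neither single count would show.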
What are the risks associated with the DNS Client vulnerability?
This vulnerability is particularly dangerous because the DNS Client is present by default on every Windows system. As an unauthenticated RCE that requires no user interaction, an attacker who intercepts or fakes a DNS response can execute arbitrary code with elevated privileges, making the flaw ideal for wormable attacks within a corporate network.
Do the provided Snort rules cover the entire range of reported SIDs?
No, the SIDs released by Talos for Snort 2 and Snort 3 do not form a single contiguous range. Valid rules are found in blocks 1:66438-1:66445, 1:66451-1:66460, and 1:66470-1:66476. It is critical to enter these specific identifiers correctly to avoid monitoring non-existent ranges or those irrelevant to the May 2026 vulnerabilities.
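A deployment check for the SID blocks named in the recommended actions and in the answer above, as an added example that is not Talos or Microsoft code. It assumes rules are stored one per line with a `sid:N;` option and that disabled rules are commented out with `#`; the sample rule lines are constructed placeholders, not Talos rule content.

```python
import re

# SID blocks as listed in the article (generator ID 1), inclusive bounds.
TALOS_BLOCKS = [(66438, 66445), (66451, 66460), (66470, 66476)]
ACTIONS = {"alert", "block", "drop", "log", "pass", "reject", "sdrop", "react", "rewrite"}
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")

# Constructed sample: placeholder headers and messages only.
SAMPLE_RULES = """\
alert udp any 53 -> $HOME_NET any (msg:"placeholder A"; sid:66438; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"placeholder B"; gid:1; sid:66451; rev:1;)
# alert tcp any any -> $HOME_NET any (msg:"placeholder C"; sid:66470; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"placeholder D"; sid:66447; rev:1;)
"""

def expected_sids(blocks=TALOS_BLOCKS):
    """Expand the inclusive blocks into the exact set of SIDs to deploy."""
    return {sid for lo, hi in blocks for sid in range(lo, hi + 1)}

def audit_rules(rules_text, blocks=TALOS_BLOCKS):
    """Sort the expected SIDs into enabled, disabled (commented out) and missing."""
    enabled, disabled = set(), set()
    for line in rules_text.splitlines():
        stripped = line.strip()
        commented = stripped.startswith("#")
        body = stripped.lstrip("#").strip()
        words = body.split(None, 1)
        if not words or words[0] not in ACTIONS:
            continue  # blank line or ordinary comment, not a rule
        sid, gid = SID_RE.search(body), GID_RE.search(body)
        if not sid or (gid and gid.group(1) != "1"):
            continue  # no SID, or a rule from another generator
        (disabled if commented else enabled).add(int(sid.group(1)))
    disabled -= enabled  # an active copy of a rule wins over a commented one
    want = expected_sids(blocks)
    lo, hi = min(want), max(want)
    return {
        "enabled": sorted(want & enabled),
        "disabled": sorted(want & disabled),
        "missing": sorted(want - enabled - disabled),
        # Rules sitting in the gaps between blocks: a sign of one 66438-66476 range.
        "in_gap": sorted(s for s in enabled | disabled if lo <= s <= hi and s not in want),
    }

if __name__ == "__main__":
    for state, sids in audit_rules(SAMPLE_RULES).items():
        print(f"{state:8} {len(sids):2}  {sids}")
```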
Information has been verified against cited sources and is current at the time of publication.