Microsoft May Patch Tuesday Fixes 120 Flaws, but DNS and Dynamics 365 Bugs Demand Priority

May Patch Tuesday: Microsoft Addresses 120 Flaws; No Zero-Days Reported

Microsoft has released its May 2026 Patch Tuesday bulletin, delivering fixes for approximately 120 vulnerabilities spanning the Redmond giant’s entire ecosystem. The rollout addresses critical components including Windows, the Office suite, Azure, the Hyper-V hypervisor, and several advanced developer tools. Although there were no reports of zero-day vulnerabilities being actively exploited or publicly disclosed prior to the release, the nature of the patched flaws suggests a high priority for enterprise infrastructure administrators.

The sheer volume of fixes and the sensitivity of the services involved—ranging from DNS name resolution to Netlogon authentication—make this an intensive update cycle. Security analysts have highlighted a wide variety of attack vectors, including server-side vulnerabilities requiring no user interaction and flaws exploitable through common daily operations. Managing this patch cycle effectively requires a careful analysis of the conflicting severity classifications reported by various industry sources.

The Data Discrepancy: 29 or 14 Critical RCEs?

A complicating factor for security teams this Patch Tuesday is the misalignment in aggregate data. Two convergent editorial sources report the existence of 29 Remote Code Execution (RCE) vulnerabilities classified as Critical. This figure paints a picture of extreme risk for the Microsoft attack surface, suggesting a need for nearly instantaneous patching to prevent large-scale compromises in corporate environments.

However, a third source provides a more restrictive analysis, identifying a total of 17 critical vulnerabilities. In this second count, critical RCEs drop to 14, supplemented by two Elevation of Privilege (EoP) vulnerabilities and one related to Information Disclosure. This discrepancy likely stems from different methodologies used to aggregate data from the official MSRC bulletin, which remains the definitive reference for granular classification.

For organizations, this gap is not merely statistical. A difference of 15 critical vulnerabilities can shift the operational priority during maintenance windows. The affected cumulative builds for Windows 11 include the most recent versions: 25H2 (build 26200.8457), 24H2 (build 26100.8457), and 23H2 (build 22631.7079). Systems administrators are encouraged to validate workloads based on the specific technical documentation for each component.

Securing the Core: DNS, Netlogon, and Dynamics 365

Among the ~120 addressed flaws, those impacting the pillars of Windows networking stand out. Vulnerabilities in the Windows DNS Client (CVE-2026-41096) and Windows Netlogon (CVE-2026-41089) represent the most significant protocol-level risks. These components manage name resolution and user authentication, respectively—areas where implementation errors can lead to total control over a corporate domain.

"Successful exploitation could allow unauthenticated or low-privileged attackers to execute code in highly sensitive parts of the Windows authentication and name resolution stack, echoing the impact of historic bugs like SigRed and Zerologon."

The analogy to SigRed and Zerologon underscores the potential severity: these flaws are often the starting point for lateral movement within a network. An attacker capable of manipulating DNS responses or compromising the Netlogon channel can bypass perimeter security controls. The nature of these vulnerabilities makes them potentially "wormable" or ideal for automated attacks targeting the heart of Active Directory architecture.

Another critical front involves Dynamics 365 On-Premises. Vulnerability CVE-2026-42898 received a CVSS severity score of 9.9, nearly the maximum on the scale. Its danger lies in the fact that it requires no user interaction to be exploited. Alongside CVE-2026-42833, this flaw exposes corporate ERP and CRM servers to immediate code execution risks, making the update of on-premise systems a non-negotiable priority.

Everyday Exploits: From the Preview Pane to Microsoft Paint

The May Patch Tuesday also addresses flaws that exploit an individual's daily routine. Microsoft Office, including Word and Excel, features several RCE vulnerabilities that can be triggered by opening malicious attachments. However, the risk is more subtle: some of these vulnerabilities can be activated simply by viewing the file in the Outlook preview pane, without the user ever opening the document.

This attack vector is particularly insidious because it bypasses the standard caution of users trained not to double-click unknown files. The simple act of scrolling through an inbox could expose the system to remote code execution. Such vulnerabilities challenge the intrinsic security of Office document rendering mechanisms, forcing Microsoft to release structural fixes to harden the preview pane across its mail applications.

Even seemingly innocuous tools like Microsoft Paint are affected. The Windows GDI vulnerability (CVE-2026-35421) allows code execution via a specially crafted Enhanced Metafile (EMF). If a user opens a malicious image in Paint, an attacker can seize control of the system. This demonstrates that legacy graphics libraries remain a vital attack surface—often overlooked by defenders but actively monitored by those seeking elevation of privilege exploits.

Hyper-V and AI: Addressing Escalation and Cloud Bypass

Virtualization is not immune to this patch cycle. Windows Hyper-V is affected by CVE-2026-40402, an elevation of privilege flaw classified as critical. In private cloud or multi-tenant environments, a guest-to-host escape represents a worst-case scenario: a malicious actor within a virtual machine could compromise the underlying hypervisor, gaining access to other virtual machines and the data of the entire infrastructure.

The bulletin also extends protection to AI and development tools. Issues involving spoofing and security feature bypasses were fixed in M365 Copilot (for both Desktop and Android), Azure Machine Learning notebooks, and Visual Studio when used with GitHub Copilot. While there is no evidence of active exploitation, these patches serve to prevent scenarios where an attacker might trick AI into providing malicious responses or bypass execution sandboxes.

These interventions in developer tools highlight a new area of focus for Microsoft. As AI is integrated deeper into workflows, protecting CI/CD pipelines and coding environments becomes crucial. Correcting these flaws ensures that programming assistants do not become a Trojan horse for the introduction of insecure code or the theft of corporate secrets stored in local or cloud development environments.

Recommended Actions

• Consult the official MSRC bulletin immediately to confirm the exact number of Critical and RCE flaws applicable to your infrastructure, resolving the discrepancy between editorial counts (29 vs 14).
• Prioritize updates for Windows DNS Client (CVE-2026-41096), Netlogon (CVE-2026-41089), and Dynamics 365 On-Premises, as these components present the highest risk for unauthenticated attack.
• Deploy patches for Microsoft Office and evaluate, where possible, the temporary disabling of the Outlook preview pane to mitigate code execution risks.
• Update Hyper-V hosts to prevent virtualized system escapes and distribute patches for Visual Studio (with GitHub Copilot), Azure Machine Learning, and M365 Copilot to protect AI assets.

The absence of reported zero-days in this May 2026 Patch Tuesday should not lead to a false sense of security. The presence of a 9.9 CVSS score in ERP systems and "wormable" flaws in core network protocols indicates that malicious actors have access to extremely effective attack vectors. The speed of update deployment remains the only real metric for measuring organizational resilience against these threats.

Frequently Asked Questions

Why is there confusion over the number of critical RCEs fixed?

The divergence between sources (29 vs. 14 critical RCEs) often depends on how CVEs are grouped. Some analysts count every code execution bug in critical components, while others filter only for those with a direct impact on core OS security. It is vital to refer to unique CVE identifiers to map necessary patches.

What is the actual risk regarding Microsoft Paint (CVE-2026-35421)?

The risk lies in the processing of malicious EMF files. Paint utilizes Windows GDI libraries for rendering; a flaw in these libraries allows an image file to execute code with the privileges of the user viewing it. This type of vulnerability is often used as part of an attack chain to gain initial access to a workstation.

Does Dynamics 365 On-Premises require special attention?

Yes. Given the severity of CVE-2026-42898 (CVSS 9.9) and the fact that no user interaction is required for exploitation, administrators must apply specific patches for on-premises versions. Systems directly exposed to the internet or reachable from unprotected network segments should be updated first.

Information has been verified against cited sources and is current as of the time of publication.

Sources

• https://www.cryptika.com/microsoft-patch-tuesday-may-2026-120-vulnerabilities-fixed-including-29-critical-rce-flaws/
• https://cybersecuritynews.com/microsoft-patch-tuesday-may-2026/
• https://thecyberexpress.com/microsoft-may-2026-patch-tuesday/