Patch Tuesday - May 2026

[Patch Tuesday - May 2026]

May 13, 2026|Last updated on May 13, 2026|37 min read

• Windows Netlogon: critical RCE
• Windows DNS Client: critical RCE
• JIRA/Confluence Entra ID auth plugin: critical EoP
• Developer Tools vulnerabilities
• Microsoft Dynamics vulnerabilities
• Open Source Software vulnerabilities
• Critical RCEs and EoPs

Microsoft is publishing 137 vulnerabilities on May 2026 Patch Tuesday. Microsoft is not aware of exploitation in the wild or public disclosure for any of these vulnerabilities. So far this month, Microsoft has provided patches to address 133 browser vulnerabilities, which are not included in the Patch Tuesday count above.

Windows Netlogon: critical RCE

Anyone responsible for securing a domain controller should prioritize remediation of CVE-2026-41089, which is a critical stack-based buffer overflow in Windows Netlogon with a CVSS v3 base score of 9.8. Exploitation leads to execution in the context of the Netlogon service, so that’s SYSTEM privileges on the domain controller. For most pentesters, that’s the point at which the customer report more or less writes itself. No privileges or user interaction are required, and attack complexity is low, which suggests that creation of a reliable exploit might not be especially difficult for anyone with knowledge of the specific mechanism.

Microsoft assesses exploitation as less likely, but since those exploitability assessments are provided without an accompanying explanation, it’s not clear how much reassurance defenders should take. Anyone who remembers the much-discussed CVE-2020-1472 (aka ZeroLogon) back in 2020 will note that CVE-2026-41089 offers an attacker more immediate control of a domain controller. Patches are available for all versions of Windows Server from 2012 onwards.

Windows DNS Client: critical RCE

An attacker looking for a master key for Windows assets will pay attention to CVE-2026-41096, a critical RCE in the Windows DNS client implementation. A modern computer talks to DNS the way a child in the back of a car asks “are we there yet?” The variable and complex structure of DNS responses means that DNS client implementations are also complex and thus prone to flaws. Microsoft assesses exploitation as less likely, and we can hope that modern mitigations such as heap address randomization and optional-but-recommended encrypted channel DNS will make weaponization significantly more challenging by putting barriers across specific paths to exploitation. The DNS client on Windows runs as the NetworkService role, rather than SYSTEM, but a foothold is a foothold, and skilled attackers expect to chain exploits together.

JIRA/Confluence Entra ID auth plugin: critical EoP

If you’re still self-hosting Atlassian JIRA or Confluence and relying on the Microsoft Entra ID authentication plugin, you’ll want to know about CVE-2026-41103. This critical elevation of privilege vulnerability allows an unauthorized attacker to impersonate an existing user by presenting forged credentials, thus bypassing Entra ID. Microsoft expects that exploitation is more likely. Even if you can’t always find what you want on the corporate Confluence, a motivated attacker probably will. Curiously, the patch links on the advisory lead to older versions of the plugins published in 2024.

Microsoft’s WARP team is credited with multiple critical vulnerabilities today, after making their first appearance in MSRC advisory acknowledgements in last month’s Patch Tuesday. We can speculate that they likely know a great deal about the current state of AI-powered vulnerability research as it applies to Microsoft products.

There are no significant Microsoft product lifecycle changes this month. Microsoft .NET 9 STS (Standard Term Support, as distinct from Long Term Support) was originally scheduled to move past the end of support in May 2026, but late last year, Microsoft granted a six-month extension, so that .NET 9 STS now reaches end of support on November 10, 2026.

Developer Tools vulnerabilities

| CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score | | --- | --- | --- | --- | --- | | CVE-2026-7598 | libssh2 userauth.c userauth_password integer overflow | n/a | No | 7.3 | | CVE-2026-43870 | Apache Thrift: Node.js web_server.js multi-vulnerability | n/a | No | 7.3 | | CVE-2026-43868 | Apache Thrift: Rust implementation vulnerable to CVE-2020-13949 pattern | n/a | No | 5.3 | | CVE-2026-43869 | Apache Thrift: TSSLTransportFactory.java hostname verification | n/a | No | 7.3 |

Microsoft Dynamics vulnerabilities

| CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score | | --- | --- | --- | --- | --- | | CVE-2026-33821 | Microsoft Dynamics 365 Customer Insights Elevation of Privilege Vulnerability | N/A | No | 7.7 | | CVE-2026-40417 | Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnerability | Exploitation Less Likely | No | 7.8 | | CVE-2026-42898 | Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability | Exploitation Unlikely | No | 9.9 | | CVE-2026-42833 | Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability | Exploitation Less Likely | No | 9.1 | | CVE-2026-40374 | Microsoft Power Automate Desktop Information Disclosure Vulnerability | Exploitation Less Likely | No | 6.5 |

Open Source Software vulnerabilities

| CVE | Title | Exploitation status | Publicly disclosed? | CVSS v3 base score | | --- | --- | --- | --- | --- | | CVE-2026-40370 | SQL Server Remote Code Execution Vulnerability | Exploitation Less Likely | No | 8.8 |

Critical RCEs and EoPs

• [+1-866-390-8113](tel:+1-866-390-8113)

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences, or your device, and is mostly used to make the site work as you expect. The information does not usually identify you directly, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to learn more and change our default settings. Blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Reject All Confirm My Choices