Microsoft patches 137 flaws, including critical Netlogon
Wed, 13th May 2026
Microsoft disclosed 137 vulnerabilities in its May Patch Tuesday update. Rapid7 identified the most serious as critical flaws in Windows Netlogon, the Windows DNS client and a Microsoft Entra ID authentication plugin.
The monthly release also fixed 133 browser vulnerabilities, though those were counted separately from the Patch Tuesday total.
Teams responsible for domain controllers were urged to prioritise CVE-2026-41089, a critical stack-based buffer overflow in Windows Netlogon. The flaw has a CVSS v3 base score of 9.8 and could allow code execution in the context of the Netlogon service, giving an attacker SYSTEM privileges on a domain controller.
Rapid7 noted that the flaw requires no privileges or user interaction and has low attack complexity, factors that often make exploitation more feasible once technical details are understood. Microsoft rates exploitation as less likely, and no active exploitation or public disclosure has been reported for any of the vulnerabilities in the release.
Adam Barnett, lead software engineer at Rapid7, compared the issue to a notable earlier Windows weakness.
"Anyone responsible for securing a domain controller should prioritise remediation of CVE-2026-41089. It's a critical stack-based buffer overflow in Windows Netlogon with a CVSS v3 base score of 9.8. Exploitation leads to execution in the context of the Netlogon service, which means SYSTEM privileges on the domain controller. For most pentesters, that's the point at which the customer report more or less writes itself. No privileges or user interaction are required, and attack complexity is low, which suggests creating a reliable exploit might not be especially difficult for anyone who understands the specific mechanism," Barnett said.
Rapid7 said defenders may take limited comfort from Microsoft's exploitability rating because it was published without supporting explanation. Organisations familiar with the ZeroLogon vulnerability from 2020 may also see parallels. Patches are available for Windows Server versions from 2012 onwards.
Rapid7 also highlighted CVE-2026-41096, a critical remote code execution flaw in the Windows DNS client. Barnett said it could attract attackers seeking broad access to Windows environments because DNS requests are a routine part of system activity.
"An attacker looking for a master key for Windows assets will pay attention to CVE-2026-41096, a critical RCE in the Windows DNS client implementation. A modern computer talks to DNS the way a child in the back of a car asks, 'are we there yet?'," Barnett said.
Rapid7 noted that the complexity of DNS responses has historically made client implementations vulnerable to coding errors. The DNS client runs as NetworkService rather than SYSTEM, but attackers often chain multiple weaknesses. The company also pointed to heap address randomisation and encrypted DNS channels as mitigations that may make weaponisation harder, even though Microsoft still rates exploitation as less likely.
Plugin risk
Outside Windows itself, Rapid7 drew attention to CVE-2026-41103, a critical elevation of privilege flaw affecting organisations running Atlassian Jira or Confluence with the Microsoft Entra ID authentication plugin. The issue could allow an unauthorised attacker to impersonate an existing user by presenting forged credentials and bypassing Entra ID authentication.
The vulnerability stands out because Microsoft expects exploitation to be more likely. Rapid7 also said the patch links in the advisory appeared to point to older plugin versions published in 2024, raising questions for administrators trying to validate the fix.
"If you're still self-hosting Atlassian JIRA or Confluence and relying on the Microsoft Entra ID authentication plugin, you'll want to know about CVE-2026-41103. This critical elevation of privilege vulnerability allows an unauthorised attacker to impersonate an existing user by presenting forged credentials, thus bypassing Entra ID. Microsoft expects exploitation is more likely. Even if you can't always find what you want on the corporate Confluence, a motivated attacker probably will. Curiously, the patch links in the advisory lead to older versions of the plugins published in 2024," Barnett said.
Research trend
Rapid7 also noted that Microsoft's WARP team was credited with multiple critical vulnerabilities in this release. According to Rapid7, that follows the team's first appearance in Microsoft Security Response Center (MSRC) acknowledgements in the previous month's disclosures.
Barnett suggested the acknowledgements may reflect changing methods of vulnerability discovery.
"Microsoft's WARP team is credited with multiple critical vulnerabilities today, after making their first appearance in MSRC advisory acknowledgements in April's Patch Tuesday. We can speculate that they likely know a great deal about the current state of AI-powered vulnerability research as it applies to Microsoft products," Barnett said.
Alongside the security updates, Rapid7 said there were no significant Microsoft product lifecycle changes in this month's release. One exception was .NET 9 STS, which now reaches end of support on November 10, 2026, after Microsoft granted a six-month extension late last year.