Microsoft Fixes 17 Critical Flaws in May Patch Tuesday

https://www.infosecurity-magazine.com/news/microsoft-17-critical-flaws-may/

Publish Date: 2026-05-13 04:15:00

Source Domain: www.infosecurity-magazine.com

Microsoft has published security updates to fix 120 CVEs in the May Patch Tuesday, 16 of which were discovered by a new multi-model agentic security system.

The overall list included 17 critical vulnerabilities, 14 of which were classed as remote code execution (RCE), two were elevation of privilege (EoP) flaws and one was an information disclosure vulnerability.

In total, the majority of the 120 CVEs listed were EoP (61), RCE (31) and information disclosure (14).

Adam Barnett, principal software engineer at Rapid7, urged “anyone responsible for securing a domain controller” to prioritize CVE-2026-41089 for remediation.

It’s a critical stack-based buffer overflow in Windows Netlogon with a CVSS v3 base score of 9.8 that could give attackers system privileges on the domain controller, Barnett warned.

“For most pentesters, that’s the point at which the customer report more or less writes itself,” he continued. “No privileges or user interaction are required, and attack complexity is low, which suggests that creation of a reliable exploit might not be especially difficult for anyone with knowledge of the specific mechanism.”

Also top of mind for sysadmins should be CVE-2026-41096 – a critical RCE in the Windows DNS client implementation with a CVSS score of 9.8.

“Because DNS is a core networking service used across enterprise environments, exploitation could impact a large number of systems rapidly,” warned Action1 director of vulnerability research, Jack Bicer. “Successful attacks may lead to widespread endpoint compromise, ransomware deployment, credential harvesting, and operational disruption across corporate networks.”

Bicer also flagged CVE-2026-42898, a critical RCE bug in Microsoft Dynamics 365 On-Premises. It could allow an authenticated attacker with low privileges to execute malicious code over the network by manipulating process…