Vulnerability Management

Microsoft May 2026 Patch Tuesday: No Zero-Days, but Two CVSS 9.8 Wormable RCEs

Microsoft's May 2026 Patch Tuesday shipped without a single exploited zero-day for the first time since June 2024, but it still carried two unauthenticated CVSS 9.8 remote code execution bugs in core Windows services that every domain should treat as emergency patches.

Safeguard Research Team
Threat Intelligence

On May 12, 2026, Microsoft published its monthly security update and did something it had not managed in nearly two years: it shipped a Patch Tuesday with no actively exploited and no publicly disclosed zero-day vulnerabilities. The last time a Microsoft monthly rollup carried zero known-exploited bugs was June 2024. For defenders who have spent twenty-three consecutive months rushing out-of-band or same-day domain controller reboots, that is a genuinely quiet headline.

It is also a misleading one. The absence of a zero-day is a statement about what attackers were doing the week before patch day, not about what they can do the week after. This month's release includes two unauthenticated, network-reachable remote code execution flaws rated CVSS 9.8 in two of the most fundamental services Windows runs: Netlogon and the DNS Client. Both are the kind of bug that gets reverse-engineered from the patch diff within days and folded into commodity tooling within weeks. The June 2024-to-May 2026 zero-day streak ended not because the platform got safer, but because this month's worst bugs happened to be found by researchers rather than criminals first.

Vendor CVE counts for this release diverge depending on what each tracker folds in (Microsoft-proper versus Mariner, Edge/Chromium, and republished CVEs). Tenable counted 118 Microsoft CVEs; the Zero Day Initiative counted 138 across the full release including 30 rated Critical; BleepingComputer and several others landed at 120. The exact total matters less than the shape of it: elevation of privilege dominated again at roughly half of all fixes, remote code execution was about a quarter, and the genuinely dangerous tail is small and identifiable. This roundup focuses on that tail.

TL;DR

  • No zero-days. First Microsoft Patch Tuesday since June 2024 with zero actively exploited or publicly disclosed flaws at release. Treat this as a patching window, not an all-clear.
  • CVE-2026-41089 (Netlogon, CVSS 9.8) is an unauthenticated RCE on domain controllers via a stack-based buffer overflow in MS-NRPC. No credentials, no user interaction, assessed wormable. Patch DCs first.
  • CVE-2026-41096 (DNS Client, CVSS 9.8) is an unauthenticated RCE triggered by a malicious DNS response; a rogue or man-in-the-middle DNS server can corrupt memory on any querying Windows host.
  • CVE-2026-42898 (Dynamics 365 on-premises, CVSS 9.9) is the highest-scored bug in the release: authenticated code injection with a scope change, enabling lateral movement on ERP infrastructure.
  • CVE-2026-41103 (Microsoft SSO Plugin for Jira & Confluence, CVSS 9.1) is an authentication-bypass-style EoP that lets an unauthorized attacker forge identity into Atlassian apps.
  • Critical-but-not-headline: CVE-2026-40402 Hyper-V EoP (9.3, guest-to-host risk), CVE-2026-40365 SharePoint RCE (8.8, authenticated), plus a cluster of Word and Office RCEs reachable through the Preview Pane.
  • Action: ring-deploy DCs and DNS-dependent infrastructure within days, not weeks. Reachability and exploitability signals should drive the rest of the queue.

What happened

Microsoft released its May 2026 security updates on the second Tuesday of the month, May 12. Across the major trackers the Microsoft-authored CVE count sits between 118 and 138, with 16 to 30 rated Critical depending on whether you count only Microsoft's own ratings or include reclassifications. The Zero Day Initiative's tally of 138 Microsoft CVEs plus 52 Adobe CVEs made it one of the larger releases of the year by raw volume, even though the severity distribution was the routine one: elevation of privilege at roughly 48 to 51 percent, remote code execution at roughly 25 percent, and the remainder split across information disclosure, spoofing, denial of service, and security feature bypass.

The story of the release is the two CVSS 9.8 unauthenticated RCEs. Both sit in services that are on by default, listen on the network, and are present on effectively every Windows estate. Neither was exploited at release, and Microsoft's Exploitability Index rated both "Exploitation Less Likely" at publication — a judgment about current exploit maturity, not about future risk. For bugs in Netlogon and DNS, the gap between "less likely" and "weaponized" has historically been measured in weeks.

The two that matter most

CVE-2026-41089 — Windows Netlogon RCE (CVSS 9.8)

This is the bug to patch first. CVE-2026-41089 is a remote code execution vulnerability in Windows Netlogon, the service domain controllers use to handle the Netlogon Remote Protocol (MS-NRPC) during machine and domain authentication. The root cause is a stack-based buffer overflow that originates from an integer overflow: during the authentication handshake, the Netlogon service processes a caller-specified length value without proper validation, and a crafted value lets an attacker write past a fixed-size stack buffer.

An unauthenticated, remote attacker can exploit it by sending a single crafted network request to a Windows server running as a domain controller. No sign-in, no prior foothold, no user interaction. Because Netlogon is the spine of Active Directory authentication, successful exploitation puts an attacker at the center of the identity fabric: credential theft, malware deployment, lateral movement, and disruption of authentication services all follow from one box. The bug is assessed as wormable. Anyone who lived through Zerologon (CVE-2020-1472) will recognize the shape of the threat, though the mechanism here is memory corruption rather than a cryptographic flaw. We cover the mechanics, detection, and remediation in depth in our dedicated deep dive on CVE-2026-41089.

CVE-2026-41096 — Windows DNS Client RCE (CVSS 9.8)

The second 9.8 is arguably broader in blast radius even if it ranks below Netlogon for severity of a single compromise. CVE-2026-41096 is a heap-based buffer overflow in the Windows DNS Client. An attacker-controlled DNS server can send a specially crafted DNS response that the client incorrectly processes, corrupting memory and enabling remote code execution. No authentication and no user interaction are required.

The realistic attack vector is a rogue DNS server or a man-in-the-middle position on the resolution path — coffee-shop and conference Wi-Fi, a compromised upstream resolver, DHCP-pushed DNS on a hostile network, or an attacker who already has a low-privilege foothold and can answer DNS queries. Because every Windows host resolves names constantly, the population of vulnerable systems is essentially the entire fleet, not just servers. The mitigating factor is that the attacker needs to be positioned to answer a victim's DNS query; the aggravating factor is how often Windows hosts make those queries to infrastructure outside the defender's control.

CVE-2026-42898 — Dynamics 365 on-premises RCE (CVSS 9.9)

The single highest-scored CVE in the release is a code injection flaw in on-premises Microsoft Dynamics 365. It requires an authenticated user, which keeps it off the "patch DCs tonight" list, but the 9.9 comes from a scope change: successful exploitation lets code execute beyond the vulnerable component's security boundary, which is exactly what enables lateral movement off an ERP system that typically sits close to finance and HR data. Scope-change RCEs are uncommon, and this one deserves priority on any estate that still runs Dynamics 365 on-premises.

CVE-2026-41103 — Microsoft SSO Plugin for Jira & Confluence (CVSS 9.1)

Rated as an elevation of privilege but functionally an authentication bypass, CVE-2026-41103 affects Microsoft's single sign-on plugin for Atlassian Jira and Confluence. Per Microsoft's advisory, an unauthorized attacker can exploit the login process by sending a specially crafted response message, forging identity to access or modify data in Jira and Confluence. Any organization fronting Atlassian Data Center products with this plugin should treat it as a priority, because it sits directly on the authentication path for systems that hold source code, tickets, and runbooks.

The rest of the critical tail

A few more CVEs are worth pulling out of the long list:

  • CVE-2026-40402 — Hyper-V elevation of privilege (CVSS 9.3). Not an RCE, but a high-severity privilege escalation with guest-to-host implications in virtualized and multi-tenant environments. On any host running untrusted or semi-trusted guests, this is a containment-boundary bug and should be patched promptly.
  • CVE-2026-40365 — SharePoint Server RCE (CVSS 8.8). Authenticated, but the bar is low: "anyone with site privileges" qualifies, which in many SharePoint deployments is a large population. Given the year SharePoint has had with the ToolShell family (CVE-2025-53770 and friends), on-prem SharePoint operators should not let this sit.
  • A cluster of Word and Office RCEs — including CVE-2026-40361, CVE-2026-40364, CVE-2026-40366, CVE-2026-40367 (Word, ~8.4 each) and CVE-2026-40358, CVE-2026-40363, CVE-2026-42831 (Office). Several are reachable through the Preview Pane, meaning a user does not have to open the file for the malicious document to fire. These are the classic phishing-payload bugs and should ride your normal Office update channel quickly.

For the broader enterprise picture beyond Microsoft, the same week saw critical fixes from SAP, VMware, Ivanti, Fortinet, and others; we cover the most severe of those, the SAP S/4HANA and Commerce flaws, in a separate analysis.

What detection looks like

Patching is the fix; detection covers the window before patches land everywhere and catches exploitation attempts against stragglers.

For Netlogon (CVE-2026-41089), watch domain controllers for:

  • Anomalous or malformed MS-NRPC traffic to TCP/445 and the dynamic RPC range, especially from hosts that have no business speaking Netlogon to a DC.
  • Unexpected lsass.exe or netlogon-related process crashes and Windows Error Reporting entries on DCs — memory-corruption exploits are rarely reliable on the first try and tend to leave a trail of crashes.
  • New service creation, scheduled tasks, or child processes spawned by the Netlogon service context.

For DNS Client (CVE-2026-41096):

  • DNS responses that are anomalously large or malformed relative to the query, particularly from resolvers that are not your sanctioned infrastructure.
  • Hosts suddenly using unexpected DNS servers (rogue DHCP, manual override, or a hostile network) — compare configured resolvers against your golden baseline.
  • Crashes in the DNS client service or in processes that invoke name resolution shortly after receiving external responses.
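To make the "malformed relative to the query" signal concrete, here is an added example that is not code from the original post: a small Python validator that walks a DNS response's length fields and compression pointers and reports anything that leaves the message bounds, fails to echo the query, or is out of proportion to it. The query and response bytes are constructed in memory (the name www.example.com, the address 192.0.2.10 and the size-ratio threshold are illustrative choices), so it runs offline.

```python
import struct

# Added example, not code from the original post. The query/response bytes are
# constructed; the name, address and size-ratio threshold are illustrative choices.

class MalformedDNS(Exception):
    """Hard structural error: a length field or pointer that leaves the message bounds."""

def build_name(name):
    """Encode a dotted name as DNS labels (length byte + label, root terminator)."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def build_query(txid, name):
    # Header: id, flags (RD set), QDCOUNT=1, other counts 0; question: name, type A, class IN.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + build_name(name) + struct.pack("!HH", 1, 1)

def build_response(txid, name, ip, rdlen=4, name_ptr=b"\xc0\x0c", trailer=b""):
    """Constructed response with one A record; the keyword knobs let us corrupt it deliberately."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)       # QR, RD, RA set; ANCOUNT=1
    question = build_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ip.split("."))
    answer = name_ptr + struct.pack("!HHIH", 1, 1, 300, rdlen) + rdata  # type A, class IN, TTL 300
    return header + question + answer + trailer

def read_name(msg, offset, depth=0):
    """Parse a possibly compressed name; return (dotted name, offset just past it)."""
    if depth > 16:
        raise MalformedDNS("compression pointer chain too deep")
    labels = []
    while True:
        if offset >= len(msg):
            raise MalformedDNS("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # two-byte compression pointer
            if offset + 1 >= len(msg):
                raise MalformedDNS("truncated compression pointer")
            ptr = ((length & 0x3F) << 8) | msg[offset + 1]
            if ptr >= offset:                            # pointers may only point backwards
                raise MalformedDNS(f"compression pointer {ptr} out of range")
            tail, _ = read_name(msg, ptr, depth + 1)
            return ".".join(labels + ([tail] if tail else [])), offset + 2
        if length & 0xC0 or length > 63:
            raise MalformedDNS(f"invalid label length byte {length:#04x}")
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if offset + length > len(msg):
            raise MalformedDNS("label overruns message")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def check_response(query, response, max_ratio=8):
    """Return a list of findings; an empty list means the response is structurally clean."""
    findings = []
    try:
        if len(response) < 12:
            raise MalformedDNS("header truncated")
        rid, _flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
        qid = struct.unpack("!H", query[:2])[0]
        if rid != qid:
            findings.append(f"transaction id {rid:#06x} does not match query {qid:#06x}")
        qname, _ = read_name(query, 12)
        rname, off = read_name(response, 12)
        if qname.lower() != rname.lower():
            findings.append(f"question {rname!r} does not echo query {qname!r}")
        if off + 4 > len(response):
            raise MalformedDNS("question truncated")
        off += 4                                         # skip QTYPE and QCLASS
        for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
            for _ in range(count):
                _, off = read_name(response, off)
                if off + 10 > len(response):
                    raise MalformedDNS(f"{section} RR header truncated")
                _rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
                off += 10
                if off + rdlen > len(response):          # the bounds check a safe parser must make
                    raise MalformedDNS(f"{section} RDLENGTH {rdlen} overruns message")
                off += rdlen
        if off != len(response):
            findings.append(f"{len(response) - off} trailing bytes after last record")
        if len(response) > max_ratio * len(query):
            findings.append(f"response of {len(response)} bytes exceeds {max_ratio}x the query")
    except MalformedDNS as exc:
        findings.append(f"MALFORMED: {exc}")
    return findings

# Constructed samples: one clean response and three corrupted variants.
QUERY = build_query(0x1234, "www.example.com")
GOOD = build_response(0x1234, "www.example.com", "192.0.2.10")
BAD_RDLEN = build_response(0x1234, "www.example.com", "192.0.2.10", rdlen=4000)
BAD_PTR = build_response(0x1234, "www.example.com", "192.0.2.10", name_ptr=b"\xc0\xff")
SPOOFED = build_response(0x4321, "www.example.com", "192.0.2.10", trailer=b"\x00" * 7)

if __name__ == "__main__":
    for label, resp in [("good", GOOD), ("rdlength", BAD_RDLEN), ("pointer", BAD_PTR), ("spoofed", SPOOFED)]:
        print(f"{label:9s}", check_response(QUERY, resp) or "clean")
```

Fed with query/response pairs captured at a resolver tap or from a packet capture, the hard "MALFORMED" findings are the ones worth alerting on: a response whose RDLENGTH or compression pointer points outside the packet is exactly the shape of input that a length-parsing bug in a client mishandles, and it has no legitimate reason to appear from a sanctioned resolver. The soft findings (transaction-id mismatch, trailing bytes, size ratio) are lower-confidence and belong in a hunt rather than a page.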

Illustrative hunt query (adapt to your SIEM schema; this version is written against the Microsoft Defender for Endpoint advanced-hunting tables):

// Illustrative — not a tuned production rule. Process crashes on domain controllers
// correlated with inbound SMB/RPC connections shortly before the crash. Replace the
// DC list with your own and verify the crash ActionType value against your tenant.
let DomainControllers = dynamic(["dc01.corp.example", "dc02.corp.example"]);
let Lookback = 7d;
let Window = 5m;
DeviceEvents
| where Timestamp > ago(Lookback)
| where DeviceName in~ (DomainControllers)
| where ActionType == "ProcessCrash"
| where InitiatingProcessFileName in~ ("lsass.exe", "svchost.exe")
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(Lookback)
    | where DeviceName in~ (DomainControllers)
    | where ActionType == "InboundConnectionAccepted"
    | where LocalPort == 445 or LocalPort between (49152 .. 65535)   // SMB and dynamic RPC range
    | project DeviceName, RemoteIP, LocalPort, ConnTime = Timestamp
) on DeviceName
| where ConnTime between ((Timestamp - Window) .. Timestamp)         // connection preceded the crash
| project Timestamp, DeviceName, FileName, InitiatingProcessFileName, RemoteIP, LocalPort

For both bugs, the strongest signal is simpler than any rule: a host that is still unpatched after your maintenance window is the detection. Reconcile your patch-management telemetry against your asset inventory and treat the gap as the alert.

What to do Monday morning

Ordered by urgency:

  1. Patch domain controllers for CVE-2026-41089 first. This is an unauthenticated, wormable RCE on the identity tier. Ring-deploy to a canary DC, validate authentication and replication, then push fleet-wide on an accelerated schedule. Do not wait for the normal monthly cadence.
  2. Patch DNS-dependent infrastructure for CVE-2026-41096. Prioritize servers and any hosts that resolve names against untrusted networks. Where immediate patching is impossible, restrict which DNS servers clients will accept responses from and harden DHCP against rogue option-6 injection.
  3. Patch on-premises Dynamics 365 (CVE-2026-42898) on any estate that still runs it, given the 9.9 and the lateral-movement potential.
  4. Patch or mitigate the Microsoft SSO Plugin for Jira & Confluence (CVE-2026-41103) on Atlassian Data Center fronted by it; rotate any sessions or tokens you have reason to suspect.
  5. Push the Word/Office RCEs through your standard application update channel quickly, since Preview Pane reachability removes the "user must open it" safety margin.
  6. Patch Hyper-V (CVE-2026-40402) on hosts running untrusted guests, and on-prem SharePoint (CVE-2026-40365) wherever it is internet-reachable.
  7. Prioritize the long tail with exploitability data, not just CVSS. Cross-reference each remaining CVE against Microsoft's Exploitability Index, EPSS, and CISA KEV, and weight by whether the vulnerable code path is actually reachable in your environment.
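The ranking logic behind step 7, as an added example that is not the post's own tooling: a Python scorer that treats reachability as a gate (a bug in code you do not run scores zero) and weights CVSS by attacker position (authenticated or not, network or local), wormability, Microsoft's Exploitability Index, EPSS and KEV membership. The CVSS scores, the unauthenticated/network facts and the "Exploitation Less Likely" ratings come from the advisory summaries above; the EPSS values, the multipliers, the attack-vector fields for Hyper-V and Dynamics 365, the decision that this sample estate does not run Dynamics on-premises, and the CVE-2026-PLACEHOLDER entry standing in for the Important 7.8 local EoPs are constructed assumptions.

```python
from dataclasses import dataclass

# Added example, not the post's own tooling. EPSS values, the multipliers and the
# placeholder CVE are constructed for illustration; CVSS scores and the
# unauthenticated/network facts come from the advisory summaries in the post.

EXPLOIT_INDEX = {                      # Microsoft Exploitability Index text -> weight (assumed)
    "Exploitation Detected": 2.0,
    "Exploitation More Likely": 1.5,
    "Exploitation Less Likely": 1.0,
    "Exploitation Unlikely": 0.8,
}

@dataclass
class Vuln:
    cve: str
    product: str
    cvss: float
    category: str                       # RCE, EoP, ...
    auth_required: bool
    network_vector: bool
    wormable: bool = False
    exploit_index: str = "Exploitation Less Likely"
    epss: float = 0.0                   # CONSTRUCTED placeholder, not a real EPSS score
    in_kev: bool = False                # nothing in this release was in KEV at publication
    reachable: bool = True              # does the vulnerable code path run in this estate?

def priority(v):
    """Exploitability-weighted score. Reachability is a gate, not a weight."""
    if not v.reachable:
        return 0.0
    score = v.cvss
    if v.network_vector and not v.auth_required:
        score *= 2.0                    # anyone who can reach the port can trigger it
    elif v.network_vector:
        score *= 1.3                    # remote, but needs credentials first
    if v.wormable:
        score *= 1.5                    # self-propagation changes the blast radius
    score *= 3.0 if v.in_kev else EXPLOIT_INDEX.get(v.exploit_index, 1.0)
    score *= 1 + 4 * v.epss             # EPSS 0.0 -> x1.0, 0.25 -> x2.0
    return round(score, 1)

def rank(vulns):
    """Return (cve, score) pairs, highest priority first."""
    return sorted(((v.cve, priority(v)) for v in vulns), key=lambda p: p[1], reverse=True)

# Constructed queue: this month's headline CVEs plus one stand-in for the ~50
# Important 7.8 local EoPs. Attack-vector fields for Hyper-V and Dynamics are assumed.
MAY_2026 = [
    Vuln("CVE-2026-41089", "Windows Netlogon", 9.8, "RCE", False, True, wormable=True, epss=0.06),
    Vuln("CVE-2026-41096", "Windows DNS Client", 9.8, "RCE", False, True, epss=0.04),
    Vuln("CVE-2026-42898", "Dynamics 365 on-prem", 9.9, "RCE", True, True, epss=0.02,
         reachable=False),              # this constructed estate does not run Dynamics on-prem
    Vuln("CVE-2026-41103", "SSO Plugin for Jira & Confluence", 9.1, "EoP", False, True, epss=0.02),
    Vuln("CVE-2026-40402", "Hyper-V", 9.3, "EoP", True, False, epss=0.01),   # guest-side, assumed local
    Vuln("CVE-2026-40365", "SharePoint Server", 8.8, "RCE", True, True, epss=0.03),
    Vuln("CVE-2026-PLACEHOLDER", "generic local EoP (stand-in)", 7.8, "EoP", True, False, epss=0.01),
]

if __name__ == "__main__":
    for cve, score in rank(MAY_2026):
        print(f"{score:6.1f}  {cve}")
```

With these weights the two 9.8s land at the top by a wide margin, the 9.9 Dynamics bug drops to zero because the sample estate does not run it, and the 7.8 local EoP placeholder sits below the authenticated SharePoint RCE. The exact multipliers are less important than the shape: position and exploitation signals, not the base score, decide the order. Replace the constructed EPSS values with live feed data and the reachability flag with the output of your own inventory or reachability analysis.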

Why this keeps happening

The interesting question is not why Netlogon has another buffer overflow — it is why the highest-severity Windows bugs cluster, year after year, in the same handful of legacy network-facing protocols. Netlogon (MS-NRPC), DNS, RPC, and the print and authentication stacks are decades-old code paths that parse attacker-controllable length fields in C, run with high privilege, and are switched on by default. The integer-overflow-into-stack-overflow pattern behind CVE-2026-41089 is the same class of mistake that has produced critical Windows CVEs every year of the platform's existence. The code is too load-bearing to rip out and too old to have been written with modern memory-safety discipline.

The defender's structural problem is different but related: the volume. Between 118 and 138 Microsoft CVEs a month, every month, is more than any team can manually triage. When everything is rated Important and a third of releases historically carried a zero-day, "patch everything immediately" stopped being realistic years ago, and "patch by CVSS" buries the two 9.8s that actually matter under fifty 7.8 elevation-of-privilege bugs that require a foothold you do not want to assume the attacker has. The month-to-month signal is only legible if you can separate "unauthenticated, network-reachable, reachable in my environment" from "needs local access to a thing I have already lost."

The structural fix

The honest framing is dwell time and blast radius, not prevention — you cannot prevent Microsoft from shipping a 9.8 in Netlogon. What you can do is shorten the window between disclosure and remediation, and make sure the two bugs that matter do not get lost in the monthly flood. Reachability analysis cuts the false-positive noise that makes Patch Tuesday triage so slow, by telling you which vulnerable code paths are actually exercised in your environment rather than merely present. Pairing CVSS with EPSS and CISA KEV signals lets you rank the queue by likelihood-of-exploitation, which is exactly the dimension that would have floated CVE-2026-41089 and CVE-2026-41096 to the top of this month's list. For the bugs that do warrant emergency action, a zero-day response workflow and auto-generated fix PRs shorten the path from advisory to deployed patch. None of this prevents the next Netlogon bug; all of it shrinks the time you spend exposed to it.

What we know we don't know

  • Exploit development timeline. Microsoft rated both 9.8s "Exploitation Less Likely" at release. Memory-corruption RCEs in well-studied protocols have repeatedly beaten that prediction. We do not know whether a public PoC for CVE-2026-41089 or CVE-2026-41096 will surface, or how quickly.
  • The exact CVE total. Trackers report 118, 120, and 138 for the Microsoft portion depending on inclusion rules. We have anchored on the Tenable (118) and ZDI (138) figures and flagged the range rather than asserting a single number.
  • Real-world reachability of CVE-2026-41096. The DNS Client bug requires an attacker positioned to answer a victim's query. How exploitable that is in practice depends heavily on each network's resolver hygiene, which is not something the advisory can speak to.
