Microsoft releases rare zero-day free Patch Tuesday update
Microsoft has addressed around 140 newly discovered common vulnerabilities and exposures (CVEs) in its May Patch Tuesday update, but for the first time in a long time, the latest monthly drop contains no zero-day flaws, meaning that none of the issues in scope have been actively exploited or publicly disclosed.
But while a less panic-inducing drop will be welcomed by security teams around the world, the May 2026 Patch Tuesday update contains almost 20 critical severity flaws that will inevitably draw the attention of threat actors in the coming days and weeks.
Jack Bicer, Action1 director of vulnerability research, said: “Although the absence of zero-days is a positive sign, the high number of critical vulnerabilities – particularly compared to recent months – means organisations should still move quickly to evaluate and deploy updates across affected systems.”
This month’s update is also particularly significant as it heralds a critical Secure Boot certificate expiration deadline on 26 June, a few weeks from now. Devices that fail to receive updated Secure Boot certificates – which are now rolling out – face potentially catastrophic failures or as-yet-undiscovered security flaws that may prove impossible to fix.
“The May 2026 update cycle is a high-stakes bridge to the 26 June certificate expiration deadline, making fleet-wide rotation to new trust anchors the month’s absolute priority,” said Rain Baker, senior incident response specialist at Nightwing’s ShadowScout team.
“For those who haven’t patched for last month’s releases for the Windows Shell and Microsoft Defender bypass flaws, it’s imperative that security teams give these the highest priority,” added Baker.
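The certificate rotation Baker refers to can be verified per device before the deadline. The following PowerShell check is an added example, not from the article or from Microsoft; it reads the UEFI KEK and db variables through the built-in SecureBoot module and looks for the certificate subject strings Microsoft uses for its 2011 and 2023 Secure Boot CAs (the function name and output fields are the author's own).

```powershell
# Added example: report whether this Windows device already trusts the 2023
# Secure Boot CAs that replace the expiring 2011 ones. Run elevated on a UEFI
# system; the SecureBoot module ships with Windows.
#Requires -RunAsAdministrator

function Get-SecureBootCaStatus {
    # Confirm-SecureBootUEFI throws on legacy BIOS or unsupported firmware,
    # so treat an exception as "unknown" rather than as a failure.
    try { $enabled = Confirm-SecureBootUEFI } catch { $enabled = $null }

    # Each UEFI signature database comes back as raw bytes. Certificate subject
    # names are stored as printable ASCII inside the DER blobs, so a plain
    # string match is enough to tell which CAs are enrolled.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)

    [pscustomobject]@{
        SecureBootEnabled = $enabled
        Has2011Kek        = $kek -match 'Microsoft Corporation KEK CA 2011'
        Has2023Kek        = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
        Has2011WindowsCa  = $db  -match 'Microsoft Windows Production PCA 2011'
        Has2023WindowsCa  = $db  -match 'Windows UEFI CA 2023'
        Has2023ThirdParty = $db  -match 'Microsoft UEFI CA 2023'
    }
}

$status = Get-SecureBootCaStatus
$status | Format-List

# A device that still trusts only the 2011 anchors is the one that will stop
# receiving validly signed boot components once those certificates expire.
if (-not ($status.Has2023Kek -and $status.Has2023WindowsCa)) {
    Write-Warning 'Secure Boot 2023 CAs not yet enrolled; device still needs the certificate rollout.'
    exit 1
}
```

Because the script exits non-zero on devices missing the new anchors, it can be pushed through an endpoint management tool to produce a fleet-wide list of machines still to be rotated.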
Bugs abounding
Among some of the critical updates issued this month is a fix for a Windows DNS Client remote code execution (RCE) flaw tracked as CVE-2026-41096. This vulnerability stems from a heap-based buffer overflow issue in Windows NetLogon and could enable an unauthenticated actor to take over the target system by sending it a malicious DNS response.
“Because DNS is a core networking service used across enterprise environments, exploitation could impact a large number of systems quickly,” said Action1’s Bicer.
“Successful attacks could lead to widespread endpoint compromise, ransomware deployment, credential harvesting, and operational disruption across corporate networks.”
Bicer added: “This CVE requires immediate attention considering its severity rating, network-based attack vector, no authentication requirements, and no user interaction. DNS-related vulnerabilities are especially dangerous because they target foundational network services that are widely exposed across enterprise infrastructure.”
Also drawing attention this evening is CVE-2026-42898, another RCE issue, this one in on-prem versions of Microsoft Dynamics 365, which bears a common vulnerability scoring system (CVSS) score of 9.9. Again, this issue requires no user interaction and, since it can impact systems beyond the original security scope of the vulnerable component, carries an extreme risk to enterprises.
Previous attacks on Dynamics 365 infrastructure have exposed critical, privileged data, and since CRM environments plug into so many other critical systems, successful exploitation could lead to wholesale compromise.
Meanwhile, Automox chief technology officer Jason Kikta weighed in on CVE-2026-41089, an RCE flaw in Windows Netlogon, and CVE-2026-40402, an elevation of privilege (EoP) vulnerability in Hyper-V.
“CVE-2026-41089 – CVSS 9.8 out of 10 – is a stack-based buffer overflow in Windows Netlogon,” explained Kikta. “An attacker sends a crafted network request to a domain controller. No authentication required. No user interaction required. If you’ve been doing this long enough, the description language sounds unfortunately familiar.
“I would be careful drawing a direct line to Zerologon. The underlying bug is a stack overflow, not a crypto protocol flaw, and Microsoft has not labelled this one as wormable. The mechanism is different, but the blast radius is still ugly when you’re talking about pre-auth code execution on a domain controller.”
The Hyper-V issue can be exploited by a low-privileged account inside a guest virtual machine (VM) to execute code on the host with system-level privileges. Kikta warned that one compromised guest could serve as a pivot point for every other VM on the same host, and the host fabric into the bargain. Hosted desktop environments and shared virtualisation platforms are likely to be swiftly targeted.
“Multi-tenant VDI, on-premises virtualisation with untrusted workloads, or any Hyper-V host running guests you don’t fully control. Same-week, same-day patch depending on what’s on top of it,” Kikta advised.
Patch apocalypse?
Lacking though it is in zero-days, Redmond’s latest meaty update will do little to assuage the concerns of onlookers alarmed at the supposedly earth-shattering vulnerability discovery capabilities of Anthropic’s Claude Mythos frontier AI model.
Chris Goettl, vice president of security product management at Ivanti, said that these concerns were being taken seriously by many key software suppliers and other tech firms that are becoming much more aggressive in their patching in response to the changes of the past few weeks.
“Oracle announced a new release cadence starting in May 2026 to address the acceleration of vulnerability detection introduced by Mythos and other AI security models; monthly Critical Security Patch Updates (CSPUs) will fill in the two-month gap between their quarterly Critical Patch Updates (CPU),” he said.
“Apple is another early participant in Project Glasswing and has seen a recent spike in the number of exposures resolved. They typically average around 20 CVEs per iOS security update [but] for their most recent update on May 11, there is a spike of 52 CVEs resolved. Across the 11 Apple updates, the CVE counts range from 25 on the low end to 52 on the high end, and Apple backported changes all the way to iPhone 6s and iOS 15. While there are not actively exploited vulnerabilities, there are a lot of updates to address.”
Meanwhile, Mozilla, the backers of the Firefox browser, which is said to have had over 270 vulnerabilities identified after Claude Mythos was applied to it, has also moved to a more aggressive weekly cadence for its security updates since the launch of Firefox 150.0.0 in April 2026 – version 150.0.3 of Firefox dropped earlier today (12 May).