Microsoft's May Patch Tuesday Fixes 137 Vulnerabilities, 13 Critical – No Zero-Days Exploited

Microsoft has released its May Patch Tuesday update, addressing 137 vulnerabilities across its enterprise products, components, and underlying systems. Despite the high volume of defects, the tech giant reported no actively exploited zero-days in this month’s security release.

Critical Vulnerabilities and High-Risk Flaws

Thirteen of the 137 vulnerabilities were assigned critical CVSS ratings, including:

• CVE-2026-33109 and CVE-2026-42823 – Affecting Microsoft Azure
• CVE-2026-42898 – Affecting Microsoft Dynamics 365 with a 9.9 CVSS score

The company also designated 13 vulnerabilities as more likely to be exploited, while 113 defects were categorized as less likely or unlikely to be exploited.

AI’s Role in Identifying Vulnerabilities

The high volume of vulnerabilities reflects a growing trend researchers have anticipated as artificial intelligence models are increasingly used to uncover previously undetected defects in code. While not all bugs were AI-discovered, many submissions likely involved AI-assisted processes.

“It’s likely they had an AI-related component — even if it was just AI writing the submission.”

Notable Vulnerabilities Highlighted by Experts

Childs emphasized the severity of CVE-2026-41096, describing it as a “nasty-looking bug” in Microsoft Windows DNS that allows unauthorized attackers to execute code remotely. Key concerns include:

• No authentication or user interaction required
• DNS Client runs on virtually every Windows machine, expanding the attack surface
• Attackers influencing DNS responses could achieve unauthenticated remote-code execution across an enterprise

He also flagged CVE-2026-41089, a Windows Netlogon defect enabling unauthenticated remote attackers to run code. Childs called it the “highest-impact bug that requires immediate patching,” warning that a “compromised domain controller is a compromised domain.”

Jack Bicer, director of vulnerability research at Action1, highlighted CVE-2026-42898, the critical vulnerability in Microsoft Dynamics 365:

“With no user interaction required, and the potential to impact systems beyond the vulnerable component’s original security scope, this vulnerability poses serious enterprise risk: an attacker with only basic access could turn a business application server into a remote execution platform.”

Bicer added that compromising Dynamics 365 infrastructure could expose:

• Customer records
• Operational workflows
• Financial information
• Integrated business systems

Since CRM environments often connect with identity services, databases, and enterprise applications, successful exploitation could lead to broader organizational compromise and operational disruption.

Full List of Vulnerabilities Available

The complete list of vulnerabilities addressed in this month’s Patch Tuesday is available via the Microsoft Security Response Center.