Microsoft's May 2026 Patch Tuesday addressed 137 security vulnerabilities across its software ecosystem, including several rated critical. The most severe, CVE-2026-41089, is a stack-based buffer overflow in Windows Netlogon that could allow unauthenticated attackers to execute code with SYSTEM privileges on domain controllers. With a CVSS score of 9.8 and no requirement for user interaction, the flaw poses a significant risk to enterprise networks. Microsoft has not observed active exploitation, but security firm Rapid7 warns the technical conditions make reliable exploit development feasible.

Another critical flaw, CVE-2026-41096, affects the Windows DNS client and could enable remote code execution. Though the client runs with reduced privileges, attackers could chain it with other vulnerabilities to escalate access. Additionally, a critical elevation of privilege vulnerability, CVE-2026-41103, impacts organizations using the Microsoft Entra ID authentication plugin with self-hosted Atlassian Jira or Confluence. Microsoft considers exploitation of this flaw more likely, raising urgency for patching.

The update also highlights the growing role of Microsoft’s internal WARP team in discovering vulnerabilities, suggesting advancements in AI-assisted research. Meanwhile, .NET 9 STS reaches end of support on November 10, 2026, following a six-month extension. Organizations are urged to prioritize patching domain controllers and assess plugin integrity, especially where patch links point to older versions.