During May’s Patch Tuesday, Microsoft released fixes for 137 vulnerabilities in Windows, Azure, Dynamics 365, and other products. Although there are no reports of active exploitation, security researchers warn that several vulnerabilities require immediate attention due to their high impact.
At the same time, Microsoft confirms that AI now plays a major role in detecting security issues. Of the 137 CVEs, 30 were rated “critical.” Fourteen vulnerabilities received a CVSS score of 9.0 or higher. One vulnerability even received the maximum score of 10.0, though Microsoft reports that this specific issue in Azure DevOps has already been resolved on the server side.
Microsoft notes that the number of discovered vulnerabilities has been rising for some time due to the use of automation and AI analysis. According to the company, software components are now being examined faster and on a larger scale than was possible just a few years ago.
In addition, Tom Gallagher, VP of engineering at the Microsoft Security Response Center, for the first time announced an internal AI-driven scanning environment codenamed MDASH. According to SiliconANGLE, this tool helped identify sixteen of the vulnerabilities resolved this month. Microsoft also plans to make MDASH available to customers in a limited private preview.
The company expects Patch Tuesday releases to become structurally larger as a result. In a statement, the Microsoft Security Response Center notes that organizations should anticipate a faster pace of patches and potentially more frequent interim updates outside the regular schedule.
Critical DNS Vulnerability
One of the most severe vulnerabilities this month is CVE-2026-41096, a remote code execution flaw in the Windows DNS Client with a CVSS score of 9.8. The issue arises from a heap-based buffer overflow and can be exploited via a specially crafted DNS response. Neither authentication nor user interaction is required.
According to security researchers, the risk is high because virtually all Windows systems use the DNS Client. Attackers could compromise systems on a large scale via malicious DNS responses.
A second vulnerability with a CVSS score of 9.8, CVE-2026-41089 in Windows Netlogon, is also receiving significant attention. This flaw allows code to be executed on Windows domain controllers without credentials via specially crafted network requests. Researchers describe the vulnerability as potentially wormable.
In addition, Microsoft is patching a critical vulnerability in Dynamics 365 on-premises environments. CVE-2026-42898 received a CVSS score of 9.9 and enables remote code execution for authenticated users without elevated privileges.
According to Microsoft, an attacker can cause Dynamics CRM to process manipulated session data, after which malicious code can be executed. Because the issue may have an impact beyond the directly affected component, researchers advise organizations to test and roll out the update quickly.