Microsoft Resolves 138 Security Issues, Including DNS and Netlogon RCE Flaws

Microsoft released security updates on Tuesday addressing a total of 138 vulnerabilities across its product ecosystem. None of these flaws are currently known to be publicly disclosed or actively exploited.

Among the vulnerabilities, 30 are classified as Critical, 104 as Important, three as Moderate, and one as Low severity. The majority 61 issues fall under privilege escalation, followed by 32 remote code execution (RCE) vulnerabilities, 15 information disclosure flaws, 14 spoofing issues, eight denial-of-service bugs, six security feature bypasses, and two tampering vulnerabilities.

This month’s updates also include a flaw previously resolved by AMD (CVE-2025-54518, CVSS 7.3). The issue affects Zen 2 processors and stems from improper isolation within the CPU’s operation cache. Exploitation could enable attackers to tamper with instructions executed at different privilege levels, potentially leading to privilege escalation.

Additionally, these fixes coincide with patches for 127 vulnerabilities in Chromium, the open-source browser engine that underpins Microsoft Edge.

One of the most critical issues addressed is CVE-2026-41096 (CVSS 9.8), a heap-based buffer overflow vulnerability in Windows DNS. This flaw could allow an unauthenticated attacker to execute arbitrary code remotely.

According to Microsoft, exploitation involves sending a maliciously crafted DNS response to a vulnerable system. If processed incorrectly by the DNS client, this could result in memory corruption, and under certain conditions, permit remote code execution without requiring authentication.

Microsoft also remediated several other high-risk vulnerabilities, including:

• CVE-2026-42826 (CVSS 10.0): Sensitive data exposure in Azure DevOps enabling unauthorized information disclosure. (No user action required)
• CVE-2026-33109 (CVSS 9.9): Improper access control in Azure Managed Instance for Apache Cassandra, allowing code execution over the network. (No user action required)
• CVE-2026-42898 (CVSS 9.9): Code injection flaw in on-premises Microsoft Dynamics 365 enabling remote execution by an authenticated attacker
• CVE-2026-42823 (CVSS 9.9): Privilege escalation issue in Azure Logic Apps
• CVE-2026-41089 (CVSS 9.8): Stack-based buffer overflow in Windows Netlogon, allowing unauthenticated remote code execution against domain controllers
• CVE-2026-33823 (CVSS 9.6): Authorization weakness in Microsoft Teams exposing sensitive data (no action needed)
• CVE-2026-35428 (CVSS 9.6): Command injection vulnerability in Azure Cloud Shell enabling spoofing (no user action required)
• CVE-2026-40379 (CVSS 9.3): Information disclosure issue in Azure Entra ID enabling spoofing (no action required)
• CVE-2026-40402 (CVSS 9.3): Use-after-free flaw in Hyper-V that could grant SYSTEM-level privileges
• CVE-2026-41103 (CVSS 9.1): Authentication flaw in Microsoft’s SSO plugin for Jira and Confluence allowing attackers to impersonate legitimate users
• CVE-2026-33117 (CVSS 9.1): Authentication bypass vulnerability in Azure SDK
• CVE-2026-42833 (CVSS 9.1): Privilege misuse flaw in Dynamics 365 that enables cross-tenant exploitation
• CVE-2026-33844 (CVSS 9.0): Input validation flaw in Azure Cassandra instances enabling code execution (no action required)
• CVE-2026-40361 & CVE-2026-40364 (CVSS 8.4): Microsoft Word vulnerabilities allowing local code execution without user interaction

Security experts highlighted specific risks. Rapid7’s Adam Barnett noted that CVE-2026-41103 could allow attackers to impersonate users by forging credentials, effectively bypassing Entra ID protections.

Meanwhile, Action1’s Jack Bicer emphasized the severity of CVE-2026-42898, explaining that even low-privileged authenticated attackers could exploit Dynamics 365 to remotely execute arbitrary code. With no user interaction required, this vulnerability could turn application servers into attack platforms.

Bicer further warned that a compromise of Dynamics 365 environments could expose sensitive customer data, financial records, business workflows, and integrated enterprise systems. Given CRM systems often connect with identity services and databases, exploitation could lead to widespread organizational breaches and operational disruption.

Organizations are also being urged to update Windows Secure Boot certificates. The certificates issued in 2011 are scheduled to expire next month, and systems must transition to the 2023 versions before June 26, 2026.

Security experts caution that failure to apply these updates could result in severe boot-level security failures or degraded system protections. Enterprises are strongly advised to ensure all devices adopt the new trust anchors ahead of the deadline.

So far in 2026, Microsoft has already addressed over 500 vulnerabilities, according to Tenable researcher Satnam Narang. This surge underscores a broader industry trend, where vulnerability discovery is accelerating largely driven by artificial intelligence.

Microsoft confirmed that AI-assisted tools are contributing to this increase. In fact, 16 of this month’s vulnerabilities primarily within Windows networking and authentication components were identified using its AI-powered scanning system known as MDASH (multi-model agentic scanning harness).

Tom Gallagher from the Microsoft Security Response Center noted that a larger proportion of vulnerabilities this month were discovered internally, thanks in part to AI-driven research and engineering efforts.

However, Microsoft also warned that this rapid increase in vulnerability discovery is placing greater demands on organizations. It stressed the need for disciplined risk management practices to ensure timely patching and mitigation.

Key recommendations include maintaining up-to-date systems, prioritizing vulnerabilities based on exposure and impact rather than volume, minimizing unnecessary internet exposure, strengthening configurations, eliminating legacy authentication methods, enabling multi-factor authentication, enforcing strict access controls, segmenting networks, and enhancing detection and response capabilities.

Microsoft concluded by emphasizing that while the core principles of cybersecurity remain unchanged, the speed at which they must be applied is increasing. Organizations that adapt to this faster-paced landscape will be better equipped to manage evolving threats.