
Critical RCE and EoP vulnerabilities in Microsoft products addressed in May Patch Tuesday

2 unique sources, 3 articles

Summary


Microsoft’s May 2026 Patch Tuesday addressed 138 CVEs, 30 of them rated Critical, across its product portfolio; 16 of the flaws were found by Microsoft’s AI-driven MDASH system. Headline fixes are CVE-2026-41089 (Windows Netlogon stack-based buffer overflow, CVSS 9.8), CVE-2026-41096 (Windows DNS Client RCE, CVSS 9.8) and CVE-2026-42898 (Microsoft Dynamics 365 RCE), alongside newly disclosed MDASH finds such as CVE-2026-33824 (double-free in ikeext.dll, CVSS 9.8) and CVE-2026-33827 (race condition in tcpip.sys, CVSS 8.1). The release also carries non-CVE changes: organizations must roll the Windows Secure Boot certificates over to the 2023 versions by June 26, 2026, or face boot-level failures once the expiring 2011 certificates can no longer be relied on. Microsoft stressed the growing role of AI in vulnerability discovery and said AI-assisted approaches like MDASH are expected to increase the size of Patch Tuesday releases in the coming months. Earlier reporting on the same release counted 120 CVEs (17 Critical, 16 found via MDASH) and focused on CVE-2026-41089, CVE-2026-41096 and CVE-2026-42898 as the high-impact RCE and EoP flaws; the 138-CVE figure is the later count and includes 13 additional Critical advisories.

Timeline

  1. 13.05.2026 11:15 · 3 articles

    Microsoft Patch Tuesday May 2026 includes critical RCE and EoP fixes across core services

    Microsoft published security updates addressing 138 CVEs (30 Critical, 104 Important), including the previously reported high-impact flaws CVE-2026-41089 (Windows Netlogon stack-based buffer overflow, CVSS 9.8), CVE-2026-41096 (Windows DNS Client RCE, CVSS 9.8) and CVE-2026-42898 (Microsoft Dynamics 365 RCE). Beyond the 17 Critical advisories counted in earlier reporting, the release lists 13 more Critical-rated vulnerabilities, among them CVE-2026-42826 (Azure DevOps information disclosure, CVSS 10.0), CVE-2026-33109 (Azure Managed Instance for Apache Cassandra RCE, CVSS 9.9) and CVE-2026-40402 (Windows Hyper-V use-after-free enabling escalation to SYSTEM). Non-CVE changes require organizations to update Windows Secure Boot certificates to the 2023 versions by June 26, 2026, to avoid boot-level failures. The article also clarifies that the AI-driven MDASH system identified 16 of this month’s vulnerabilities, including CVE-2026-33824 (double-free in ikeext.dll, CVSS 9.8) and CVE-2026-33827 (race condition in tcpip.sys, CVSS 8.1), and describes MDASH’s agentic architecture: more than 100 specialized AI agents, built on both frontier and distilled models, operating as a structured pipeline for autonomous discovery, validation and proof of exploitable defects in Windows codebases.

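The Secure Boot certificate rollover is the one non-CVE item in this release that can take a machine down if it is missed, and the same rollover (replacing the expiring 2011 certificates) is what the February 2026 entry further down refers to. The script below is an added example, not code from the article or from Microsoft: it reads the UEFI db and KEK variables on the local machine and reports whether the 2023 certificates are already enrolled. The certificate subject strings are the ones Microsoft uses for the replacement CAs; the registry value name UEFICA2023Status is an assumption taken from Microsoft’s servicing guidance and may be absent on machines the update has not touched. Run it elevated on a UEFI system.

```powershell
# Added example (not from the article or from Microsoft): local check for the Secure Boot
# certificate rollover. Run in an elevated PowerShell session on a UEFI machine.

function Test-SecureBoot2023Certs {
    [CmdletBinding()]
    param()

    # Legacy BIOS or firmware without UEFI variable access makes Confirm-SecureBootUEFI throw.
    try { $secureBootOn = Confirm-SecureBootUEFI } catch { $secureBootOn = $false }
    if (-not $secureBootOn) {
        return [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            SecureBoot = $false
            Ready      = $false
            Detail     = 'Secure Boot off, or not a UEFI system'
        }
    }

    # db and KEK are raw EFI_SIGNATURE_LIST blobs. The certificate subject names sit as
    # ASCII inside the DER bodies, so a substring search is enough for a presence check.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name kek).Bytes)

    # Servicing state written by the certificate update. Value name is an assumption from
    # Microsoft's guidance; it is simply $null where the update has not run.
    $servicing = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' `
                                  -Name UEFICA2023Status -ErrorAction SilentlyContinue

    $status = [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        SecureBoot         = $true
        # 2023 certificates that must be present before the 2011 ones expire
        Db_WindowsCA2023   = $db  -match 'Windows UEFI CA 2023'
        Db_UefiCA2023      = $db  -match 'Microsoft UEFI CA 2023'
        Db_OptionRomCA2023 = $db  -match 'Microsoft Option ROM UEFI CA 2023'
        Kek_2023           = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
        # 2011 certificates; still expected to be present during the transition window
        Db_WindowsPCA2011  = $db  -match 'Microsoft Windows Production PCA 2011'
        Db_UefiCA2011      = $db  -match 'Microsoft Corporation UEFI CA 2011'
        Kek_2011           = $kek -match 'Microsoft Corporation KEK CA 2011'
        ServicingStatus    = if ($servicing) { $servicing.UEFICA2023Status } else { $null }
    }

    # Conservative readiness: the new KEK (so future db/dbx updates can be applied) and the
    # new Windows signing CA (so a 2023-signed boot manager is trusted) must both be enrolled.
    $status | Add-Member -NotePropertyName Ready `
                         -NotePropertyValue ($status.Kek_2023 -and $status.Db_WindowsCA2023) -PassThru
}

Test-SecureBoot2023Certs | Format-List
```

Ready only says the firmware trusts 2023-signed binaries; it does not confirm that the boot manager on the EFI system partition has actually been swapped for the 2023-signed one, or that the 2011 CA has been added to dbx, so treat it as the first gate of the rollover rather than the last. For a fleet, run it through your endpoint management tooling and pivot on the Ready and ServicingStatus columns.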


Similar Happenings

Microsoft May 2026 Patch Tuesday addresses 120 vulnerabilities without disclosed zero-days

Microsoft’s May 2026 Patch Tuesday released fixes for 120 vulnerabilities across its ecosystem, including 17 Critical flaws, with no zero-days disclosed. The updates, delivered via Windows 11 cumulative updates KB5089549 and KB5087420 for versions 23H2, 24H2, and 25H2, addressed remote code execution (RCE), elevation of privilege (EoP), information disclosure, denial of service (DoS), and spoofing vulnerabilities in Windows, Office, Word, Excel, SharePoint, and the DNS Client. The remediation effort excluded patches for Microsoft Mariner, Azure, Copilot, Teams, Partner Center, and 131 Google Chromium-based Edge flaws addressed separately by Google. Notable fixes included CVE-2026-35421 (Windows GDI RCE via malicious EMF files), CVE-2026-40365 (SharePoint Server RCE), and CVE-2026-41096 (Windows DNS Client RCE). While the primary focus was security, the updates also introduced non-security improvements such as Xbox mode integration, expanded File Explorer archive support, haptic feedback for input devices, and enhanced batch file security controls.

Rising threat from autonomous LLM-driven exploitation amid persistent human validation gaps

Security experts warn that large language models (LLMs) like Anthropic’s Mythos and OpenAI’s GPT-5.5 are accelerating autonomous offensive capabilities, enabling rapid discovery and exploitation of vulnerabilities at scale across platforms and infrastructure. While LLM-driven tools can autonomously generate exploits, chain attack sequences, and adapt mid-engagement, their practical effectiveness remains limited by human validation requirements. Human expertise is still essential to assess exploitability, determine real-world impact, and filter false positives, creating a widening gap between discovery and exploitable outcomes. Defenders face an escalating challenge as the time from vulnerability discovery to exploitation drops from months to hours, necessitating immediate shifts to proactive security practices such as shifting left, multilayer defenses, and rapid patching to mitigate the threat.

Microsoft March and April 2026 Patch Tuesdays Address Multiple Zero-Days and Critical Flaws

Microsoft’s multi-month Patch Tuesday campaign continues with the April 2026 release addressing 167 security vulnerabilities in Windows and related software, including two actively exploited zero-days (CVE-2026-32201 in SharePoint Server and CVE-2026-33825 in Microsoft Defender). Nearly 60% of the patched flaws are elevation-of-privilege bugs, the highest proportion in eight months, while eight Critical vulnerabilities were addressed, including unauthenticated remote code execution flaws in Windows IKE Service Extensions (CVE-2026-33824, CVSS 9.8) and secure tunneling components (CVE-2026-33827, CVSS 8.1).

Following the April updates, threat actors are now exploiting two additional unpatched Microsoft Defender zero-days, RedSun and UnDefend, alongside the patched CVE-2026-33825 (BlueHammer). Exploitation activity has been observed since April 10, 2026, with RedSun and UnDefend PoCs deployed on April 16, 2026, featuring hands-on-keyboard techniques such as whoami /priv, cmdkey /list, and net group commands. Huntress confirmed real-world exploitation and took steps to isolate compromised systems to prevent post-exploitation damage. Threat actors have also been observed chaining these flaws with other vulnerabilities to achieve full endpoint control.

Microsoft issued out-of-band emergency patches for CVE-2026-40372, a critical ASP.NET Core privilege escalation vulnerability in the ASP.NET Core Data Protection cryptographic APIs. The flaw enables unauthenticated attackers to gain SYSTEM privileges by forging authentication cookies, stemming from a regression in Microsoft.AspNetCore.DataProtection 10.0.0-10.0.6 packages. Microsoft recommends updating to version 10.0.7 and rotating the DataProtection key ring to fully remediate.

The April updates were distributed through Windows 11 cumulative updates KB5083769 (for versions 25H2/24H2) and KB5082052 (for 23H2), changing build numbers to 26200.8246 (25H2), 26100.8246 (24H2), and 22631.6936 (23H2). Windows 10 Enterprise LTSC and ESU participants received the April fixes via KB5082200, updating to build 19045.7184 (Windows 10) or 19044.7184 (Windows 10 Enterprise LTSC 2021).
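The hands-on-keyboard commands listed above (whoami /priv, cmdkey /list, net group) are individually noisy, but the three together from one parent shell inside a few minutes is a usable post-exploitation signal. The script below is an added example, not something from the report or from Huntress: a small detection that groups process-creation records by host and parent PID and alerts only when all three show up inside a window. The field names mirror Windows Security event 4688, and the sample records are constructed for this example.

```powershell
# Added example (not from the article): detection for the discovery triad described above,
# run over constructed process-creation records shaped like Security event 4688 fields.

$DiscoveryPatterns = @(
    @{ Name = 'whoami_priv'; Regex = '(?i)\bwhoami(\.exe)?\s+/priv\b' },
    @{ Name = 'cmdkey_list'; Regex = '(?i)\bcmdkey(\.exe)?\s+/list\b' },
    @{ Name = 'net_group';   Regex = '(?i)\bnet1?(\.exe)?\s+group\b' }
)

function Find-DiscoveryTriad {
    param(
        # Objects with Computer, TimeCreated, ParentProcessId, ParentProcessName, CommandLine
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowMinutes = 10
    )
    $hits = @()
    # Key on host + parent PID: the operator's shell is the common ancestor of the three commands.
    foreach ($group in ($Events | Group-Object -Property Computer, ParentProcessId)) {
        $firstSeen = @{}
        foreach ($e in ($group.Group | Sort-Object TimeCreated)) {
            foreach ($p in $DiscoveryPatterns) {
                if (-not $firstSeen.ContainsKey($p.Name) -and $e.CommandLine -match $p.Regex) {
                    $firstSeen[$p.Name] = $e.TimeCreated
                }
            }
        }
        # Incomplete triad: a lone whoami /priv from an admin must not alert.
        if ($firstSeen.Count -lt $DiscoveryPatterns.Count) { continue }
        $times = @($firstSeen.Values | Sort-Object)
        $span  = $times[-1] - $times[0]
        if ($span.TotalMinutes -le $WindowMinutes) {
            $hits += [pscustomobject]@{
                Computer        = $group.Group[0].Computer
                ParentProcess   = $group.Group[0].ParentProcessName
                ParentProcessId = $group.Group[0].ParentProcessId
                FirstCommand    = $times[0]
                LastCommand     = $times[-1]
                SpanMinutes     = [math]::Round($span.TotalMinutes, 1)
            }
        }
    }
    return $hits
}

# Constructed sample: one shell on WS01 runs the full triad in under a minute (should alert);
# an admin on WS02 runs whoami /priv alone (should not).
$SampleEvents = @(
    [pscustomobject]@{ Computer='WS01'; TimeCreated=[datetime]'2026-04-16T09:12:03'; ParentProcessId=4412; ParentProcessName='C:\Windows\System32\cmd.exe'; CommandLine='whoami /priv' }
    [pscustomobject]@{ Computer='WS01'; TimeCreated=[datetime]'2026-04-16T09:12:09'; ParentProcessId=4412; ParentProcessName='C:\Windows\System32\cmd.exe'; CommandLine='cmdkey /list' }
    [pscustomobject]@{ Computer='WS01'; TimeCreated=[datetime]'2026-04-16T09:12:40'; ParentProcessId=4412; ParentProcessName='C:\Windows\System32\cmd.exe'; CommandLine='net group "Domain Admins" /domain' }
    [pscustomobject]@{ Computer='WS02'; TimeCreated=[datetime]'2026-04-16T10:01:00'; ParentProcessId=777;  ParentProcessName='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine='whoami /priv' }
)

Find-DiscoveryTriad -Events $SampleEvents | Format-Table -AutoSize

# To feed real data (requires the "Include command line in process creation events" audit
# policy), map 4688 properties: creator PID is Properties[7], CommandLine Properties[8],
# parent image Properties[13]:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=(Get-Date).AddDays(-1)} |
#     ForEach-Object { [pscustomobject]@{ Computer=$_.MachineName; TimeCreated=$_.TimeCreated;
#       ParentProcessId=[int64]$_.Properties[7].Value; ParentProcessName=$_.Properties[13].Value;
#       CommandLine=$_.Properties[8].Value } } | Find-DiscoveryTriad
```

Only the WS01 group produces a hit; WS02 is dropped before the window check because its triad is incomplete. Tune the window and add a parent-process allow-list (scheduled jobs that legitimately enumerate groups) before deploying; the signal is the co-occurrence from one interactive ancestor, not any single command.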

Patch Tuesday: Over 60 Vendors Release Security Fixes for Critical Vulnerabilities

On February 2026 Patch Tuesday, over 60 software vendors released security updates addressing critical vulnerabilities in their products. Microsoft patched 59 flaws, including six actively exploited zero-days in Windows components. Adobe, SAP, Intel, and Google also issued fixes for critical vulnerabilities in their respective products. The updates cover a wide range of software, including operating systems, cloud platforms, and network devices. The vulnerabilities addressed include security bypass, privilege escalation, denial-of-service (DoS), code injection, and missing authorization checks. Some of the flaws could lead to full database compromise and unauthorized remote function calls. The patches are crucial for maintaining the security of systems and preventing potential exploitation by threat actors.

Microsoft February 2026 Patch Tuesday Addresses 6 Zero-Days and 59 Flaws

Microsoft's February 2026 Patch Tuesday addresses 59 vulnerabilities, including 6 actively exploited zero-days and 3 publicly disclosed flaws. The updates include fixes for 5 critical vulnerabilities, with three being security feature bypass flaws in various Microsoft products. The zero-days span components such as Windows Shell, MSHTML Framework, Microsoft Word, Desktop Window Manager, Windows Remote Access Connection Manager, and Windows Remote Desktop Services. Microsoft issued an out-of-band patch for one of the zero-days, CVE-2026-21514, highlighting its urgency. The updates also cover a range of other vulnerabilities, including elevation of privilege, security feature bypass, remote code execution, information disclosure, denial of service, and spoofing flaws. Additionally, Microsoft has begun rolling out updated Secure Boot certificates to replace expiring 2011 certificates. Other vendors, including Adobe, BeyondTrust, CISA, Cisco, Fortinet, Google, n8n, and SAP, have also released security updates or advisories.