Back Issues This Week → Current Issue → Popular →

Microsoft published 137 vulnerabilities on May 2026 Patch Tuesday with no known public exploitation or disclosure. Critical vulnerabilities include CVE-2026-41089, a stack-based buffer overflow in Windows Netlogon with CVSS 9.8 that could grant SYSTEM privileges on domain controllers, and CVE-2026-41096, a critical RCE in the Windows DNS client.

Additionally, CVE-2026-41103 affects the Microsoft Entra ID authentication plugin for JIRA and Confluence, allowing unauthorized users to impersonate existing users. Microsoft has also provided patches for 133 browser vulnerabilities separate from the main Patch Tuesday count, and announced a six-month extension for .NET 9 STS support, moving the end of support date to November 10, 2026.