Windows DNS is the New Perimeter: CVE-2026-41096 and CVE-2026-41089

Microsoft's May 2026 Patch Tuesday landed on May 13 with a headline that sounds reassuring: no zero-days. It is the first Patch Tuesday since June 2024 without a flaw that was actively exploited in the wild or publicly disclosed before release.

Do not let that mislead you.

Two vulnerabilities this month have CVSS scores of 9.8, require no authentication, and target surfaces so fundamental to Windows that patching is not optional - it is urgent.

CVE-2026-41096: Windows DNS Client, CVSS 9.8

Every Windows machine runs the DNS Client service. It translates domain names into IP addresses, and it runs automatically, constantly, in the background of every endpoint and server in your environment.

CVE-2026-41096 is a heap-based buffer overflow in this service. An attacker who can influence DNS responses - through a man-in-the-middle position on the local network, a rogue DNS server, or DNS poisoning - can send a specially crafted response to a vulnerable Windows system and trigger arbitrary code execution with no user interaction and no authentication required.

The attack surface is, practically speaking, every Windows machine on your network.

Microsoft says exploitation is "unlikely." Security practitioners should treat that as a floor estimate. The DNS Client runs on endpoints, servers, domain controllers, and cloud VMs alike. An attacker with internal network access and the ability to influence DNS responses - a realistic position for any post-initial-access actor - has a direct path to unauthenticated code execution across your Windows estate.

Talos's May 2026 Patch Tuesday analysis includes Snort SIDs for this CVE. Pull those rules if you run Snort or Cisco Firepower.

CVE-2026-41089: Windows Netlogon, CVSS 9.8

CVE-2026-41089 is a stack-based buffer overflow in Windows Netlogon - the authentication service that domain controllers use to verify user and machine identities across the network. An attacker can send a specially crafted network request to a domain controller and execute arbitrary code on it, again without authentication.

If DNS Client RCE hits every Windows endpoint, Netlogon RCE hits the crown jewels: domain controllers. A compromised DC is game over for Active Directory-based environments.

What else is on the patch list

Beyond the two headline CVEs, May 2026 Patch Tuesday includes four Microsoft Word RCE flaws (all triggered by opening a malicious file), CVE-2026-35421 (Windows GDI RCE via a crafted Enhanced Metafile opened in Paint), and a Wi-Fi Miniport driver RCE. The total count varies by source and methodology: BleepingComputer reports 120 Microsoft-authored CVEs, while The Hacker News and Vulert count 138 when associated packages are included. Either way, 29-30 are rated Critical.

What to do

Apply the May 12, 2026 cumulative update through Windows Update or WSUS. Prioritize internet-facing systems and domain controllers first. If you run Snort or Firepower, add the Talos SIDs for CVE-2026-41096 and CVE-2026-41089 now, before patching is complete across the estate. Segment and monitor any networks where DNS response integrity cannot be guaranteed - which in practice means any environment that hasn't deployed DNSSEC end-to-end.
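One way to track the prioritization above across the estate, as an added example and not part of the original post: the script below queries each host for its domain role, the state of the DNS Client service (Dnscache), and whether any update has been installed on or after May 12, 2026, then ranks unpatched domain controllers first. It assumes WinRM access to the listed hosts; the host names are constructed samples, and the install date is only a proxy for the cumulative update, so confirm the KB number from Microsoft's advisory.

```powershell
# Added example (not from the original post). Assumes WinRM/PowerShell remoting
# to every host in $Hosts. $Hosts is a constructed sample list; replace it with
# your own inventory (AD query, CMDB export, etc.).
$Hosts = @('dc01.corp.example', 'dc02.corp.example', 'ws-017.corp.example')
$PatchDate = Get-Date '2026-05-12'   # May 2026 cumulative update date from the post

$Report = Invoke-Command -ComputerName $Hosts -ErrorAction Continue -ScriptBlock {
    param($Since)
    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    # DCs are the Netlogon exposure (CVE-2026-41089) and go to the front of the queue.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDC = $role -ge 4

    # Dnscache is the DNS Client service affected by CVE-2026-41096.
    $dns = Get-Service -Name Dnscache -ErrorAction SilentlyContinue

    # Any hotfix installed on/after the patch date. InstalledOn may be null for
    # some entries; a null compared with -ge simply evaluates to false.
    $patched = Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
        Select-Object -ExpandProperty HotFixID

    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        IsDC      = $isDC
        DnsClient = if ($dns) { $dns.Status } else { 'Absent' }
        Patched   = [bool]$patched
        HotFixIDs = ($patched -join ',')
    }
} -ArgumentList $PatchDate

# Ranking: unpatched hosts first (Patched = False sorts before True), and within
# each group domain controllers before member servers and workstations.
$Report |
    Sort-Object -Property @{ Expression = { $_.Patched } },
                          @{ Expression = { -not $_.IsDC } } |
    Format-Table Host, IsDC, DnsClient, Patched, HotFixIDs -AutoSize
```

Hosts that fail to answer over WinRM are reported as errors by Invoke-Command and should be treated as unpatched until verified.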

"Exploitation unlikely" from Microsoft is an initial assessment, not a permanent state. These CVEs have everything attackers look for: high impact, wide surface, no authentication requirement. The only question is how fast weaponized proof-of-concept code appears. Patch before you find out the answer.

Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you want to talk through patch prioritization for your environment.