Microsoft Patch Tuesday May 2026: DNS RCE on Every Windows Machine, Wormable Netlogon

Abhishek Gautam

Quick summary

Microsoft's May 2026 Patch Tuesday ships 120 fixes. CVE-2026-41096, a DNS Client RCE rated CVSS 9.8, affects every Windows device; CVE-2026-41089 is a wormable Netlogon RCE that compromises domain controllers.

Microsoft's May 2026 Patch Tuesday, released May 12, fixes 120 vulnerabilities across Windows, SharePoint, Office, and related products. The release contains no zero-days, the first time that has been true since June 2024. But the absence of actively exploited zero-days does not make this a light month: it contains two CVSS 9.8 remote code execution vulnerabilities that security teams need to treat as wormable-priority patches. CVE-2026-41096 is a DNS Client RCE that affects every Windows device. CVE-2026-41089 is a Netlogon RCE that can compromise an entire Active Directory domain from a single unauthenticated network request to a domain controller.

Patch these two before everything else. Then everything else.

CVE-2026-41096 — Windows DNS Client RCE, CVSS 9.8

CVE-2026-41096 is a heap-based buffer overflow in the Windows DNS Client service. The attack vector: an attacker sends a specially crafted DNS response to a vulnerable system. No authentication is required. No user interaction is required. CVSS 9.8.

The attack surface is the entire enterprise. The Windows DNS Client service runs on essentially every Windows machine — workstations, servers, domain controllers, Azure VMs, every Windows endpoint that resolves hostnames. To exploit it, an attacker needs a position from which they can influence DNS responses received by target machines. That includes:

  • MitM position on the network: An attacker already on the network segment can intercept DNS queries and respond with crafted packets
  • Rogue DNS server: If a target machine can be made to query an attacker-controlled server (via DHCP poisoning, router compromise, or misconfigured DNS), the attack path is open
  • Compromised upstream DNS: Any DNS resolver in the resolution chain that has been compromised can serve malicious responses

The practical implication: a single network-adjacent attacker can potentially use CVE-2026-41096 against every unpatched Windows device on a flat network segment, one after another. Security researchers have described the attack surface as "SIGRed-vibes", a reference to CVE-2020-1350, the 2020 Windows DNS Server RCE that scored CVSS 10 and similarly affected all Windows DNS infrastructure.

The Windows DNS Client is distinct from the Windows DNS Server. CVE-2026-41096 affects clients, meaning the workstations and servers that make DNS queries, not just the DNS servers that answer them. The population of affected devices is therefore dramatically larger than for a DNS Server vulnerability.

Patch: Windows cumulative update for May 12, 2026. Update priority: treat as critical for all Windows devices. Workarounds are not practical at this attack surface scale.
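Workarounds may not be practical, but the rogue-resolver path described above is something a defender can at least see. The following PowerShell is an added example, not code from the article: it lists the resolvers each interface on a Windows host is actually using, flags any that are not in an approved set, and notes whether the interface takes its resolver list from DHCP (the poisoning route mentioned above). The addresses in `$ApprovedResolvers` are constructed placeholders; the cmdlets are the standard DnsClient and NetTCPIP ones that ship with Windows 8 / Server 2012 and later.

```powershell
# Added example, not code from the article: list the resolvers each interface on
# this Windows host is really using and flag any that are not in the approved set.
# A resolver outside the list is the rogue-DNS-server path described above, and a
# host pointed at one is the host whose DNS Client will see untrusted responses.
# $ApprovedResolvers holds constructed placeholder addresses; replace them with
# the organisation's real internal resolvers.

$ApprovedResolvers = @('10.0.0.53', '10.0.1.53')   # placeholder addresses, not from the article

function Test-DnsResolverPolicy {
    param([string[]]$Approved = $ApprovedResolvers)

    # An interface with DHCP enabled can have its resolver list rewritten by whoever
    # answers DHCP on that segment, so record that alongside the resolver check.
    $dhcpState = @{}
    Get-NetIPInterface -AddressFamily IPv4 |
        ForEach-Object { $dhcpState[$_.InterfaceAlias] = [string]$_.Dhcp }

    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |          # skip interfaces with no resolver configured
        ForEach-Object {
            $entry      = $_
            $unexpected = @($entry.ServerAddresses | Where-Object { $Approved -notcontains $_ })
            $status     = if ($unexpected.Count -gt 0) { 'REVIEW' } else { 'ok' }
            [pscustomobject]@{
                Interface  = $entry.InterfaceAlias
                Resolvers  = ($entry.ServerAddresses -join ', ')
                Unexpected = ($unexpected -join ', ')
                ViaDhcp    = $dhcpState[$entry.InterfaceAlias]
                Status     = $status
            }
        }
}

# Run locally; wrap the call in Invoke-Command -ComputerName to sweep a fleet.
Test-DnsResolverPolicy | Format-Table -AutoSize
```

A row marked REVIEW with ViaDhcp set to Enabled is the combination worth chasing first: the host is taking resolvers from the segment it sits on, and at least one of them is not yours. The check does not tell you whether a response was ever malicious; it tells you which hosts are positioned to receive one, which is the useful triage input while the cumulative update is still rolling out.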

CVE-2026-41089 — Windows Netlogon RCE, CVSS 9.8

CVE-2026-41089 is a stack-based buffer overflow in the Windows Netlogon service. The attack: an unauthenticated remote attacker sends a specially crafted network request to a Windows server acting as a domain controller. Code execution results in the context of the Netlogon service.

Security researchers have described CVE-2026-41089 as "Zerologon-energy" — a reference to CVE-2020-1472 (Zerologon), the 2020 vulnerability that allowed complete domain compromise from zero authentication in under three seconds. The comparison is apt: both are Netlogon vulnerabilities, both are unauthenticated, and both have the domain controller as the target. A compromised domain controller is a compromised domain — every credential, every machine, every service in the Active Directory forest.

What makes CVE-2026-41089 potentially wormable: the Netlogon service is exposed on domain controllers to all machines that need to authenticate to the domain. In environments where domain controllers have network access to other domain controllers (the standard AD replication topology), a worm exploiting this vulnerability on one DC can potentially spread to others without further human interaction.

Talos Intelligence and ZDI have both flagged this as requiring immediate patching on all domain controllers before other Patch Tuesday remediation. The framing from multiple security researchers: if you patch nothing else this month, patch this.

Patch: Windows Server cumulative update for May 12, 2026. Patch all domain controllers immediately. Patch all Windows Servers immediately after. Workstations carry less risk from this specific CVE (they run the Netlogon client side, not the server-side service) but should still be patched.

The Rest of the Critical Pile

120 CVEs is a large month even without zero-days. The other headline items:

5 SharePoint RCEs: Multiple remote code execution vulnerabilities in SharePoint Server 2016, 2019, and Subscription Edition. SharePoint RCEs are historically high-value for attackers — SharePoint servers are often internet-accessible, contain sensitive documents, and have deep integration into Office 365 environments. Prioritise patching internet-accessible SharePoint deployments immediately.

4 Word RCEs: Remote code execution vulnerabilities triggered by opening specially crafted Word documents. The standard caveat applies: these require user interaction (opening a malicious file), making them lower-urgency than CVE-2026-41096 and CVE-2026-41089 — but still critical for any environment where staff open email attachments.

DNS Client vs DNS Server: CVE-2026-41096 is a client vulnerability. Microsoft also patched DNS Server vulnerabilities this month — patch both.

No Hyper-V guest-to-host escape in the final CVE list: Early social media posts suggested a Hyper-V escape this month. The final CrowdStrike and Talos analyses do not confirm a guest-to-host escape in the final patch set. If you saw that claim circulating, it was not in the final May 2026 Patch Tuesday release.

No Zero-Days: What That Actually Means

For the first time since June 2024, Microsoft's Patch Tuesday contains no zero-days — no CVEs that were already known and exploited before the patch was released.

This is meaningfully good news, but it does not mean this is a low-priority patch cycle. Security teams sometimes treat "no zero-days" as permission to delay patching. For CVE-2026-41096 and CVE-2026-41089, that logic is wrong. The time from patch release to working exploit for CVSS 9.8 vulnerabilities with public descriptions has shrunk to days in 2026, in some cases hours. The SharePoint CVE-2026-32201 (from April 2026 Patch Tuesday) still has 1,300+ unpatched servers online as of this week. The pattern of "no zero-day today" becoming "actively exploited" within 30 days is well established.

Patch CVE-2026-41096 and CVE-2026-41089 this week, not next sprint.

Patch Priority Order

  1. All domain controllers: CVE-2026-41089 (Netlogon CVSS 9.8 wormable)
  2. All Windows devices: CVE-2026-41096 (DNS Client CVSS 9.8, every device)
  3. Internet-accessible SharePoint: 5 RCEs, historically targeted
  4. All Windows Servers: Remaining server-class vulnerabilities
  5. Workstations and endpoints: Full cumulative update for Word RCEs and remaining CVEs
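The order above, together with the domain-controller-first guidance in the Netlogon section, is easy to state and hard to verify across a real estate. The following PowerShell is an added example, not code from the article or from Microsoft: it sorts every enabled computer object in Active Directory into the tiers above and reports the hosts that are not confirmed to have the May 2026 cumulative update, highest tier first. It assumes the RSAT ActiveDirectory module, WMI access to the hosts for Get-HotFix, an OU that holds the internet-facing SharePoint servers (placeholder DN), and the real KB identifier from Microsoft's May 12, 2026 release notes in place of the `KBXXXXXXX` placeholder, which the article does not supply.

```powershell
# Added example, not code from the article: sort every enabled AD computer into the
# article's patch tiers and report which hosts still lack the May 2026 cumulative
# update, highest tier first. Assumptions: the RSAT ActiveDirectory module is
# installed, the account can query remote hotfix state over WMI, internet-facing
# SharePoint hosts live in a dedicated OU (placeholder DN below), and $RequiredKB
# is replaced with the real KB id from Microsoft's May 12, 2026 release notes
# (the article does not give it, so a placeholder is used here).
#Requires -Modules ActiveDirectory

$RequiredKB   = 'KBXXXXXXX'                          # placeholder, fill in from the release notes
$SharePointOU = 'OU=SharePoint,DC=corp,DC=example'   # placeholder OU for internet-facing SharePoint

$dcNames = @((Get-ADDomainController -Filter *).Name)

# Tier numbers follow the article's priority order. Tier 2 ("all Windows devices",
# CVE-2026-41096) is not a separate host set: every host gets the same cumulative
# update, so it is covered as tiers 1 and 3 to 5 are worked through in order.
function Get-PatchTier {
    param($Computer)
    if ($dcNames -contains $Computer.Name)                   { return 1 }  # domain controllers (CVE-2026-41089)
    if ($Computer.DistinguishedName -like "*,$SharePointOU") { return 3 }  # internet-accessible SharePoint
    if ($Computer.OperatingSystem -like '*Server*')          { return 4 }  # remaining Windows Servers
    return 5                                                               # workstations and endpoints
}

function Get-PatchState {
    param([string]$ComputerName)
    try {
        $installed = @((Get-HotFix -ComputerName $ComputerName -ErrorAction Stop).HotFixID)
        if ($installed -contains $RequiredKB) { 'patched' } else { 'MISSING' }
    } catch {
        'unreachable'   # could not query the host: treat as unknown, never as patched
    }
}

$report = Get-ADComputer -Filter 'Enabled -eq $true' -Properties OperatingSystem |
    ForEach-Object {
        [pscustomobject]@{
            Tier     = Get-PatchTier $_
            Computer = $_.Name
            OS       = $_.OperatingSystem
            State    = Get-PatchState $_.Name
        }
    }

# Hosts not confirmed patched, ordered so the top of the list is today's work.
$report | Where-Object State -ne 'patched' | Sort-Object Tier, Computer | Format-Table -AutoSize
```

Two design points. An unreachable host is reported rather than dropped, because a domain controller that cannot be queried is not a domain controller you know to be patched. And Get-HotFix reads the Win32_QuickFixEngineering list, which does record cumulative updates but lags a reboot; a host that has installed the update and not yet restarted will still show as MISSING, which for these two CVEs is the right answer.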

Key Takeaways

  • CVE-2026-41096 DNS Client RCE CVSS 9.8: Heap buffer overflow in Windows DNS Client; no auth, no user interaction; affects every Windows device; attacker needs DNS response influence (MitM, rogue server, compromised upstream); "SIGRed-vibes" attack surface
  • CVE-2026-41089 Netlogon RCE CVSS 9.8: Stack buffer overflow in Netlogon; unauthenticated; targets domain controllers; wormable across DC topology; "Zerologon-energy" — a compromised DC is a compromised domain
  • 120 total CVEs, no zero-days: First zero-day-free Patch Tuesday since June 2024; no zero-days does not mean low urgency for the CVSS 9.8 pair
  • 5 SharePoint RCEs, 4 Word RCEs: Patch internet-accessible SharePoint deployments immediately after domain controllers
  • Patch order: DCs first (CVE-2026-41089) → all Windows (CVE-2026-41096) → SharePoint → remaining servers → workstations
  • No Hyper-V escape confirmed: Early social media claims were not in the final release

For the PAN-OS RCE patched last week, read CVE-2026-0300 PAN-OS RCE: No Auth, CISA KEV, Patch May 13. For the BeyondTrust PAM RCE with 10,600 exposed instances, read CVE-2026-1731: BeyondTrust Pre-Auth RCE.

Frequently Asked Questions

What is the most critical vulnerability in Microsoft Patch Tuesday May 2026?

Two vulnerabilities tie for highest priority, both CVSS 9.8. CVE-2026-41096 is a heap buffer overflow in the Windows DNS Client — it affects every Windows device (not just servers), requires no authentication and no user interaction, and can be triggered by a specially crafted DNS response. CVE-2026-41089 is a stack buffer overflow in the Windows Netlogon service that allows unauthenticated remote code execution on domain controllers, making it potentially wormable across an Active Directory environment. Security researchers describe it as "Zerologon-energy" — a compromised domain controller means a fully compromised domain.

Does CVE-2026-41096 affect my workstations as well as servers?

Yes. CVE-2026-41096 is a vulnerability in the Windows DNS Client service, which runs on virtually every Windows machine — workstations, laptops, servers, domain controllers, and Azure VMs. It is not limited to Windows DNS Servers. Any Windows device that resolves hostnames (which is all of them) is potentially vulnerable. An attacker who can influence DNS responses received by a target machine — through MitM positioning, DHCP poisoning, a rogue DNS server, or a compromised upstream resolver — can achieve remote code execution with no authentication required.

How urgent is patching if there are no zero-days in May 2026 Patch Tuesday?

The absence of zero-days (first time since June 2024) is genuinely good news but does not reduce patch urgency for CVE-2026-41096 and CVE-2026-41089. The timeline from patch release to working public exploit for CVSS 9.8 vulnerabilities has shrunk to days or hours in 2026. The April 2026 SharePoint zero-day (CVE-2026-32201) still has 1,300+ unpatched servers exposed online weeks after patching. Treat "no zero-day today" as a brief window to patch before it becomes an exploited vulnerability — not as a reason to defer patching.

What is the correct order to apply May 2026 Patch Tuesday patches?

Patch in this order: (1) All domain controllers first — CVE-2026-41089 Netlogon RCE can compromise your entire AD forest from one unpatched DC; (2) All Windows devices — CVE-2026-41096 DNS Client RCE affects every Windows endpoint; (3) Internet-accessible SharePoint servers — 5 RCEs this month, historically high-value targets; (4) All remaining Windows Servers; (5) Workstations and endpoints for remaining cumulative update items including Word RCEs. Apply the full Windows cumulative update for May 12, 2026 on all supported Windows versions.


Written by

Software Engineer based in Delhi, India. Writes about AI models, semiconductor supply chains, and tech geopolitics — covering the intersection of infrastructure and global events. 952+ posts cited by ChatGPT, Perplexity, and Gemini. Read in 167 countries.