Microsoft addresses 137 vulnerabilities in May’s Patch Tuesday, including 13 rated critical

Microsoft addressed another triple-digit batch of vulnerabilities cutting across its various enterprise products, components and underlying systems. Yet despite the high number of defects, the vendor reported no actively exploited zero-days in this month’s Patch Tuesday update.

Thirteen of the 137 vulnerabilities Microsoft disclosed were assigned critical CVSS ratings, including a pair of vulnerabilities affecting Azure — CVE-2026-33109 and CVE-2026-42823 — and CVE-2026-42898 in Microsoft Dynamics 365 with 9.9 CVSS scores. 

The company designated 13 vulnerabilities as more likely to be exploited, and 113 defects as less likely or unlikely to be exploited.

The high volume of vulnerabilities reflects a growing trend researchers have been anticipating as artificial intelligence models are deployed to find previously uncovered defects in code. 

While not all of these bugs were found by AI, it’s likely they had an AI-related component — even if it was just AI writing the submission,” Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, wrote in a blog post Tuesday.

Childs was especially intrigued by CVE-2026-41096, which he described as a “nasty-looking bug” in Microsoft Windows DNS that allows unauthorized attackers to run code remotely. 

“No authentication or user interaction needed, and since the DNS Client runs on virtually every Windows machine, the attack surface is enormous. An attacker with a position to influence DNS responses could achieve unauthenticated remote-code execution across your enterprise,” he added. 

Childs also described CVE-2026-41089, a Windows Netlogon defect that allows unauthenticated remote attackers to run code, as the “highest-impact bug that requires immediate patching,” adding that a “compromised domain controller is a compromised domain.”

Jack Bicer, director of vulnerability research at Action1, called out CVE-2026-42898, the critical vulnerability affecting Microsoft Dynamics 365. 

“With no user interaction required, and the potential to impact systems beyond the vulnerable component’s original security scope, this vulnerability poses serious enterprise risk: an attacker with only basic access could turn a business application server into a remote execution platform,” he said in a blog post.

“Compromise of Dynamics 365 infrastructure can expose customer records, operational workflows, financial information, and integrated business systems. Since CRM environments often connect with identity services, databases, and enterprise applications, successful exploitation could lead to broader organizational compromise and operational disruption,” Bicer added.

The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.