What Happened
Microsoft released its May 2026 Patch Tuesday security update on May 12, patching 138 vulnerabilities across the Windows ecosystem — including 17 rated critical. Two flaws stand out for their potential to compromise enterprise networks at scale: CVE-2026-41089, a remote code execution vulnerability in Windows Netlogon carrying a CVSS score of 9.8, and CVE-2026-41096, a critical RCE in the Windows DNS Client, also rated CVSS 9.8. The Hacker News confirmed no zero-days were disclosed in this batch, but the severity of the top-line flaws makes this one of the most consequential Patch Tuesdays of 2026 so far. CyberSecurityNews noted that the Netlogon and DNS Client flaws echo the impact category of historical bugs like SigRed and Zerologon.
Technical Analysis
CVE-2026-41089: Windows Netlogon RCE (CVSS 9.8)
The Netlogon vulnerability allows an unauthenticated attacker to execute remote code with SYSTEM privileges on affected domain controllers — no user interaction required. Netlogon (MS-NRPC) is the protocol that handles authentication between Windows machines and domain controllers. A successful exploit gives the attacker full control over the domain controller, which in turn means full control over the entire Active Directory forest. Vulert's analysis rates this as the most urgent fix in the May batch. Rapid7 confirmed the attack vector targets the Netlogon RPC interface, and exploitation could allow low-privileged or unauthenticated attackers to escalate to SYSTEM on domain controllers — the same trust boundary that Zerologon (CVE-2020-1472) exploited in 2020.
CVE-2026-41096: Windows DNS Client RCE (CVSS 9.8)
The DNS Client flaw is a remote code execution vulnerability in the Windows DNS client implementation. Because DNS is a core networking service running on virtually every Windows system in an enterprise, exploitation could cascade rapidly across the environment. Infosecurity Magazine quoted Action1 vulnerability research director Jack Bicer: "Because DNS is a core networking service used across enterprise environments, exploitation could impact a large number of systems rapidly." The flaw carries a CVSS 9.8 rating, placing it in the same severity tier as the notorious SigRed (CVE-2020-1350) DNS vulnerability.
The Full Scope
Beyond the two headline RCEs, the May batch includes:
- 17 critical vulnerabilities total, including flaws in Azure DevOps and Dynamics 365
- 4 Word RCE vulnerabilities that could be exploited via malicious documents
- Multiple privilege escalation and information disclosure flaws across Windows components
- Notably, Microsoft's own MDASH AI system discovered and helped fix 16 of the Windows flaws in this batch — a sign that AI-assisted vulnerability discovery is becoming operationally relevant
Who's Affected
- Every organization running Windows domain controllers — CVE-2026-41089 puts Active Directory at risk. If you run AD, your domain controllers are the primary target.
- Any Windows system running the DNS client — CVE-2026-41096 affects workstations and servers alike. DNS is not optional.
- Azure DevOps and Dynamics 365 customers — critical flaws in these services could expose cloud-hosted development pipelines and business applications.
- Organizations that delay patching — historical data shows that Patch Tuesday exploits typically appear in the wild within 30 days of disclosure. The Netlogon and DNS flaws will likely be weaponized faster.
How to Protect Yourself
- Patch domain controllers first. CVE-2026-41089 is the highest-priority fix. If you can only patch one thing today, make it your domain controllers. This is a Zerologon-class flaw — treat it accordingly.
- Apply the DNS Client patch (CVE-2026-41096) to all Windows systems within 48 hours. DNS is everywhere. Don't just patch servers — workstations running the DNS client are also in scope.
- Audit Netlogon RPC exposure. Ensure that Netlogon RPC ports (TCP 135, dynamic RPC ports) are not directly accessible from untrusted networks. Use firewall rules to restrict access to domain controllers.
- Enable Netlogon secure channel signing. If you haven't already enforced secure channel signing for Netlogon (per Microsoft's 2021 guidance after Zerologon), do it now. It adds defense-in-depth even after patching.
- Verify Azure DevOps and Dynamics 365 patches. If you run these services, confirm that the critical CVEs specific to them are applied — cloud service patches sometimes require tenant-level action, not just Microsoft-side fixes.
The Sable Angle
May's Patch Tuesday is a reminder that the most dangerous vulnerabilities aren't always zero-days — they're the critical, network-facing RCEs that sit unpatched on domain controllers for weeks because patching is "disruptive." At Sable, we see this constantly in red team engagements: organizations with mature endpoint detection but stale domain controller patching. A single unpatched Netlogon flaw is a full-domain compromise in under 30 minutes. Our offensive assessments map exactly these trust boundaries — Active Directory attack paths, DNS poisoning surfaces, and the gap between your patch policy and your actual patch reality. If your last AD security assessment was more than 6 months ago, it's time.