Microsoft on Tuesday launched patches for 138 security vulnerabilities spanning its product portfolio, though none of them have been listed as publicly identified or beneath energetic assault.
Of the 138 flaws, 30 are rated Important, 104 are rated Necessary, three are rated Average, and one is rated Low in severity. As many as 61 vulnerabilities are categorised as privilege escalation bugs, adopted by 32 distant code execution, 15 info disclosure, 14 spoofing, eight denial-of-service, six security function bypass, and two tampering flaws.
The replace listing additionally features a vulnerability that was patched by AMD (CVE-2025-54518, CVSS rating: 7.3) this month. It pertains to a case of improper isolation of shared assets throughout the CPU operation cache on Zen 2-based merchandise that would enable an attacker to deprave directions executed at a unique privilege degree, probably leading to privilege escalation.
The patches are additionally along with 127 security flaws that Google has addressed in Chromium, which varieties the premise for Microsoft’s Edge browser.
One of the crucial extreme vulnerabilities patched by Redmond is CVE-2026-41096 (CVSS rating: 9.8), a heap-based buffer overflow flaw impacting Home windows DNS that would enable an unauthorized attacker to execute code over a community.
“An attacker may exploit this vulnerability by sending a specifically crafted DNS response to a susceptible Home windows system, inflicting the DNS Consumer to incorrectly course of the response and corrupt reminiscence,” Microsoft stated. “In sure configurations, this might enable the attacker to run code remotely on the affected system with out authentication.”
Additionally fastened by Microsoft are a number of Important- and Necessary-rated flaws –
- CVE-2026-33109 (CVSS rating: 9.9) – An improper entry management in Azure Managed Occasion for Apache Cassandra that enables a licensed attacker to execute code over a community. (Requires no buyer motion)
- CVE-2026-42898 (CVSS rating: 9.9) – A code injection vulnerability in Microsoft Dynamics 365 (on-premises) that enables a licensed attacker to execute code over a community.
- CVE-2026-42823 (CVSS rating: 9.9) – An improper entry management in Azure Logic Apps that enables a licensed attacker to raise privileges over a community.
- CVE-2026-41089 (CVSS rating: 9.8) – A stack-based buffer overflow in Home windows Netlogon that enables an unauthorized attacker to execute code over a community without having to check in or have prior entry by sending a specifically crafted community request to a Home windows server that’s performing as a website controller.
- CVE-2026-33823 (CVSS rating: 9.6) – An improper authorization in Microsoft Groups that enables a licensed attacker to reveal info over a community. (Requires no buyer motion)
- CVE-2026-35428 (CVSS rating: 9.6) – A command injection vulnerability in Azure Cloud Shell that enables an unauthorized attacker to carry out spoofing over a community. (Requires no buyer motion)
- CVE-2026-40379 (CVSS rating: 9.3) – An publicity of delicate info to an unauthorized actor in Azure Entra ID that enables an unauthorized attacker to carry out spoofing over a community. (Requires no buyer motion)
- CVE-2026-40402 (CVSS rating: 9.3) – A user-after-free in Home windows Hyper-V that enables an unauthorized attacker to realize SYSTEM privileges and entry the Hyper-V host atmosphere.
- CVE-2026-41103 (CVSS rating: 9.1) – An incorrect implementation of authentication algorithm in Microsoft SSO Plugin for Jira & Confluence that enables an unauthorized attacker to realize unauthorized entry to Jira or Confluence as a sound person and carry out actions with the identical permissions because the compromised account.
- CVE-2026-33117 (CVSS rating: 9.1) – An improper authentication in Azure SDK that enables an unauthorized attacker to bypass a security function over a community.
- CVE-2026-42833 (CVSS rating: 9.1) – An execution with pointless privileges in Microsoft Dynamics 365 (on-premises) that enables a licensed attacker to execute code over a community and achieve the flexibility to work together with different tenant’s purposes and content material.
- CVE-2026-33844 (CVSS rating: 9.0) – An improper enter validation in Azure Managed Occasion for Apache Cassandra that enables a licensed attacker to execute code over a community. (Requires no buyer motion)
“This essential elevation of privilege vulnerability permits an unauthorized attacker to impersonate an current person by presenting solid credentials, thus bypassing Entra ID,” Adam Barnett, lead software program engineer at Rapid7, stated about CVE-2026-41103.
Jack Bicer, director of vulnerability analysis at Action1, described CVE-2026-42898 as a essential flaw that enables an authenticated attacker with low privileges to run arbitrary code over the community by manipulating course of session information inside Dynamics CRM.
“With no person interplay required, and the potential to influence techniques past the susceptible element’s unique security scope, this vulnerability poses severe enterprise danger: an attacker with solely fundamental entry may flip a enterprise utility server right into a distant execution platform,” Bicer stated.
“Compromise of Dynamics 365 infrastructure can expose buyer data, operational workflows, monetary info, and built-in enterprise techniques. Since CRM environments usually join with id providers, databases, and enterprise purposes, profitable exploitation may result in broader organizational compromise and operational disruption.”
Organizations are additionally suggested to replace Home windows Safe Boot certificates to their 2023 counterparts forward of subsequent month, when the 2011-issued certificates are set to run out. Microsoft first introduced the change in November 2025.
“Probably the most essential non-CVE replace includes the necessary rollout of up to date Safe Boot certificates,” Rain Baker, senior incident response specialist at Nightwing, stated. “Gadgets failing to obtain these updates earlier than the June 26 deadline face ‘catastrophic boot-level security failures’ or degraded security states. Guarantee your whole fleet efficiently rotates to the brand new belief anchors earlier than the June 26, 2026, deadline.”
In line with Satnam Narang, senior employees analysis engineer at Tenable, Microsoft has already patched over 500 CVEs 5 months into the yr. This huge quantity of fixes displays a broader trade development the place vulnerability discovery has scaled new highs, with a piece of them flagged by way of synthetic intelligence (AI)-powered approaches.
Microsoft, in a report printed Tuesday, stated AI-assisted vulnerability discovery is predicted to extend the dimensions of Patch Tuesday releases within the coming months, including 16 of the failings fastened this month throughout the Home windows networking and authentication stack had been recognized via its new multi-model AI-driven vulnerability discovery system, codenamed MDASH (brief for multi-model agentic scanning harness).
“On this month’s launch, a better share of the problems addressed had been found by Microsoft, in comparison with prior months,” Tom Gallagher, vice chairman of engineering at Microsoft Safety Response Heart, stated. “Many of those had been surfaced via AI investments and investigations throughout our engineering and analysis groups, together with using Microsoft’s new multi-model AI-driven scanning harness.”
Microsoft additionally emphasised that the dimensions and pace of vulnerability discovery led to by AI can elevate operational calls for and requires a constant, disciplined method to danger administration in an effort to make sure that points are mitigated shortly and glued in a well timed style.
“Keep present on supported working techniques, merchandise, and patches, and revisit the pace and consistency of your patching cadence,” Gallagher stated. “Triage by publicity and influence, not uncooked rely.”
Different suggestions outlined by Microsoft embrace decreasing pointless web publicity, bettering configuration hygiene, eradicating legacy authentication, enabling multi-factor authentication (MFA), imposing robust entry controls, segmenting environments to comprise incidents, and investing in detection and response.
“The work of discovering and fixing vulnerabilities continues to get sooner, broader, and extra rigorous throughout the trade,” the tech big stated. “What we encourage in flip is a considerate take a look at whether or not the practices that labored nicely for the patching panorama of some years in the past are nonetheless nicely matched to the place the panorama is heading.”
“The basics haven’t modified. The tempo at which they have to be utilized is altering, and the organizations that modify with will probably be those greatest positioned for what comes subsequent.”
