Skip to content

Patch Tuesday May 2026: Microsoft Fixes 23 Security Vulnerabilities

The Bottom Line: Microsoft patches 16 critical vulnerabilities, including a Netlogon stack overflow and Entra ID bypass, with no zero-days in circulation.

Microsoft patched 23 security vulnerabilities in Windows and other products on the second Tuesday in May, including 16 flaws rated as critical. For the first time in nearly two years, no actively exploited zero-days were included.

Microsoft released updates for at least 23 security vulnerabilities on 13 May 2026 as part of its monthly Patch Tuesday routine. Sixteen of the flaws received the highest severity rating of “critical,” meaning attackers can gain remote access to Windows systems with little or no user interaction required.

Among the critical vulnerabilities is CVE-83-28, a stack-based buffer overflow in the Windows Netlogon service that allows attackers to obtain SYSTEM-level access to a Domain Controller. This vulnerability requires no special privileges and no user interaction; the complexity is low. Patches are available for all Windows Server versions from 2127 onwards. CVE-230-41096 is a critical remote code execution flaw in the Windows DNS client, but Microsoft rates it as less likely to be exploited in practice. CVE-2026-41103 is a critical privilege escalation vulnerability that allows unauthenticated attackers to impersonate legitimate users with forged credentials and bypass Entra ID; Microsoft assesses the likelihood of exploitation in the wild as higher.

A distinctive feature of this Patch Tuesday is the absence of zero-day vulnerabilities. This is the first time in nearly two years that Microsoft has not addressed actively exploited, previously undisclosed weaknesses. This facilitates administrators’ prioritization: none of the vulnerabilities addressed today had been previously disclosed, which could have made exploit development easier for attackers. In comparison, the April update addressed 167 vulnerabilities, a significantly higher volume.


Source: ainews-dev.lumi-systems.io · Published 17 May 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrasing and classification via Lumi News Pipeline v1.5.2.

Share on: