
Microsoft on Tuesday released patches for 138 security vulnerabilities across its product portfolio, but none are listed as publicly known or under active attack.
Of the 138 defects, 30 were rated critical, 104 were rated important, 3 were rated moderate, and 1 was rated low. As many as 61 vulnerabilities were categorized as privilege elevation bugs, followed by 32 remote code execution, 15 information disclosure, 14 spoofing, eight denial of service, six security feature bypass, and two tampering flaws.
The update list also includes a vulnerability (CVE-2025-54518, CVSS score: 7.3) that AMD patched this month. It concerns improper isolation of shared resources in the op cache (operation cache) of Zen 2-based CPUs, which could allow an attacker to corrupt instructions executed at a different privilege level, resulting in privilege escalation.
The fixes are in addition to the 127 security flaws Google has addressed in Chromium, the open-source project on which Microsoft's Edge browser is based.
One of the most severe vulnerabilities patched by Redmond is CVE-2026-41096 (CVSS score: 9.8). This is a heap-based buffer overflow flaw affecting Windows DNS that could allow an unauthorized attacker to execute code over the network.
“An attacker could exploit this vulnerability by sending a specially crafted DNS response to a vulnerable Windows system, which could cause the DNS client to mishandle the response and corrupt memory,” Microsoft said. “In certain configurations, this could allow an attacker to remotely execute code on an affected system without authentication.”
Several defects rated critical and important by Microsoft have also been fixed –
CVE-2026-42826 (CVSS score: 10.0) – Azure DevOps exposes sensitive information to an unauthorized attacker, allowing information disclosure over the network. (No customer action required)
CVE-2026-33109 (CVSS score: 9.9) – Improper access controls in Azure Managed Instance for Apache Cassandra allow an authorized attacker to execute code over the network. (No customer action required)
CVE-2026-42898 (CVSS score: 9.9) – Code injection vulnerability in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code over the network.
CVE-2026-42823 (CVSS score: 9.9) – Improper access controls in Azure Logic Apps allow an authorized attacker to escalate privileges over the network.
CVE-2026-41089 (CVSS score: 9.8) – Stack-based buffer overflow in Windows Netlogon allows an unauthorized attacker to execute code over the network, without a sign-in or prior access, by sending a specially crafted network request to a Windows server acting as a domain controller.
CVE-2026-33823 (CVSS score: 9.6) – Improper authorization in Microsoft Teams allows an authorized attacker to disclose information over the network. (No customer action required)
CVE-2026-35428 (CVSS score: 9.6) – Command injection vulnerability in Azure Cloud Shell allows an unauthorized attacker to perform spoofing over the network. (No customer action required)
CVE-2026-40379 (CVSS score: 9.3) – Microsoft Entra ID leaks sensitive information to an unauthorized attacker, allowing that attacker to perform spoofing over the network. (No customer action required)
CVE-2026-40402 (CVSS score: 9.3) – Use-after-free in Windows Hyper-V allows an unauthorized attacker to gain SYSTEM privileges and access the Hyper-V host environment.
CVE-2026-41103 (CVSS score: 9.1) – The authentication algorithm in the Microsoft SSO Plugin for Jira & Confluence is incorrectly implemented, allowing an unauthorized attacker to gain access to Jira or Confluence as a valid user and perform actions with the privileges of the compromised account.
CVE-2026-33117 (CVSS score: 9.1) – Improper authentication in the Azure SDK allows an unauthorized attacker to bypass security features over the network.
CVE-2026-42833 (CVSS score: 9.1) – Execution with unnecessary privileges in Microsoft Dynamics 365 (on-premises) allows an authorized attacker to execute code and interact with applications and content in other tenants over the network.
CVE-2026-33844 (CVSS score: 9.0) – Improper input validation in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over the network. (No customer action required)
CVE-2026-40361 (CVSS score: 8.4) – Use-after-free vulnerability in Microsoft Office Word allows an unauthorized attacker to execute code locally without user interaction.
CVE-2026-40364 (CVSS score: 8.4) – Type confusion vulnerability in Microsoft Office Word allows an unauthorized attacker to execute code locally without user interaction.
Adam Barnett, lead software engineer at Rapid7, said of CVE-2026-41103, “This critical privilege escalation vulnerability allows an unauthorized attacker to impersonate an existing user and bypass Entra ID by presenting forged credentials.”
Jack Bicer, Director of Vulnerability Research at Action1, described CVE-2026-42898 as a critical flaw that allows an authenticated attacker with low privileges to execute arbitrary code over the network by manipulating process session data within Dynamics CRM.
“This vulnerability poses a significant risk to enterprises because it does not require user interaction and can impact the system beyond the original security scope of the vulnerable component. An attacker with only basic access could turn a business application server into a remote execution platform,” Bicer said.
“A compromise of Dynamics 365 infrastructure can expose customer records, operational workflows, financial information, and integrated business systems. Because CRM environments are often connected to identity services, databases, and enterprise applications, a successful exploit could lead to widespread organizational compromise and operational disruption.”
Organizations are also advised to rotate their Windows Secure Boot certificates to the 2023 certificates ahead of next month's expiration of the certificates issued in 2011. Microsoft first announced the change in November 2025.
“The most important non-CVE updates include forced deployment of updated secure boot certificates,” said Rain Baker, senior incident response specialist at Nightwing. “Devices that fail to receive these updates by the June 26 deadline will face a ‘catastrophic boot-level security failure’ or degraded security condition. Ensure your entire fleet is successfully rotated to the new trust anchor by the June 26, 2026 deadline.”
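To turn the rotation deadline into something a fleet can be audited against, the following PowerShell script (an added example, not code from the article or from Microsoft's guidance) reads the UEFI db and KEK variables and reports which Microsoft CAs the device currently trusts. The CA subject names it matches on, and the UEFICA2023Status registry value it reads, are taken from Microsoft's published Secure Boot servicing documentation; the function names and the rotated/not-rotated rule are this example's own assumptions. It must run elevated on a UEFI system.

```powershell
# Added example: audit a Windows device's Secure Boot trust anchors before the
# 2011 certificates expire. Not taken from the article or from Microsoft's code.
# Run in an elevated PowerShell session on a UEFI-booted system.

function Get-SecureBootCaStatus {
    if (-not (Confirm-SecureBootUEFI)) {
        throw "Secure Boot is not enabled; nothing to rotate on this device."
    }

    # db (allowed signers) and KEK are raw EFI_SIGNATURE_LIST blobs. The CA
    # subject names sit as ASCII inside the embedded X.509 certificates, so a
    # substring match on the decoded bytes is enough to detect each CA.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)

    $result = [ordered]@{
        # 2011-era anchors that are expiring; their presence alone is not enough.
        'Microsoft Windows Production PCA 2011 (db)' = $db  -match 'Microsoft Windows Production PCA 2011'
        'Microsoft Corporation UEFI CA 2011 (db)'    = $db  -match 'Microsoft Corporation UEFI CA 2011'
        'Microsoft Corporation KEK CA 2011 (KEK)'    = $kek -match 'Microsoft Corporation KEK CA 2011'
        # 2023 replacements the device must hold before the deadline.
        'Windows UEFI CA 2023 (db)'                  = $db  -match 'Windows UEFI CA 2023'
        'Microsoft UEFI CA 2023 (db)'                = $db  -match 'Microsoft UEFI CA 2023'
        'Microsoft Option ROM UEFI CA 2023 (db)'     = $db  -match 'Microsoft Option ROM UEFI CA 2023'
        'Microsoft Corporation KEK 2K CA 2023 (KEK)' = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
    }

    # Windows tracks servicing progress under the SecureBoot\Servicing key. The
    # value name comes from Microsoft's servicing guidance (assumption: it may be
    # absent on devices that have not yet received the servicing update).
    $servicing = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
    $status = (Get-ItemProperty -Path $servicing -ErrorAction SilentlyContinue).UEFICA2023Status
    $result['UEFICA2023Status (registry)'] = if ($status) { $status } else { 'not reported' }

    return [pscustomobject]$result
}

function Test-SecureBootRotated {
    # Example rule (an assumption, not Microsoft's definition): a device counts as
    # rotated only when the new Windows CA is trusted in db AND the new KEK is
    # present, since future db updates must be signed under that KEK.
    $s = Get-SecureBootCaStatus
    return ($s.'Windows UEFI CA 2023 (db)' -and $s.'Microsoft Corporation KEK 2K CA 2023 (KEK)')
}

Get-SecureBootCaStatus | Format-List
if (Test-SecureBootRotated) {
    'Rotated to the 2023 trust anchors'
} else {
    'NOT rotated: schedule the Secure Boot certificate update before the deadline'
}
```

Run it through your endpoint management tooling and collect the two boolean fields that Test-SecureBootRotated depends on; a device that still shows only the 2011 entries is the one Baker's "degraded security condition" applies to. The db match is deliberately conservative: the 2023 Option ROM and third-party CAs matter for add-in cards and non-Windows boot loaders, so check those too on hardware that relies on them.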
More than 500 CVEs to date in 2026
Microsoft has already patched more than 500 CVEs in the first five months of this year, according to Satnam Narang, senior staff research engineer at Tenable. The volume reflects a broader industry trend in which vulnerability discovery is reaching new highs, with many of the findings flagged by artificial intelligence (AI)-powered approaches.
AI-assisted vulnerability discovery is expected to increase the scale of Patch Tuesday releases in the coming months, Microsoft said in a report on Tuesday, adding that 16 of the flaws fixed this month across the Windows networking and authentication stack were identified through a new multi-model AI-driven vulnerability discovery system code-named MDASH (Multi-Model Agentic Scan Harness).
“Microsoft discovered a larger percentage of the issues addressed in this month’s releases compared to previous months,” said Tom Gallagher, vice president of engineering for the Microsoft Security Response Center. “Many of these were uncovered through AI investments and research across our engineering and research teams, including the use of Microsoft’s new multi-model AI-powered scanning harness.”
Microsoft also emphasized that the scale and speed of vulnerability discovery driven by AI can increase operational demands, requiring a consistent and disciplined approach to risk management to quickly mitigate and remediate issues in a timely manner.
“Stay current on supported operating systems, products, and patches, and reconsider the speed and consistency of patching,” Gallagher said. “We triage by exposure and impact, not raw numbers.”
Other recommendations outlined by Microsoft include reducing unnecessary internet exposure, improving configuration health, removing legacy authentication, enabling multi-factor authentication (MFA), enforcing strong access controls, segmenting the environment to contain incidents, and investing in detection and response.
“Our efforts to discover and remediate vulnerabilities continue to become faster, more widespread, and more rigorous across the industry,” the tech giant said. “The next thing we encourage is careful consideration of whether the practices that worked well in patched landscapes a few years ago still fit well with where the landscape is headed.”
“The fundamentals haven’t changed. The pace at which we need to adapt has changed, and organizations that adapt will be best positioned for what comes next.”
