For the first time in months, May's Patch Tuesday contains no actively exploited zero-day vulnerabilities. No CVEs were being exploited or publicly disclosed at the time of release. Security teams can take a measured breath, but not a long one — the release includes 31 critical vulnerabilities, nearly double the typical monthly count, including a CVSS 9.9 in Microsoft Dynamics 365 and a CVSS 9.8 in Windows Netlogon.
As Action1's director of vulnerability research noted, the absence of zero-days is positive, but the high number of critical vulnerabilities means organizations should still move quickly.
The CVSS 9.9: Dynamics 365
CVE-2026-42898 — Microsoft Dynamics 365 Remote Code Execution. This on-premises Dynamics 365 vulnerability scores 9.9 because it requires no user interaction and can affect systems beyond the original security scope of the vulnerable component. CRM environments integrate with many other critical business systems, so successful exploitation could cascade well beyond the initial compromise. Organizations running on-premises Dynamics 365 should treat this as their top priority.
The CVSS 9.8: Windows Netlogon
CVE-2026-41089 — Windows Netlogon Remote Code Execution. A stack-based buffer overflow in the Netlogon protocol — the same protocol targeted by the Zerologon vulnerability (CVE-2020-1472) in 2020. Netlogon is fundamental to Active Directory authentication, meaning this vulnerability puts the identity infrastructure itself at risk. No user interaction required. Any domain-joined network is a potential target.
Other Critical Highlights
Sixteen of the 31 critical CVEs are remote code execution vulnerabilities spanning Microsoft Office, Word, Windows Native WiFi Miniport Driver, Azure, Office for Android, Dynamics 365, SharePoint, Windows GDI, Graphics Component, Netlogon, and Windows DNS Client.
A Hyper-V elevation of privilege vulnerability (CVE-2026-40402) allows VM escape scenarios — any organization using Hyper-V for multi-tenant or security boundary isolation should prioritize this fix.
The Windows Native WiFi Miniport Driver vulnerability (CVE-2026-32161) is a use-after-free exploitable by an unauthorized attacker over an adjacent network via a race condition. This is particularly relevant for organizations with open wireless networks or shared office spaces.
The CopyFail Linux Vulnerability
Worth noting beyond Microsoft's own fixes: CVE-2026-31431, dubbed "CopyFail," is an AI-discovered elevation of privilege vulnerability in Linux that has been present since 2017. A simple proof-of-concept allows a standard user to obtain root privileges. Major Linux distributions released patches in early April. If your environment includes Linux endpoints managed alongside Windows, verify those patches are deployed.
Deployment Recommendations
The absence of zero-days makes this month more suitable for standard deployment timelines, but 31 critical CVEs is not a month to delay. Prioritize Dynamics 365 (CVE-2026-42898) and Netlogon (CVE-2026-41089) first, then Hyper-V and the WiFi driver. The high critical count means automated patch prioritization based on your actual product inventory — not blanket deployment — will save significant time.
After four consecutive months of zero-days (December through March) and two months of update regressions (January and April), May's clean release is a welcome reprieve. Use it to catch up on any backlog from the chaotic start to 2026.