Microsoft May 2026 Patch Tuesday: Netlogon, DNS Client RCE vs ZeroLogon/SIGRed
TL;DR
Released With the May 12, 2026 Patch Tuesday (May 13 in time zones ahead of US Pacific): 137 Microsoft CVEs, 30 Critical, no zero-days in active exploitation or public disclosure
What’s at risk Every Windows environment. Netlogon RCE (CVE-2026-41089) targets domain controllers; DNS Client RCE (CVE-2026-41096) targets every Windows host that resolves DNS. Both CVSS 9.8, unauthenticated, network-reachable
How urgent Exploitability Index is Less Likely for Netlogon and Unlikely for DNS Client. Don’t read that as “ignore” — the same call missed SIGRed in 2020. Pair the score with the ZeroLogon and SIGRed precedents
What to patch first Tier 1: domain controllers, Dynamics 365 on-premises (CVSS 9.9). Tier 2: DNS-resolving endpoints, Office/Word RCEs (4 fixes), SharePoint. Tier 3: remaining Critical
Also this month Secure Boot 2011 certificate starts expiring June 2026 — schedule the 2023 cert migration in the same patch window
Microsoft’s May 2026 Patch Tuesday landed with 137 CVEs, 30 rated Critical, and zero zero-days in active exploitation or public disclosure.
What deserves attention before the volume is the two unauthenticated network RCEs: CVE-2026-41089 (Windows Netlogon) and CVE-2026-41096 (Windows DNS Client). Both are CVSS 9.8, with the attack vector AV:N/AC:L/PR:N/UI:N — network, low complexity, no privileges, no user interaction. Microsoft’s Exploitability Index, however, marks Netlogon as Less Likely and DNS Client as Unlikely. Reading priority purely off the CVSS score misses something important.
Both CVEs have well-known historical predecessors in Windows: Netlogon’s is ZeroLogon (CVE-2020-1472), DNS Client’s is SIGRed (CVE-2020-1350). The vulnerability mechanics differ, but the historical comparisons clarify the attack surface and blast radius.
CVE-2026-41089: Netlogon stack-based buffer overflow
CVE-2026-41089 is a stack-based buffer overflow in netlogon.dll, the implementation of the Netlogon Remote Protocol (MS-NRPC).
According to the MSRC advisory, an attacker sending a crafted network request to a Windows server acting as a domain controller can cause Netlogon to mishandle the request and reach code execution without a sign-in or prior access.
A stack-based buffer overflow writes past the end of a fixed-size buffer in a function’s stack frame. When the overwrite reaches a saved return address or an exception handler record, control flow jumps wherever the attacker wrote. Compared with heap overflows (which is what the DNS Client bug is), the stack side is the more classic surface with well-traveled tradecraft, which is also why it is the side where mitigations such as stack canaries have been in place longest.
Difference from ZeroLogon (CVE-2020-1472)
ZeroLogon was a cryptographic design flaw in the Netlogon authentication protocol itself. AES-CFB8 was used with an all-zero initialization vector, so for roughly one key in 256 an all-zero client challenge produced an all-zero credential; an unauthenticated attacker could simply retry until that happened (256 attempts on average), then reset the computer-account password of a domain controller and, from there, own the entire domain. CVSS 10.0, Exploitability Index More Likely, with CISA issuing Emergency Directive 20-04 requiring federal agencies to patch within days (deadline September 21, 2020).
CVE-2026-41089 shares the same attack surface (Netlogon) but is a memory corruption bug, not a protocol-level design flaw. ZeroLogon needed no exploit development at all: a deterministic retry loop against a flawed primitive worked the same way on every DC. A stack overflow has to get past the runtime mitigations Windows has accumulated, stack canaries (/GS), ASLR and Control Flow Guard (CFG), and the path from corruption to reliable code execution has grown progressively harder as each was added. That, rather than any lack of attacker interest, is why a reliable, immediate exploit is harder here than it was for ZeroLogon.
That said, “implementation bug, so it’s safe” is the wrong read. The attack surface is the domain controller itself, and the blast radius on successful exploitation is comparable to ZeroLogon. Microsoft’s Less Likely call is an estimate of “how hard is it to weaponize,” not “how valuable is the target.”
CVE-2026-41096: DNS Client heap-based buffer overflow
CVE-2026-41096 is a heap-based buffer overflow in the DNS response parser inside dnsapi.dll.
According to the MSRC advisory, an attacker sending a crafted DNS response to a vulnerable Windows system can cause the DNS Client to mishandle the response, leading from memory corruption to code execution.
A heap-based buffer overflow writes past the boundary of a memory region allocated through APIs like HeapAlloc. If the corruption reaches the metadata of an adjacent heap chunk or a function pointer, subsequent heap operations or virtual function calls can be hijacked. Unlike the stack side, heap memory layout is dynamic, and reliable exploitation typically requires a preparation phase called “heap grooming.” That’s part of why the Exploitability Index is set to Unlikely here.
Difference from SIGRed (CVE-2020-1350)
SIGRed was a heap overflow on the Windows DNS Server side — CVSS 10.0 and flagged as wormable. It triggered on malicious DNS responses processed by a server, and the worst-case scenario had corporate DNS server fleets being weaponized as worm-propagation hops.
CVE-2026-41096 is on the DNS Client side, and that’s the most important difference. The attack surface is inverted.
- SIGRed: DNS server fleets were the target. Few in number, centrally managed, easy for enterprises to patch first.
- CVE-2026-41096: Every Windows host that resolves DNS is the target. Workstations, servers, jump hosts, build agents — all of them.
The attack entry point is “receiving a malicious DNS response,” which includes (1) application paths that steer queries to attacker domains (links in mail, hostname resolution for embedded image hosts), (2) upstream resolver compromise, and (3) DNS spoofing on the local network. The “DNS is internal, so it’s safe” perimeter assumption doesn’t hold up against an endpoint-side vulnerability.
Reading “Unlikely” / “Less Likely” in the Exploitability Index
Microsoft’s Exploitability Index is a four-level scale.
| Label | Meaning | Operational reading |
|---|---|---|
| Detected | Known exploit exists | Patch immediately, assume attacks are in progress |
| More Likely | Exploit expected within 30 days | Priority patch |
| Less Likely | Exploit possible but unlikely to be reliable soon | Routine patch — keep high-value targets watched |
| Unlikely | Exploitation requires significant research | Routine deployment — but this label has a multi-year tail |
Two things to keep in mind.
First, the Exploitability Index estimates “how quickly a reliable exploit emerges,” not “how bad it would be if one did.” DNS Client RCE being Unlikely doesn’t change the fact that, if an exploit is written, every Windows endpoint is in scope.
Second, Microsoft’s call can be wrong. SIGRed was initially described as “a working public exploit will take time,” yet PoCs appeared right after disclosure. The combination of CVSS 9.8 × Exploitability Unlikely has been misread as “ignorable” before, and that read has played out badly more than once.
Critical distribution among the 137 CVEs
| Category | Notable CVEs | Type |
|---|---|---|
| Windows Netlogon | CVE-2026-41089 | Unauth RCE (CVSS 9.8) |
| Windows DNS Client | CVE-2026-41096 | Unauth RCE (CVSS 9.8) |
| Microsoft Office | CVE-2026-40358, CVE-2026-40363 | Local RCE (UAF / heap overflow) |
| Microsoft Word | CVE-2026-40361 (+3 more) | Local RCE (UAF) |
| Microsoft SharePoint | CVE-2026-40365 | Authenticated RCE (Site Owner+) |
| Azure DevOps | CVE-2026-42826 | RCE CVSS 10.0 (no customer action) |
| Dynamics 365 on-premises | CVE-2026-42898 | Authenticated RCE (CVSS 9.9) |
| Windows Native WiFi Miniport | (Critical RCE) | RCE |
| Windows GDI / Graphics | (Critical RCE) | RCE |
| Windows Hyper-V | (Critical) | EoP / Information Disclosure |
The four Word RCEs are noteworthy. The memory-corruption fixes in .docx and embedded-object parsing shipped together, so organizations whose threat model includes email attachments or SharePoint-shared documents as a social-engineering channel should prioritize the Office update channel.
SharePoint CVE-2026-40365 carries an authentication requirement (Site Owner or higher), so as a remote attack on externally exposed SharePoint, it’s a step below the recent ToolShell wave. But in SharePoint Hybrid setups where Site Owner token hygiene is loose, it remains a practical exploitation path.
On the cloud side, CVE-2026-42826 (Azure DevOps, CVSS 10.0) is marked as no-customer-action — wait for Microsoft to finish the rollout. The Dynamics 365 on-premises CVE-2026-42898 is also Critical but lives in a different operating mode: it’s not SaaS, so you have to patch. Don’t lump “cloud Critical” together with “on-prem Critical.”
Patch priority order
Priority shifts with the environment, but the typical enterprise sequence looks like this.
| Tier | Timing | Target | Relevant CVE |
|---|---|---|---|
| Tier 1 | Immediate | Domain controllers | CVE-2026-41089 (Netlogon RCE) |
| Tier 1 | Immediate | Dynamics 365 on-premises | CVE-2026-42898 (CVSS 9.9) |
| Tier 2 | Within the week | Windows endpoints that resolve DNS | CVE-2026-41096 (DNS Client RCE) |
| Tier 2 | Within the week | Office / Word | CVE-2026-40358 and others |
| Tier 2 | Within the week | SharePoint Server | CVE-2026-40365 |
| Tier 3 | Routine rollout | Hyper-V / GDI / WiFi Miniport | Other Critical |
| Tier 3 | Routine rollout | Secure Boot | 2023 certificate migration |
Tier 1 reasoning: Netlogon RCE targets the domain controller directly. Even with Exploitability Less Likely, you close it first because the blast radius on success reaches the whole domain. Dynamics 365 on-premises sits at CVSS 9.9 with internal application servers as the natural target.
Tier 2 reasoning: DNS Client RCE has the largest device count, so completing rollout takes time. Start broad deployment in parallel with Tier 1 and aim for end-of-week completion. Office side rides whatever Office update channel is already in motion — confirm it caught up. SharePoint drops a step because of the authentication requirement.
Tier 3 reasoning: The remaining Criticals can go through normal WSUS / Intune deployment.
Detection notes
Without a public exploit, IOC-based detection is limited. But the monitoring vantage points worth lining up before something happens are clear.
Netlogon (CVE-2026-41089) side:
- MS-NRPC traffic to DCs from sources that should never speak Netlogon. The protocol rides RPC, either over the \PIPE\NETLOGON named pipe (SMB, TCP 445) or over TCP through the endpoint mapper (TCP 135 plus a dynamic port). Domain members are the only expected clients; VPN ranges, cross-tenant peers, or direct internet origins reaching those endpoints on a DC are anomalous.
- On a DC, Netlogon runs inside lsass.exe (that is where netlogon.dll is loaded), and lsass.exe has no business spawning children. Any child process of lsass.exe, or a SYSTEM-level process launching executables from paths outside the expected Windows and agent directories, deserves an alert.
- Spikes in Security Event ID 4742 (A computer account was changed), especially when the target is a DC’s own machine account, and in System log NETLOGON Event ID 5805 (session setup from a computer failed to authenticate).
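The two event-log signals above can be turned into something a SIEM rule or a scheduled script checks rather than a thing an analyst eyeballs. The following is an added example for this post, not code from Microsoft or from the original article: it runs over a constructed CSV-style export of 4742 and 5805 records (the column layout, the DC name list, and the 5-minute window, 6-window baseline and 4x threshold are all assumptions for the demo), flags a burst of 5805s against a quiet baseline, and flags any 4742 whose target is a DC’s own machine account, treating ANONYMOUS LOGON as the subject as critical because that is what ZeroLogon exploitation looked like in 2020.

```python
"""Spike and target checks over Netlogon-relevant Windows events.

Added example for this post, not code from Microsoft or the original article.
Input is a constructed CSV-style export of Security Event ID 4742 and
System/NETLOGON Event ID 5805 records; the column layout, the DC list and the
thresholds are assumptions chosen for the demo, not Microsoft guidance.
"""
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

# Constructed sample, columns "timestamp,log,event_id,computer,subject,target".
# A quiet baseline of 5805s and one routine 4742 from a management account,
# then a burst of 5805s naming the DC's own account and a 4742 on DC01$ by
# ANONYMOUS LOGON, the pattern ZeroLogon exploitation left behind in 2020.
SAMPLE_EVENTS = """\
2026-05-14T08:01:00Z,System,5805,DC01,-,WS-017$
2026-05-14T08:07:00Z,System,5805,DC01,-,WS-042$
2026-05-14T08:13:00Z,System,5805,DC01,-,WS-017$
2026-05-14T08:19:00Z,Security,4742,DC01,svc_sccm,WS-042$
2026-05-14T08:25:00Z,System,5805,DC01,-,WS-099$
2026-05-14T08:31:01Z,System,5805,DC01,-,DC01$
2026-05-14T08:31:02Z,System,5805,DC01,-,DC01$
2026-05-14T08:31:03Z,System,5805,DC01,-,DC01$
2026-05-14T08:31:04Z,System,5805,DC01,-,DC01$
2026-05-14T08:31:05Z,System,5805,DC01,-,DC01$
2026-05-14T08:31:06Z,System,5805,DC01,-,DC01$
2026-05-14T08:31:07Z,System,5805,DC01,-,DC01$
2026-05-14T08:31:08Z,System,5805,DC01,-,DC01$
2026-05-14T08:31:09Z,System,5805,DC01,-,DC01$
2026-05-14T08:31:10Z,System,5805,DC01,-,DC01$
2026-05-14T08:31:40Z,Security,4742,DC01,ANONYMOUS LOGON,DC01$
"""

def parse_events(text):
    """Turn the CSV-style export into dicts with a real datetime."""
    events = []
    for line in text.strip().splitlines():
        ts, log, event_id, computer, subject, target = line.split(",")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "log": log, "event_id": int(event_id), "computer": computer,
                       "subject": subject, "target": target})
    return events

def floor_to_window(t, window_minutes):
    """Window start for t; window_minutes must divide 60 (5, 10, 15, ...)."""
    return t.replace(minute=(t.minute // window_minutes) * window_minutes,
                     second=0, microsecond=0)

def window_counts(events, event_id, window_minutes):
    """(window_start, count) for every window from the first to the last match,
    including empty windows, so the baseline sees quiet periods as zeros."""
    times = [e["time"] for e in events if e["event_id"] == event_id]
    if not times:
        return []
    counts = Counter(floor_to_window(t, window_minutes) for t in times)
    series, w = [], floor_to_window(min(times), window_minutes)
    last = floor_to_window(max(times), window_minutes)
    while w <= last:
        series.append((w, counts.get(w, 0)))
        w += timedelta(minutes=window_minutes)
    return series

def find_spikes(events, event_id, window_minutes=5, baseline_windows=6,
                factor=4.0, min_count=5):
    """Windows whose count is at least factor x the median of the preceding
    baseline_windows. min_count keeps a zero baseline from firing on one event."""
    series = window_counts(events, event_id, window_minutes)
    spikes = []
    for i in range(baseline_windows, len(series)):
        baseline = median([c for _, c in series[i - baseline_windows:i]])
        start, count = series[i]
        if count >= min_count and count >= factor * baseline:
            spikes.append((start, count, baseline))
    return spikes

def dc_account_changes(events, dc_names):
    """4742 where the target is a DC's own machine account. Such changes are rare
    and never come from ANONYMOUS LOGON; that combination was the ZeroLogon
    signature and remains the first thing to check on a DC."""
    dc_accounts = {f"{n.upper()}$" for n in dc_names}
    hits = []
    for e in events:
        if e["event_id"] == 4742 and e["target"].upper() in dc_accounts:
            severity = "critical" if e["subject"].upper() == "ANONYMOUS LOGON" else "review"
            hits.append((e["time"], e["target"], e["subject"], severity))
    return hits

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for eid in (5805, 4742):
        for start, count, baseline in find_spikes(evs, eid):
            print(f"spike: {eid} x{count} in window {start:%H:%M} (baseline median {baseline})")
    for when, target, subject, severity in dc_account_changes(evs, ["DC01"]):
        print(f"{severity}: 4742 on {target} by {subject} at {when:%H:%M:%S}")
```

Feed it a real export (for example Get-WinEvent output flattened to the same columns) and tune the window and factor against your own baseline. On a DC, a trickle of 5805s from a few stale machine accounts is normal background; a burst naming the DC’s own account, or a 4742 on that account from an anonymous subject, is not.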
DNS Client (CVE-2026-41096) side:
- Unusually large TXT, SRV, or NAPTR responses, especially UDP/53 responses arriving at internal endpoints straight from outside rather than from your own resolvers. Legitimate TXT records (SPF, DKIM) can run to several hundred bytes, so set the threshold from your own baseline rather than a fixed number.
- Crashes of the svchost.exe instance hosting the Dnscache (DNS Client) service, which surface in the Application log as Event ID 1000 with dnsapi.dll as the faulting module, or unexpected child processes of that svchost.exe. Note that dnsapi.dll is loaded by nearly every process that resolves names, so “process loading dnsapi.dll” on its own is not a useful filter; anchor on the Dnscache host process.
- Endpoint DNS settings pointing to a resolver you didn’t deploy (compare Get-DnsClientServerAddress output against the expected set).
In environments aggregating Sysmon Event ID 22 (DNS query), shifts in query-density to external suspicious domains from a specific endpoint can serve as an early signal.
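The first DNS bullet, oversized TXT/SRV/NAPTR responses, is a check you can run on captured traffic instead of waiting for a signature. The block below is an added example for this post, not code from Microsoft or from the original article, and not a PoC for CVE-2026-41096: it parses RFC 1035 wire format (header, question and answer sections, name compression), refuses packets whose length fields disagree with the packet, and reports watched record types whose rdata exceeds a limit. The sample responses are constructed in the block with a small builder, and the 512-byte rdata and 4096-byte total limits are assumptions to tune, not Microsoft numbers.

```python
"""Oversized TXT/SRV/NAPTR answer check on raw DNS responses.

Added example for this post, not code from Microsoft or the original article.
Parses RFC 1035 wire format (with name compression), rejects malformed packets,
and flags watched record types whose rdata exceeds a limit. Sample responses are
built below; the 512/4096-byte limits are assumptions to tune, not Microsoft's.
"""
import struct

TYPE_NAMES = {1: "A", 16: "TXT", 33: "SRV", 35: "NAPTR"}
WATCHED = {"TXT", "SRV", "NAPTR"}

class DnsParseError(ValueError):
    pass

def read_name(pkt, off):
    """Return (name, offset after the name). A compression pointer must point
    backwards (RFC 1035 4.1.4); a forward or self pointer is a loop, so reject it."""
    labels = []
    while True:
        if off >= len(pkt):
            raise DnsParseError("name runs past end of packet")
        length = pkt[off]
        if length & 0xC0 == 0xC0:                      # 11xxxxxx: pointer
            if off + 2 > len(pkt):
                raise DnsParseError("truncated pointer")
            ptr = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            if ptr >= off:
                raise DnsParseError("forward/self compression pointer")
            tail, _ = read_name(pkt, ptr)              # terminates: ptr < off
            return ".".join(x for x in labels + [tail] if x), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        if off + length > len(pkt):
            raise DnsParseError("label runs past end of packet")
        labels.append(pkt[off:off + length].decode("ascii", "replace"))
        off += length

def parse_response(pkt):
    """Header, question and answer sections; every length field is checked
    against the packet before it is used."""
    if len(pkt) < 12:
        raise DnsParseError("short header")
    txid, flags, qd, an, _ns, _ar = struct.unpack_from("!6H", pkt, 0)
    if not flags & 0x8000:
        raise DnsParseError("QR bit clear: not a response")
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = read_name(pkt, off)
        if off + 4 > len(pkt):
            raise DnsParseError("truncated question")
        questions.append(name)
        off += 4                                       # qtype + qclass
    for _ in range(an):
        name, off = read_name(pkt, off)
        if off + 10 > len(pkt):
            raise DnsParseError("truncated RR header")
        rtype, _cls, _ttl, rdlength = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if off + rdlength > len(pkt):                  # length field vs. packet
            raise DnsParseError("rdlength exceeds packet")
        answers.append((name, TYPE_NAMES.get(rtype, str(rtype)), rdlength))
        off += rdlength
    return {"id": txid, "questions": questions, "answers": answers, "size": len(pkt)}

def oversized_answers(pkt, rdata_limit=512, total_limit=4096):
    """Findings as (kind, detail). A malformed packet is a finding in its own right."""
    try:
        resp = parse_response(pkt)
    except DnsParseError as exc:
        return [("malformed", str(exc))]
    findings = [("oversized_rdata", f"{rtype} {name} rdlength={rdlength}")
                for name, rtype, rdlength in resp["answers"]
                if rtype in WATCHED and rdlength > rdata_limit]
    if resp["size"] > total_limit:
        findings.append(("oversized_response", f"{resp['size']} bytes"))
    return findings

# Constructed samples (not captured traffic). Each answer name is the pointer
# 0xC00C back to the question name, so the compression path is exercised too.
def encode_name(name):
    return b"".join(bytes([len(x)]) + x.encode() for x in name.split(".")) + b"\x00"

def txt_rdata(text):
    """TXT rdata is a run of <length><chars> strings of at most 255 bytes each."""
    data = text.encode()
    return b"".join(bytes([len(c)]) + c for c in (data[i:i + 255] for i in range(0, len(data), 255)))

def build_response(qname, qtype, rrs, txid=0x1234):
    pkt = struct.pack("!6H", txid, 0x8180, 1, len(rrs), 0, 0)   # QR=1, RD, RA
    pkt += encode_name(qname) + struct.pack("!HH", qtype, 1)
    for rtype, rdata in rrs:
        pkt += b"\xC0\x0C" + struct.pack("!HHIH", rtype, 1, 300, len(rdata)) + rdata
    return pkt

BENIGN = build_response("example.com", 1, [(1, bytes([93, 184, 216, 34]))])
BIG_TXT = build_response("example.com", 16, [(16, txt_rdata("v=spf1 " + "A" * 1493))])
TRUNCATED = BIG_TXT[:-100]                           # rdlength says 1506, packet is short
LOOP = struct.pack("!6H", 1, 0x8180, 1, 0, 0, 0) + b"\xC0\x0C"   # name points at itself

if __name__ == "__main__":
    for label, pkt in [("benign", BENIGN), ("big_txt", BIG_TXT), ("truncated", TRUNCATED), ("loop", LOOP)]:
        print(f"{label:9s} {oversized_answers(pkt)}")
```

Point it at UDP/53 payloads from a pcap, or at a resolver log that keeps raw responses, and treat the malformed findings as seriously as the oversized ones: a response rejected because rdlength runs past the packet, or because a name pointer points at itself, is exactly the shape of input a memory-unsafe parser would not have refused.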
Secure Boot certificate expiration
This month’s update window includes a non-CVE item that sits separately from vulnerability response: the Secure Boot certificate refresh.
The 2011-generation Secure Boot certificates start expiring in June 2026, and the migration to the 2023 certificates is documented in Microsoft Learn. Concretely, Microsoft Corporation KEK CA 2011 and Microsoft Corporation UEFI CA 2011 expire in June 2026 and Microsoft Windows Production PCA 2011 in October 2026; their replacements are Microsoft Corporation KEK 2K CA 2023, Microsoft UEFI CA 2023 (together with Microsoft Option ROM UEFI CA 2023) and Windows UEFI CA 2023.
Devices that never receive the new certificates still boot and still receive regular Windows Updates. What they stop receiving is new protection updates for Windows Boot Manager, the Secure Boot signature database (db), the revocation list (dbx), and other pre-boot components. The impact isn’t “the device stops booting”; it’s “future boot-level protections don’t reach this device.”
The urgency is lower than CVE patching, but when the next generation of UEFI bootkit malware lands, devices left unmigrated won’t see the defensive update. Slot it into the same patch-window cadence as the rest of this release, and verify rather than assume: on a migrated device, the Bytes returned by Get-SecureBootUEFI -Name db contain the 2023 CA names, and a fleet-wide query for that string is a cheap way to find the stragglers.
References
- The Hacker News: Microsoft Patches 138 Vulnerabilities, Including DNS and Netlogon RCE Flaws
- SOCRadar: May 2026 Patch Tuesday: 137 Vulnerabilities, No Zero-Days
- Qualys: Microsoft and Adobe Patch Tuesday, May 2026 Security Update Review
- Talos: Microsoft Patch Tuesday for May 2026 — Snort rules and prominent vulnerabilities
- MSRC: May 2026 Security Updates
- MSRC: A note on this month’s Patch Tuesday
Related posts:
- NIST NVD’s risk-based CVE enrichment and triage shift: why count-based prioritization misreads the volume
- Four ways to authenticate to Entra ID without a sign-in log: Entra-side log issues — orthogonal to this month’s Jira/Confluence Plugin CVE