PATCH TUESDAY · MAY 2026
Microsoft dropped a brutal May cycle: unauthenticated RCE in both Windows DNS and Netlogon, each scoring CVSS 9.8. If you manage domain controllers, those two are your top priority tonight. Beyond the Microsoft pile, Fortinet has a 9.8 on FortiSandbox, and there are 17 more across Hyper-V, Azure, Dynamics, and third-party libraries worth reading through before you plan your weekend.
CVE-2026-6664 | CVSS 7.5 | EPSS 0.04% | HIGH

An integer overflow in PgBouncer's network packet parser lets a remote attacker send a crafted packet that could crash the connection pooler or potentially corrupt memory. PgBouncer typically sits in front of PostgreSQL and handles every client connection, so a crash here takes your database offline for every app behind it.
Affects: Anyone running PgBouncer 1.25.1-1 on Azure Linux 3.0
Action: Patch this week. Update the azl3 pgbouncer package to the latest patched version via tdnf or your Azure Linux update channel.
References: NVD, MSRC

CVE-2026-43249 | CVSS 8.8 | EPSS 0.02% | HIGH

A race condition in the Xen 9pfs frontend driver lets a local attacker with access to a Xen guest trigger a use-after-free by calling the cleanup function concurrently. This can lead to privilege escalation or a guest-to-host escape on Xen-based virtualization setups. If you're not running Xen paravirtualized guests with 9pfs shares, you're not exposed.
Affects: Anyone running Azure Linux 3.0 kernel 6.6.138.1-1 on Xen-based hypervisors with 9pfs enabled
Action: Patch this week. Update the azl3 kernel package to the latest patched version and reboot the affected hosts.
References: NVD, MSRC

CVE-2026-42151 | CVSS 7.5 | EPSS 0.01% | HIGH

Prometheus exposes Azure AD OAuth client secrets through its configuration API. Anyone who can query that API endpoint can grab the secret and use it to authenticate as the Prometheus service account against Azure AD. If your Prometheus config API is reachable by untrusted users or exposed to the network, treat the affected client secrets as compromised.
Affects: Anyone running Telegraf 1.31.0-19 on Azure Linux 3.0 or Prometheus 2.37.9-7 on CBL Mariner 2.0 with Azure AD remote write configured
Action: Patch this week. Update the affected telegraf or prometheus packages, then rotate any Azure AD client secrets that were configured for remote write.
References: NVD, MSRC

CVE-2026-8177 | CVSS 7.5 | EPSS 0.02% | HIGH

XML::LibXML for Perl reads beyond allocated heap memory when it encounters XML node names with truncated UTF-8 sequences. An attacker who can feed crafted XML to a Perl application using this library could crash the process or potentially leak heap contents. This matters if you have any Perl services or scripts parsing untrusted XML input.
Affects: Anyone running perl-XML-LibXML 2.0209-2 on Azure Linux 3.0, especially if Perl apps parse untrusted XML
Action: Patch this week. Update the perl-XML-LibXML package via `tdnf update perl-XML-LibXML` on affected Azure Linux hosts.
References: NVD, MSRC

CVE-2026-39820 | CVSS 7.5 | EPSS 0.04% | HIGH

Go's net/mail package has a quadratic blowup when parsing comments in email headers. An attacker can send a crafted email header that causes the parser to burn CPU for a very long time, effectively denying service to any Go application that parses mail. This affects Go itself plus anything built with it, including GCC's Go toolchain on the affected systems.
Affects: Anyone running Go 1.25.9-1 or 1.26.2-1 on Azure Linux 3.0, or any Go-based services that parse email headers on those systems
Action: Patch this week. Update the golang packages via `tdnf update golang` on affected Azure Linux 3.0 hosts, and rebuild any Go binaries that use net/mail.
References: NVD, MSRC

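As an added defensive example (not code from this digest or from the Go project), the wrapper below bounds how many header bytes a Go service hands to net/mail, so a parser whose cost grows faster than linearly with a crafted header cannot be fed unbounded input while you wait for the rebuild; the 64 KiB cap and the sample messages are constructed for illustration.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/mail"
	"strings"
)

// maxHeaderBytes is an assumed cap for this example; set it to the largest
// header block your service legitimately receives.
const maxHeaderBytes = 64 * 1024

var errHeaderTooLarge = errors.New("mail header block exceeds size cap")

// parseWithCap hands net/mail only a bounded header block: a parser whose cost
// grows super-linearly with header length stays cheap when its input is small,
// so oversized or unterminated headers are rejected before parsing. The body
// is not buffered and still reaches the caller through m.Body.
func parseWithCap(r io.Reader, limit int64) (*mail.Message, error) {
	// Read at most limit+1 bytes so "more than limit" is detectable.
	head, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	// The header block must end with a blank line inside the cap.
	if !bytes.Contains(head, []byte("\r\n\r\n")) && !bytes.Contains(head, []byte("\n\n")) {
		return nil, errHeaderTooLarge
	}
	// Reassemble: buffered bytes first, then whatever is still unread in r.
	return mail.ReadMessage(io.MultiReader(bytes.NewReader(head), r))
}

func main() {
	// Constructed samples: a normal message and one with a huge comment-laden header.
	ok := "From: Alice <alice@example.com>\r\nSubject: hi\r\n\r\nhello"
	bad := "From: " + strings.Repeat("(", 100000) + "\r\n\r\nx"
	for _, s := range []string{ok, bad} {
		m, err := parseWithCap(strings.NewReader(s), maxHeaderBytes)
		if err != nil {
			fmt.Println("rejected:", err) // bad is refused before net/mail sees it
			continue
		}
		if addr, err := mail.ParseAddress(m.Header.Get("From")); err == nil {
			fmt.Println("accepted from", addr.Address)
		}
	}
}
```

The cap limits exposure but does not remove the bug: rebuild with the patched Go once `tdnf update golang` lands.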
CVE-2026-40357 | CVSS 8.8 | HIGH

SharePoint deserializes untrusted data, letting an authenticated attacker execute arbitrary code on the server over the network. Any user with legitimate SharePoint access can trigger this. If you run on-prem SharePoint, this is a serious RCE that only requires a low-privilege account to pull off.
Affects: Anyone running on-prem Microsoft SharePoint Server
Action: Patch within 24 hours. Apply the latest SharePoint security update from Microsoft's July 2026 Patch Tuesday release via Windows Update or WSUS.
References: NVD

CVE-2026-42898 | CVSS 9.9 | CRITICAL

An authenticated attacker can inject and execute arbitrary code on your Dynamics 365 on-prem server over the network. At CVSS 9.9, this is about as bad as it gets for a post-auth bug: one compromised low-privilege account could mean full server takeover. No reports of in-the-wild exploitation yet, but the attack surface is wide for anyone running on-prem Dynamics.
Affects: Anyone running Microsoft Dynamics 365 on-premises
Action: Patch immediately. Apply the latest Dynamics 365 on-premises cumulative update from Microsoft as soon as it's available.
References: NVD

CVE-2026-42823 | CVSS 9.9 | CRITICAL

An authenticated user in Azure Logic Apps can exploit broken access controls to escalate their privileges over the network. CVSS 9.9 signals near-total impact. If an attacker already has a foothold in your Azure tenant, they could use this to gain control well beyond their assigned role.
Affects: Teams running Azure Logic Apps in any Azure subscription
Action: Patch immediately. Check the Azure portal for service-managed updates to Logic Apps, and confirm the fix is applied in your tenant. If you run Logic Apps in an ISE (Integration Service Environment), verify the patch is deployed there too.
References: NVD

CVE-2026-41096 | CVSS 9.8 | CRITICAL

An unauthenticated attacker can trigger a heap-based buffer overflow in the Windows DNS service and execute code remotely. No credentials needed, no user interaction. CVSS 9.8. If your DNS servers face the network (and they do), this is a top-priority patch.
Affects: Windows sysadmins running the Windows DNS Server role on any supported Windows Server version
Action: Patch immediately. Apply the relevant cumulative update for your Windows Server version via Windows Update or WSUS tonight.
References: NVD

CVE-2026-41089 | CVSS 9.8 | CRITICAL

An unauthenticated attacker can exploit a stack-based buffer overflow in the Windows Netlogon service to run code remotely. CVSS 9.8 with no auth required. If you remember the Zerologon era, you know how critical Netlogon bugs are: domain controllers are the primary target here.
Affects: Windows sysadmins running Active Directory domain controllers on any supported Windows Server version
Action: Patch immediately. Patch all domain controllers first. Apply the latest cumulative update via WSUS or Windows Update, then restart and verify replication health.
References: NVD

CVE-2026-40402 | CVSS 9.3 | CRITICAL

A use-after-free bug in Windows Hyper-V lets an unauthenticated local attacker escalate privileges. CVSS 9.3 is unusually high for a local bug, which likely means a guest-to-host escape. If you run Hyper-V, a compromised VM could break out and own the host.
Affects: Anyone running Windows Hyper-V hosts, including Azure Stack HCI and Windows Server virtualization environments
Action: Patch immediately. Apply the latest cumulative update to all Hyper-V hosts and schedule a maintenance reboot as soon as possible.
References: NVD

CVE-2026-40379 | CVSS 9.3 | CRITICAL

Azure Entra ID (formerly Azure AD) leaks sensitive information to unauthenticated attackers, enabling spoofing over the network. CVSS 9.3. The practical risk: an attacker could impersonate identities or forge tokens in your tenant. This is an identity-plane bug, which makes it dangerous even if your apps are otherwise well-configured.
Affects: Every Azure tenant using Entra ID (which is effectively everyone on Microsoft 365 and Azure)
Action: Patch immediately. Check the Azure Service Health dashboard and Microsoft's advisory for tenant-side mitigations or configuration changes. If Microsoft has issued a service-side fix, confirm it's active in your tenant.
References: NVD

CVE-2026-42833 | CVSS 9.1 | CRITICAL

An authenticated attacker can exploit excessive privileges in Dynamics 365 on-premises to execute code over the network. CVSS 9.1. This is the second critical Dynamics 365 on-prem code execution bug this cycle. A user who should only have read access could run code on your server.
Affects: Anyone running Microsoft Dynamics 365 on-premises
Action: Patch immediately. Apply the latest Dynamics 365 on-premises cumulative update. If you're already patching for CVE-2026-42898, confirm this CVE is also covered by the same update.
References: NVD

CVE-2026-41103 | CVSS 9.1 | CRITICAL

The Microsoft SSO Plugin for Jira and Confluence has a broken authentication implementation that lets an unauthenticated attacker escalate privileges remotely. CVSS 9.1. If you use this plugin to federate Atlassian logins through Microsoft, an attacker could bypass auth entirely and gain elevated access to your Jira or Confluence instance.
Affects: Teams using the Microsoft SSO Plugin for Atlassian Jira or Confluence (on-premises or Data Center)
Action: Patch immediately. Update the Microsoft SSO Plugin for Jira and Confluence to the latest version from the Atlassian Marketplace or Microsoft's advisory.
References: NVD

CVE-2026-33117 | CVSS 9.1 | CRITICAL

A broken authentication mechanism in the Azure SDK lets an unauthenticated attacker bypass security features over the network. CVSS 9.1. If your applications use the Azure SDK for auth, an attacker could potentially skip authentication checks entirely. The blast radius depends on what your app protects, but the SDK is everywhere.
Affects: Developers and DevOps teams running applications that use the Azure SDK for authentication
Action: Patch within 24 hours. Update all Azure SDK packages in your applications to the latest fixed versions. Check your dependency manifests (NuGet, pip, npm) and rebuild/redeploy affected services.
References: NVD

CVE-2026-41613 | CVSS 8.8 | HIGH

A session fixation bug in Visual Studio Code lets an unauthenticated attacker escalate privileges over the network. CVSS 8.8. Practically, an attacker could fix a session token and trick a developer into using it, then hijack their VS Code session. This likely requires some social engineering or network positioning to pull off.
Affects: Developers using Visual Studio Code
Action: Patch this week. Update VS Code to the latest version. On most installs, this happens automatically: go to Help > Check for Updates to confirm.
References: NVD