MICROSOFT on Tuesday patched 138 security vulnerabilities across its product portfolio, with 30 rated Critical, 104 Important, three Moderate and one Low. Of these, 61 are privilege escalation bugs and 32 are remote code execution flaws, including CVE-2026-41096, a CVSS 9.8 heap-based DNS overflow that could allow an unauthenticated attacker to run code over a network.
The update also covers several high-severity flaws in Azure, Windows Netlogon, Dynamics 365 and other components, and Microsoft notes that one vulnerability involved AMD’s CVE-2025-54518, linked to Zen 2 CPU resource isolation. Also highlighted are two notable fixes in Azure Logic Apps and Azure Entra ID, for flaws that each enable privilege or information disclosure under certain conditions, and a Windows Hyper-V use-after-free tracked under another CVE.
According to Satnam Narang, senior staff research engineer at Tenable, Microsoft has already patched over 500 CVEs five months into the year, reflecting AI-assisted vulnerability discovery and a broader industry trend highlighted by Microsoft’s MDASH approach. Microsoft additionally urges organisations to rotate to updated Secure Boot certificates ahead of the 26 June 2026 deadline to avoid boot-level security failures, and to maintain patching cadence by prioritising exposure and impact.