Microsoft Patch Tuesday: AI-Driven Bug Hunting Uncovers 137 New Vulnerabilities
Microsoft released security updates for 137 Common Vulnerabilities and Exposures (CVEs) on May 12, 2026. While the company reported that none of these flaws were known to have been targeted by attackers, the release included 30 vulnerabilities rated as critical, with 14 of those earning a Common Vulnerability Scoring System (CVSS) severity rating of 9.0 or higher.
The volume of vulnerabilities in the May 12 release highlights a shift in how software defects are being identified. Microsoft confirmed it is using artificial intelligence to uncover bugs, specifically through a system codenamed MDASH. This AI-driven bug-hunting tool was responsible for finding 16 of the vulnerabilities addressed in the May 2026 update.
Microsoft announced that MDASH is being made available to a limited number of customers in private preview, placing it alongside other industry tools such as Project Glasswing and Anthropic’s Mythos.
“This month’s release sits on the larger side of a hotpatch month, and we expect releases to continue trending larger for some time,” said Tom Gallagher, VP of engineering at Microsoft Security Response Center.
High-Severity Remote Code Execution Risks
Among the most severe flaws addressed is CVE-2026-41096, a critical vulnerability in the Windows DNS Client with a CVSS rating of 9.8. The flaw is a heap-based buffer overflow that could allow remote code execution (RCE). Exploitation requires no authentication or user interaction: an attacker can trigger the vulnerability by sending a specially crafted DNS response to a vulnerable system, potentially leading to memory corruption.

“Since the DNS Client runs on virtually every Windows machine, the attack surface is enormous,” said Dustin Childs of the Zero Day Initiative. “An attacker with a position to influence DNS responses (MitM, rogue server) could achieve unauthenticated RCE across your enterprise.”
Jack Bicer, vulnerability research director at Action1, emphasized that this CVE requires immediate attention, noting that successful exploitation could result in operational disruption across corporate networks, credential harvesting, and the deployment of ransomware.
Another significant vulnerability, CVE-2026-42898, affects on-premises systems running Microsoft Dynamics 365. This flaw received a CVSS rating of 9.9 and also allows for remote code execution. In this case, any authenticated user can trigger the vulnerability without needing administrative or elevated privileges.
According to Microsoft, an attacker with the necessary permissions could modify the saved state of a process session in Dynamics CRM, causing the system to process that data and unintentionally execute malicious code. This vulnerability is particularly risky because it allows for a scope change, meaning the impact can extend beyond the vulnerable component to other systems.
“Scope changes are pretty rare, so if you’re running Dynamics 365 On-Prem, definitely test and deploy this patch quickly,” said Dustin Childs of the Zero Day Initiative.
Wormable Flaws and Mitigated Risks
The May 12 update also addresses CVE-2026-41089, a stack-based buffer overflow in Windows Netlogon with a CVSS rating of 9.8. This vulnerability allows an unauthenticated remote attacker to execute code on vulnerable machines by sending a specially crafted network request to a Windows server acting as a domain controller.

Because the flaw can be exploited without credentials or user interaction, it is considered wormable. This makes it a high-priority target for administrators, as the compromise of a domain controller typically results in the compromise of the entire domain.
“Here’s the highest-impact bug that requires immediate patching: a compromised domain controller is a compromised domain,” said Dustin Childs of the Zero Day Initiative.
Amid the high volume of critical bugs, one vulnerability stood out with a perfect 10.0 CVSS rating: CVE-2026-42826, an information disclosure vulnerability within the Azure DevOps toolchain. However, Microsoft stated that it has already fully mitigated the flaw on its side, so users of the service do not need to take any action.
Microsoft indicated that the disclosure of CVE-2026-42826 was intended to provide transparency regarding the vulnerability, even though it no longer poses a risk to users.
