Patch Tuesday is here, whether you’re ready for it or not. Many of us are still recovering from last month’s CVE avalanche. If you missed out on the fun, last month Microsoft released 163 CVEs, which is well above average. The working theory is that Claude Mythos and Project Glasswing contributed to the considerable influx of reported vulnerabilities. While this is just a theory for now, today’s release could give us a glimpse at what’s to come.
Severity
Total exploits patched: 118
Critical patches: 16
Important: 102
Moderate: 0
Low: 0
Vulnerability impact
Remote code execution: 29
Elevation of privilege: 57
Information disclosure: 9
Spoofing: 7
Tampering: 2
Denial of service: 8
Feature bypass: 6
Availability
Publicly disclosed: 0 (hooray!)
Actively exploited: 0 (yippie!)
Some highlights (or lowlights)
CVE-2026-42898: Kicking things off with our highest rated CVE of the month, coming in at a 9.9. This remote code execution vulnerability targets Microsoft Dynamics 365 On-Premises, so if you're still running Dynamics on your own hardware rather than in the cloud, this one's for you. No active exploitation in the wild yet, but a 9.9 RCE is not something you want to leave sitting in your backlog.
CVE-2026-42823: Our second 9.9 this month is an elevation of privilege vulnerability in Azure Logic Apps. If you use Logic Apps to automate your workflows, an attacker exploiting this could elevate their privileges in ways that would make your automated processes significantly less yours. Interestingly, Microsoft only rated this one Important rather than Critical, which feels a little generous given the score. But maybe it’s because it’s an elevation of privilege exploit and not an RCE. Microsoft said it would notify impacted customers, so if you receive an Azure Service Health notification, congrats, you’ve got some work to do.
CVE-2026-41089: Coming in at a 9.8 is this Windows Netlogon remote code execution vulnerability. Netlogon is the service responsible for authenticating users and machines in a domain environment, so needless to say, an RCE here is gonna be a bad time. Network attack vector, no authentication required, no user interaction needed. The full trifecta of things you don't want to see on a CVE disclosure. Luckily, no active exploitation yet, but don't wait around for that to change.
CVE-2026-41096: And finally, also checking in at a 9.8 is a remote code execution vulnerability targeting the Windows DNS Client. If Netlogon being vulnerable made you nervous, the DNS Client being vulnerable should have you reaching for your energy drink. Much like CVE-2026-41089, this one requires no authentication and no user interaction, and the attack vector is network. Two core Windows networking components with near-perfect CVSS scores in the same release is a rough Tuesday by any measure.
Additional notes
Here are a few additional takeaways for this Patch Tuesday release.
Microsoft Office had a rough month, picking up seven critical RCE CVEs across Office and Word (CVE-2026-40358, 40361, 40363, 40364, 40366, 40367, 42831), all rated between 7.8 and 8.4. Office just can't catch a break. If your organization runs Office (let’s be real, it does), prioritize this cluster.
SharePoint Server accumulated six RCE vulnerabilities this month (CVE-2026-33110, 33112, 35439, 40357, 40365, 40403), all rated 8.8. On-prem SharePoint admins have had a difficult few months, and this one doesn't let up.
Windows Hyper-V (CVE-2026-40402) came in at a 9.3 Critical elevation of privilege. If you ditched VMware for Hyper-V, just think of all the money you saved. It’ll help as you get this patched.
Wrapping up
This one is tough to call. At 118 CVEs, it's a step down from last month's 163 but still probably above average. We'll have to wait and see if Project Glasswing is really impacting Microsoft's release volume. Or, better yet, automate your Windows patch deployments with PDQ Connect, grab some tacos, and watch everyone else worry about what may or may not happen in the future.
