ctipilot.ch

Windows DNS Client heap-buffer overflow — RCE via malicious DNS response (CVSS 9.8)

cve · CVE-2026-41096

Coverage timeline: 2 (first 2026-05-13 → last 2026-05-13)
Briefs: 1 (1 distinct)
Sources cited: 65 (38 hosts)
Sections touched: 2 (action_items, trending_vulns)
Co-occurring entities: 5 (see Related entities below)

Story timeline

  1. 2026-05-13 · CTI Daily Brief — 2026-05-13
     trending_vulns: May 2026 Patch Tuesday; MDASH-discovered.
  2. 2026-05-13 · CTI Daily Brief — 2026-05-13
     action_items: Action item referencing in-brief detail.

Where this entity is cited

  • trending_vulns: 1
  • action_items: 1

Source distribution

  • attack.mitre.org: 13 (20%)
  • helpnetsecurity.com: 5 (8%)
  • nvd.nist.gov: 3 (5%)
  • theregister.com: 3 (5%)
  • access.redhat.com: 2 (3%)
  • bleepingcomputer.com: 2 (3%)
  • kaspersky.com: 2 (3%)
  • malwarebytes.com: 2 (3%)
  • other: 33 (51%)

Related entities

External references

NVD · cve.org · CISA KEV

All cited sources (65)

Items in briefs about Windows DNS Client heap-buffer overflow — RCE via malicious DNS response (CVSS 9.8) (1)

CVE-2026-41089 / CVE-2026-41096 / CVE-2026-41103 / CVE-2026-42898 — Microsoft May 2026 Patch Tuesday (120+ CVEs, no zero-days)

From CTI Daily Brief — 2026-05-13 · published 2026-05-13

Microsoft shipped roughly 120 CVE fixes in the May 2026 cumulative updates (source counts vary 118–138 depending on whether developer-tools and Azure-only items are included); ZDI counts ~30 Critical, none under active exploitation at release (Tenable, 2026-05-12; Krebs on Security, 2026-05-12; ZDI, 2026-05-12).

CVE-2026-41089 (Windows Netlogon, CVSS 9.8, CWE-121 stack buffer overflow): unauthenticated remote attacker over the network reaches the domain-controller Netlogon RPC endpoint; Microsoft marks "Exploitation Less Likely" but ZDI flags the pattern as wormable-candidate.

CVE-2026-41096 (Windows DNS Client, CVSS 9.8, CWE-122 heap overflow in dnsapi.dll): a crafted DNS response from a MitM or rogue resolver yields code execution as NetworkService on every Windows host; defender exposure is anywhere a host might receive an attacker-influenced DNS reply.

CVE-2026-41103 (Microsoft SSO Plugin for Jira/Confluence, CVSS 9.1, "Exploitation More Likely"): unauthenticated attacker forges an Entra ID credential to sign in to self-managed Atlassian; affects public-sector DevSecOps stacks using Microsoft's Entra-ID auth plugin.

CVE-2026-42898 (Dynamics 365 On-Premises, CVSS 9.9): authenticated code injection with scope change — a rare privilege-boundary violation in this product family.

Four Microsoft Word RCEs (CVE-2026-40361 / CVE-2026-40364 / CVE-2026-40366 / CVE-2026-40367, CVSS 8.4 each) have the Preview Pane as an attack vector and two are rated "Exploitation More Likely".

MITRE ATT&CK mappings: T1210 Exploitation of Remote Services (Netlogon), T1071.004 Application Layer Protocol: DNS (DNS Client), T1078.004 Cloud Accounts (Entra forgery).
Detection concepts: monitor Netlogon authentication-pattern anomalies (4624 Logon Type 3 to DCs from unexpected internal sources, paired with 4769 ticket-request anomalies); alert on outbound DNS to non-corporate resolvers from DC and member hosts; audit Atlassian SSO plugin version inventory; disable Outlook Preview Pane as an interim mitigation for Word RCEs. Hardening: prioritise DCs first (Netlogon is on the DC boundary); inventory dnsapi.dll patch state across the fleet; inventory self-managed Atlassian deployments and apply the SSO plugin update before the next work week.
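As an added example (not part of the brief or of any cited source), the "outbound DNS to non-corporate resolvers" detection concept above, run over constructed flow-log lines in Python; DC sources are rated higher because the brief prioritises the DC boundary. The resolver allowlist, DC inventory, log line format and the inclusion of port 853 are all assumptions.

```python
import ipaddress
from collections import Counter

# Constructed assumptions: corporate resolver allowlist and DC inventory.
CORP_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
DOMAIN_CONTROLLERS = {"10.0.0.10", "10.0.0.11"}
DNS_PORTS = {53, 853}  # 853 (DNS over TLS) is included as an assumption

# Constructed sample flow-log lines: timestamp src_ip src_port dst_ip dst_port proto
SAMPLE_FLOWS = """\
2026-05-13T08:00:01Z 10.0.0.10 50123 10.0.0.53 53 udp
2026-05-13T08:00:02Z 10.0.5.21 50321 10.0.1.53 53 udp
2026-05-13T08:00:03Z 10.0.5.21 50322 203.0.113.7 53 udp
2026-05-13T08:00:04Z 10.0.0.11 50400 198.51.100.9 53 tcp
2026-05-13T08:00:05Z 10.0.5.22 50500 10.0.0.53 443 tcp
2026-05-13T08:00:06Z 10.0.5.22 50501 8.8.8.8 853 tcp
malformed line to be skipped
"""

def parse_flow(line):
    """Return (ts, src, dst, dport, proto), or None if the line does not parse."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, _sport, dst, dport, proto = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return ts, src, dst, int(dport), proto.lower()
    except ValueError:
        return None

def find_rogue_dns(log_text, resolvers=CORP_RESOLVERS, dcs=DOMAIN_CONTROLLERS):
    """One alert per DNS flow to a non-approved resolver; DC sources rate 'high'."""
    alerts = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue  # malformed log line, skipped rather than crashing the job
        ts, src, dst, dport, proto = flow
        if dport not in DNS_PORTS or dst in resolvers:
            continue  # not DNS, or going to an approved corporate resolver
        alerts.append({"ts": ts, "src": src, "dst": dst, "port": dport,
                       "proto": proto, "severity": "high" if src in dcs else "medium"})
    return alerts

if __name__ == "__main__":
    for a in find_rogue_dns(SAMPLE_FLOWS):
        print(f"{a['severity']:6} {a['ts']} {a['src']} -> {a['dst']}:{a['port']}/{a['proto']}")
```

On the sample above the two flows to the corporate resolvers and the port-443 flow are ignored; the three remaining flows are alerted, with the DC's query to 198.51.100.9 rated high.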