Patch Tuesday Microsoft: Critical DNS client vulnerability threatens Windows

Security vulnerabilities classified as “critical” by Microsoft affect Azure, M365, Office, SharePoint, Windows, and Word, among others. In many cases, attackers can push malicious code onto computers, thus completely compromising systems.

Admins should ensure that the Windows Update function is active and systems are up-to-date. Otherwise, PCs are vulnerable. So far, there are no reports of attackers exploiting vulnerabilities.

Critical Vulnerabilities

The most alarming is a “critical” vulnerability (CVE-2026-42826) with the highest possible CVSS Score of 10 out of 10 in Azure DevOps. At this point, attackers can access protected information in an unspecified way. Microsoft states that the vulnerability has been patched server-side. Therefore, admins do not need to take any action here.

Further “critical” vulnerabilities impact Azure Managed Instance for Apache Cassandra (CVE-2026-33109), Microsoft Dynamics 365 On-Premises (CVE-2026-41096), and the DNS client in Windows (CVE-2026-41096), among others. In the latter case, remote attackers can trigger memory errors via a crafted DNS request without authentication, allowing malicious code to reach computers. Various Windows 11 and Server editions are impacted.

Detecting Security Vulnerabilities

On this Patch Tuesday, Microsoft has resolved a total of nearly 140 security issues. In a post, the company states that a large portion of the vulnerabilities were discovered with the help of several AI agents.

Further information on the vulnerabilities and affected software can be found in Microsoft's Security Update Guide.

(des)