Patch Tuesday May 2026: DNS and Netlogon RCEs hit 9.8, Hyper-V guest escape, plus 2 Dynamics 9.9s

An integer overflow in PgBouncer's network packet parser lets a remote attacker send a crafted packet that could crash the connection pooler or potentially corrupt memory. PgBouncer typically sits in front of PostgreSQL and handles every client connection, so a crash here takes your database offline for every app behind it.

Included because

network-reachable; common database infrastructure component; no authentication required to reach the parser

Affected estate

PgBouncer 1.25.1-1 on Azure Linux 3.0

How to check

Run `pgbouncer --version` or `tdnf list installed pgbouncer` on your Azure Linux hosts.

Action

Update PgBouncer via `tdnf update pgbouncer` and restart the service.

Urgency

Patch this week

Why it matters

A crash in PgBouncer drops all pooled database connections, causing an outage for every application using that pooler.

Source

Azure Linux CVE tracker

A race condition in the Xen 9pfs frontend driver lets a local attacker with access to a Xen guest trigger a use-after-free by calling the cleanup function concurrently. This can lead to privilege escalation or a guest-to-host escape on Xen-based virtualization setups. If you're not running Xen paravirtualized guests with 9pfs shares, you're not exposed.

Included because

high CVSS 8.8; local privilege escalation or guest escape; Xen virtualization environments

Affected estate

Azure Linux 3.0 systems running kernel 6.6.138.1-1 with Xen 9pfs frontend in use

How to check

Run `uname -r` to check the kernel version and `lsmod | grep 9pfs` to see if the Xen 9pfs module is loaded.

Action

Update the kernel via `tdnf update kernel` and schedule a reboot.

Urgency

Patch this week

Why it matters

A use-after-free in a hypervisor-facing driver can lead to guest escape, compromising the host and all other guests.

Source

Azure Linux CVE tracker

An unauthenticated attacker can execute arbitrary code on FortiSandbox by sending crafted HTTP requests. No credentials, no user interaction, just a network path to the management interface. This is a CVSS 9.8 and affects both on-prem FortiSandbox appliances and FortiSandbox Cloud/PaaS across a wide range of versions.

Included because

unauthenticated; internet-facing management interface; CVSS 9.8; RCE; common security product

Affected estate

FortiSandbox on-prem (4.4.0 through 4.4.8, 5.0.0 through 5.0.1), FortiSandbox Cloud (5.0.2 through 5.0.5), FortiSandbox PaaS (all listed versions from 21.3 through 5.0.1)

How to check

Log into the FortiSandbox GUI or CLI and run `get system status` to confirm the firmware version.

Action

Upgrade to the fixed firmware version listed in Fortinet's advisory. As an interim step, block HTTP access to the management interface from untrusted networks.

Urgency

Patch immediately

Why it matters

Unauthenticated RCE on a security appliance gives an attacker a foothold inside your network and access to all files submitted for sandboxing.

Source

Fortinet PSIRT advisory

Prometheus exposes Azure AD OAuth client secrets through its configuration API. Anyone who can query that API endpoint can grab the secret and use it to authenticate as the Prometheus service account against Azure AD. If your Prometheus config API is reachable by untrusted users or exposed to the network, treat the affected client secrets as compromised.

Included because

credential exposure; network-accessible API; Azure AD service accounts at risk

Affected estate

Telegraf 1.31.0-19 on Azure Linux 3.0 and Prometheus 2.37.9-7 on CBL Mariner 2.0

How to check

Run `tdnf list installed telegraf prometheus` or check package versions with your package manager. Confirm whether Azure AD remote write OAuth is configured in your Prometheus or Telegraf config.

Action

Update the packages via tdnf, then rotate any Azure AD OAuth client secrets that may have been exposed.

Urgency

Patch this week

Why it matters

Leaked OAuth client secrets let an attacker impersonate your monitoring stack against Azure AD, potentially gaining write access to downstream systems.

Source

Azure Linux CVE tracker

XML::LibXML for Perl reads beyond allocated heap memory when it encounters XML node names with truncated UTF-8 sequences. An attacker who can feed crafted XML to a Perl application using this library could crash the process or potentially leak heap contents. This matters if you have any Perl services or scripts parsing untrusted XML input.

Included because

network-reachable if parsing untrusted XML; heap memory disclosure risk; common Perl library

Affected estate

perl-XML-LibXML 2.0209-2 on Azure Linux 3.0

How to check

Run `tdnf list installed perl-XML-LibXML` or `perl -MXML::LibXML -e 'print $XML::LibXML::VERSION'` on your hosts.

Action

Update the package via `tdnf update perl-XML-LibXML`.

Urgency

Patch this week

Why it matters

Out-of-bounds reads can crash services or leak sensitive data from process memory when parsing attacker-controlled XML.

Source

Azure Linux CVE tracker

Go's net/mail package has a quadratic blowup when parsing comments in email headers. An attacker can send a crafted email header that causes the parser to burn CPU for a very long time, effectively denying service to any Go application that parses mail. This affects Go itself plus anything built with it, including GCC's Go toolchain on the affected systems.

Included because

denial of service; network-reachable if parsing email; common language runtime; multiple affected packages

Affected estate

Azure Linux 3.0 hosts with golang 1.25.9-1 or 1.26.2-1, gcc 13.2.0-7, python-tensorboard 2.16.2-6, or tensorflow 2.16.1-11 installed

How to check

Run `go version` on your hosts and `tdnf list installed golang gcc python-tensorboard tensorflow` to check installed versions.

Action

Update all affected packages via tdnf. Rebuild statically linked Go binaries that import net/mail.

Urgency

Patch this week

Why it matters

A single crafted email header can pin a CPU core and hang your Go service, making this an easy denial-of-service vector.

Source

Azure Linux CVE tracker

An authenticated user on the Ivanti Endpoint Manager web console can exploit a SQL injection to achieve full remote code execution on the EPM server. You need valid credentials, but any console user will do. Given Ivanti's track record of these bugs being targeted quickly after disclosure, don't sit on this one.

Included because

authenticated but low-barrier; RCE; CVSS 8.8; Ivanti products are frequent targets; endpoint management is high-value infrastructure

Affected estate

Ivanti Endpoint Manager 2024 (base, SU1, SU2, SU3) and all earlier versions before 2024 SU6

How to check

Open the EPM console and check Help > About, or query the registry at HKLM\SOFTWARE\LANDesk\ManagementSuite for the installed version and service update level.

Action

Download and install Ivanti Endpoint Manager 2024 SU6 from the Ivanti support portal.

Urgency

Patch within 24 hours

Why it matters

RCE on your endpoint management server gives an attacker control over every managed endpoint in your environment.

Source

Ivanti security advisory

SharePoint deserializes untrusted data, letting an authenticated attacker execute arbitrary code on the server over the network. Any user with legitimate SharePoint access can trigger this. If you run on-prem SharePoint, this is a serious RCE that only requires a low-privilege account to pull off.

Included because

authenticated but low privilege needed; RCE; CVSS 8.8; SharePoint is widely deployed and stores sensitive data

Affected estate

On-premises Microsoft SharePoint Server (all supported versions until patched)

How to check

Open SharePoint Central Administration > Upgrade and Migration > Check product and patch installation status, or run `Get-SPFarm | Select BuildVersion` in the SharePoint Management Shell.

Action

Apply the July 2026 SharePoint cumulative update from Microsoft Update or download it from the Microsoft Update Catalog.

Urgency

Patch within 24 hours

Why it matters

Authenticated RCE on SharePoint gives an attacker a foothold on your intranet file and collaboration server, with access to all stored documents.

Source

Microsoft Security Response Center

A command injection bug in M365 Copilot lets an unauthenticated attacker tamper with Copilot responses or actions over the network. The CVSS is 7.4 with a tampering impact, meaning an attacker could manipulate what Copilot returns to users. This is a cloud-side issue, so the fix is on Microsoft's end, but you should verify your tenant is current.

Included because

unauthenticated; network-reachable; widely deployed M365 feature; command injection

Affected estate

Any Microsoft 365 tenant with M365 Copilot enabled

How to check

Check the Microsoft 365 admin center Message Center for advisories related to this CVE and confirm service health status.

Action

Monitor Microsoft's advisory for server-side patch deployment confirmation. Review Copilot usage logs for anomalous prompt injection or response tampering.

Urgency

Monitor and patch

Why it matters

Command injection in Copilot could let an attacker influence AI-generated responses, leading to data tampering or social engineering at scale.

Source

Microsoft Security Response Center

HireFlow v1.2 has textbook SQL injection in both its login and search pages. An attacker can bypass authentication entirely with something as simple as `admin'--` in the username field, or dump the whole database (including plaintext or hashed credentials) through UNION injection on the search endpoint. No authentication needed. If this app is internet-facing, assume it's already been found by scanners.

Included because

unauthenticated; internet-facing; CVSS 9.8; trivial to exploit; full database compromise; authentication bypass

Affected estate

HireFlow v1.2, specifically the /login and /search endpoints

How to check

Check the application version in HireFlow's about page or deployment configuration. Test the /login endpoint with a single quote in the username field to confirm the vulnerability (in a safe testing environment).

Action

Upgrade HireFlow past v1.2. If no fix exists, take it offline or restrict access. Rotate all credentials stored in the HireFlow database, as they may already be compromised.

Urgency

Patch immediately

Why it matters

Unauthenticated SQL injection lets an attacker dump your entire user database and log in as any user, including admins.

Source

NVD

An authenticated attacker can inject and execute arbitrary code on your Dynamics 365 on-prem server over the network. At CVSS 9.9, this is about as bad as it gets for a post-auth bug: one compromised low-privilege account could mean full server takeover. No reports of wild exploitation yet, but the attack surface is wide for anyone running on-prem Dynamics.

Included because

CVSS 9.9; network-exploitable; code execution; common enterprise product

Affected estate

Microsoft Dynamics 365 on-premises deployments, all versions until patched.

How to check

Check the Dynamics 365 version in Settings > About, or query the MSCRM_CONFIG database for the current build number.

Action

Apply the latest Dynamics 365 on-premises security update from Microsoft.

Urgency

Patch immediately

Why it matters

Any authenticated user can run arbitrary code on the server, which means a single compromised account can own your Dynamics tier.

Source

Microsoft Security Advisory

An authenticated user in Azure Logic Apps can exploit broken access controls to escalate their privileges over the network. CVSS 9.9 signals near-total impact. If an attacker already has a foothold in your Azure tenant, they could use this to gain control well beyond their assigned role.

Included because

CVSS 9.9; privilege escalation; network-exploitable; cloud service

Affected estate

Azure Logic Apps, both Consumption and Standard tiers, including ISE deployments.

How to check

Review the Azure Service Health dashboard and Logic Apps release notes for the security fix. Confirm your Logic Apps runtime version in the Azure portal under your app's properties.

Action

Verify Microsoft has applied the service-side fix. For ISE deployments, manually trigger any available platform updates.

Urgency

Patch immediately

Why it matters

A low-privilege attacker can escalate to higher roles, potentially gaining broad control over connected Azure resources and data flows.

Source

Microsoft Security Advisory

An unauthenticated attacker can trigger a heap-based buffer overflow in the Windows DNS service and execute code remotely. No credentials needed, no user interaction. CVSS 9.8. If your DNS servers face the network (and they do), this is a top-priority patch.

Included because

CVSS 9.8; unauthenticated; network-facing by design; remote code execution

Affected estate

Any Windows Server running the DNS Server role.

How to check

Run 'Get-WindowsFeature DNS' in PowerShell. If the DNS role is installed, you're exposed. Cross-reference installed KBs with the Microsoft advisory.

Action

Deploy the cumulative security update for your Windows Server version immediately.

Urgency

Patch immediately

Why it matters

DNS servers are always network-reachable, and this requires zero authentication. An attacker can get code execution on your DNS infrastructure with a crafted request.

Source

Microsoft Security Advisory

An unauthenticated attacker can exploit a stack-based buffer overflow in the Windows Netlogon service to run code remotely. CVSS 9.8 with no auth required. If you remember the Zerologon era, you know how critical Netlogon bugs are: domain controllers are the primary target here.

Included because

CVSS 9.8; unauthenticated; network-exploitable; domain controller exposure; remote code execution

Affected estate

All Windows Server systems running the Netlogon service, especially Active Directory domain controllers.

How to check

Domain controllers always run Netlogon. On member servers, check 'Get-Service Netlogon'. Confirm patch status with 'Get-HotFix' or your patch management tool.

Action

Deploy the cumulative security update to all domain controllers immediately, then patch remaining Windows servers.

Urgency

Patch immediately

Why it matters

Netlogon is exposed on every domain controller. Unauthenticated remote code execution here means an attacker can compromise your entire AD forest.

Source

Microsoft Security Advisory

A use-after-free bug in Windows Hyper-V lets an unauthenticated local attacker escalate privileges. CVSS 9.3 is unusually high for a local bug, which likely means a guest-to-host escape. If you run Hyper-V, a compromised VM could break out and own the host.

Included because

CVSS 9.3; likely guest-to-host escape; privilege escalation; common virtualization platform

Affected estate

Windows Server systems with the Hyper-V role enabled, Windows 10/11 systems with Hyper-V enabled, Azure Stack HCI nodes.

How to check

Run 'Get-WindowsFeature Hyper-V' on servers or 'Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V' on clients. If enabled, you're in scope.

Action

Apply the cumulative security update to all Hyper-V hosts and reboot during your next maintenance window (ideally tonight).

Urgency

Patch immediately

Why it matters

A guest-to-host escape lets an attacker break out of a VM and take over the physical host, compromising every other VM on that box.

Source

Microsoft Security Advisory

Azure Entra ID (formerly Azure AD) leaks sensitive information to unauthenticated attackers, enabling spoofing over the network. CVSS 9.3. The practical risk: an attacker could impersonate identities or forge tokens in your tenant. This is an identity-plane bug, which makes it dangerous even if your apps are otherwise well-configured.

Included because

CVSS 9.3; unauthenticated; network-exploitable; identity plane; affects nearly all Azure/M365 tenants

Affected estate

All Azure tenants using Entra ID for authentication and identity management.

How to check

Review the Microsoft 365 Service Health dashboard and Entra ID release notes for the advisory. Check Entra ID sign-in and audit logs for anomalous activity.

Action

Apply any tenant-side configuration changes Microsoft specifies. If the fix is service-managed, confirm deployment via Azure Service Health.

Urgency

Patch immediately

Why it matters

Identity spoofing at the Entra ID level can let an attacker impersonate users or services across your entire Microsoft ecosystem.

Source

Microsoft Security Advisory

An authenticated attacker can exploit excessive privileges in Dynamics 365 on-premises to execute code over the network. CVSS 9.1. This is the second critical Dynamics 365 on-prem code execution bug this cycle. A user who should only have read access could run code on your server.

Included because

CVSS 9.1; network-exploitable; code execution; common enterprise product

Affected estate

Microsoft Dynamics 365 on-premises deployments, all versions until patched.

How to check

Check the Dynamics 365 version in Settings > About, or query the MSCRM_CONFIG database for the current build number. Verify the fix covers both CVE-2026-42898 and this CVE.

Action

Apply the latest Dynamics 365 on-premises security update from Microsoft.

Urgency

Patch immediately

Why it matters

Low-privilege authenticated users can execute code on the server, making any compromised Dynamics account a path to full system compromise.

Source

Microsoft Security Advisory

The Microsoft SSO Plugin for Jira and Confluence has a broken authentication implementation that lets an unauthenticated attacker escalate privileges remotely. CVSS 9.1. If you use this plugin to federate Atlassian logins through Microsoft, an attacker could bypass auth entirely and gain elevated access to your Jira or Confluence instance.

Included because

CVSS 9.1; unauthenticated; authentication bypass; internet-facing service common in enterprises

Affected estate

Jira and Confluence instances (Server or Data Center) with the Microsoft SSO Plugin installed.

How to check

In Jira or Confluence, go to Manage Apps and look for the Microsoft SSO Plugin. Note the installed version and compare it against the patched version in the advisory.

Action

Update the Microsoft SSO Plugin to the fixed version immediately.

Urgency

Patch immediately

Why it matters

An unauthenticated attacker can bypass SSO authentication and gain privileged access to your Jira and Confluence data, which often contains credentials, architecture docs, and sensitive project info.

Source

Microsoft Security Advisory

A broken authentication mechanism in the Azure SDK lets an unauthenticated attacker bypass security features over the network. CVSS 9.1. If your applications use the Azure SDK for auth, an attacker could potentially skip authentication checks entirely. The blast radius depends on what your app protects, but the SDK is everywhere.

Included because

CVSS 9.1; unauthenticated; authentication bypass; widely used SDK

Affected estate

Any application or service using Azure SDK libraries for authentication, across all languages and platforms.

How to check

Search your repos and deployed packages for Azure SDK auth libraries (e.g., azure-identity, @azure/identity, Azure.Identity). Compare installed versions to the advisory's fixed versions.

Action

Update Azure SDK auth packages to patched versions, rebuild, and redeploy affected applications.

Urgency

Patch within 24 hours

Why it matters

A broken auth check in a foundational SDK means every app relying on it for access control could be bypassed by an unauthenticated attacker.

Source

Microsoft Security Advisory

A session fixation bug in Visual Studio Code lets an unauthenticated attacker escalate privileges over the network. CVSS 8.8. Practically, an attacker could fix a session token and trick a developer into using it, then hijack their VS Code session. This likely requires some social engineering or network positioning to pull off.

Included because

CVSS 8.8; network-exploitable; privilege escalation; widely used developer tool

Affected estate

All Visual Studio Code installations on Windows, Linux, and macOS.

How to check

In VS Code, go to Help > About and check the version number. Compare against the patched version listed in the advisory.

Action

Update VS Code to the latest release via the built-in updater or your software deployment tool.

Urgency

Patch this week

Why it matters

Developer workstations often have broad access to source code repos, cloud credentials, and CI/CD pipelines. A hijacked VS Code session could give an attacker that access.

Source

Microsoft Security Advisory