patch-tuesday - TrustStrike Labs

vulnerability

CVE-2026-40361 CVE-2026-40364 CVE-2026-41096 CVE-2026-41089 CVE-2026-41103 CVE-2026-40402 CVE-2026-35421

2026-05-13

Microsoft's May 2026 Patch Tuesday fixes 120 flaws and no zero-days for the first time since June 2024 - but a Word preview-pane bug and DNS Client RCE stand out as the priorities

Microsoft fixed 120 vulnerabilities on Tuesday - 17 Critical, no zero-days for the first time since June 2024. Two Word RCEs (CVE-2026-40361 and CVE-2026-40364) trigger just by viewing a malicious document in Outlook's Preview Pane and are rated 'Exploitation More Likely.' Windows DNS Client (CVE-2026-41096) lets an attacker-controlled DNS server execute code on any Windows machine resolving a hostile name - echoing SigRed. Other priorities: Netlogon RCE (CVE-2026-41089) and Microsoft SSO Plugin for Jira and Confluence (CVE-2026-41103, CVSS 9.1).

microsoft patch-tuesday windows office word dns-client netlogon preview-pane hyper-v no-zero-days

Check: Check Windows patch status for the May 2026 cumulative update. Confirm whether Outlook's Word Preview Pane is enabled - that's the exposure path for CVE-2026-40361 and 40364.
Affected: Unpatched Windows clients and servers. Priority targets: Outlook/Word (Preview Pane RCEs CVE-2026-40361/40364), domain controllers (Netlogon CVE-2026-41089), DNS-facing servers (CVE-2026-41096).
Fix: Deploy May 2026 cumulative updates fleet-wide. Prioritize DCs (Netlogon), DNS servers, and Outlook hosts. Disable Word Preview Pane as a compensating control until patched.

vulnerability

CVE-2026-32202

2026-04-28

Microsoft confirms a Windows Shell flaw that lets attackers spoof anything in File Explorer is being exploited - patch now (CVE-2026-32202)

Microsoft confirmed yesterday that a Windows Shell spoofing flaw, CVE-2026-32202, is being exploited in the wild. The bug lets an attacker craft files that appear in File Explorer with fake names, icons, and paths - so a malicious .exe can show up looking like a benign PDF, leading users to double-click and run it. Microsoft patched the bug in the April 14 Patch Tuesday but only confirmed in-the-wild exploitation on April 28, raising urgency for any environment that hasn't deployed April patches. The flaw is particularly dangerous on shared file servers, USB drops, and email attachments - any path where users trust File Explorer to tell them what's what.

windows-shell spoofing file-explorer actively-exploited patch-tuesday social-engineering

Check: Confirm every Windows endpoint has the April 14 Patch Tuesday update installed, especially any host that opens shared drives, USB drives, or email attachments.
Affected: Windows endpoints without the April 14, 2026 patch installed. CVE-2026-32202 affects all currently supported Windows versions including Windows 10, 11, and Server. Acute risk on hosts that handle external files: receptionists, finance staff opening invoices, IT staff handling user-submitted USB drives, anyone receiving email attachments from outside the organization.
Fix: Deploy the April 14 Patch Tuesday update via your usual patching process, prioritizing user endpoints over servers. Verify deployment with MDM rather than trusting WSUS compliance numbers. Enable 'show file extensions' as a Group Policy default. Re-train staff on file-trust basics this month. Watch for unusual process spawns from explorer.exe.

vulnerability

2026-04-20

Microsoft ships emergency out-of-band updates to fix Windows Server reboot loops and install failures caused by April Patch Tuesday

Microsoft has released out-of-band emergency updates to fix two Windows Server issues introduced by the April 2026 Patch Tuesday updates. First issue: some admins experienced failures installing the KB5082063 security update on Windows Server 2025. Second issue: Patch Tuesday cumulative updates caused Windows servers running domain controller roles to enter restart loops due to crashes of the Local Security Authority Subsystem Service (LSASS). The restart loop can also hit newly-set-up domain controllers or existing ones if the server processes authentication requests very early during startup. The Windows Server 2025 OOB update (KB5091157) addresses both issues. OOB updates for other supported Windows Server versions address only the domain controller restart issue. This is the third consecutive year where April Windows Server patches have caused authentication-related breakage, following similar incidents in 2024 and 2025.

microsoft windows-server patch-tuesday emergency-patch domain-controller lsass

Check: If you run Windows Server domain controllers and installed April Patch Tuesday updates, apply the OOB fix before your DCs enter the restart loop.
Affected: Windows Server domain controllers that installed the April 2026 Patch Tuesday updates, particularly in Privileged Access Management (PAM) environments and non-Global Catalog DC configurations. Windows Server 2025 systems that had failures installing KB5082063.
Fix: Apply the out-of-band update for your Windows Server version. For Windows Server 2025, install KB5091157, which addresses both the install failure and the DC restart loop. For other supported Server versions, install the matching OOB update from Microsoft's advisory (addresses the DC restart loop only). If you have servers already in a restart loop, boot into safe mode or recovery mode to apply the OOB update before normal startup triggers another LSASS crash. Also check for the separate BitLocker recovery key prompt issue on Windows Server 2025 after KB5082063 - keep BitLocker recovery keys accessible before patching.