Particle.news

Microsoft’s May Patch Tuesday Fixes About 137 Flaws With No Zero-Days

AI-led bug hunting is swelling patch loads for defenders.

Overview

  • Microsoft’s monthly update, released Tuesday, covers roughly 137 CVEs across Windows, Office and cloud services, and the company says none are known to be exploited in the wild.
  • CVE-2026-41096 in the Windows DNS client allows remote code execution from a crafted DNS response without user action, which is risky because every Windows machine makes DNS lookups and attackers can abuse rogue or man-in-the-middle resolvers.
  • CVE-2026-41089 in Windows Netlogon enables pre-auth remote code execution on domain controllers via a crafted network request, prompting experts to urge same-window patching and to limit Netlogon traffic to only required network segments.
  • Several Microsoft Word bugs, including CVE-2026-40361 and CVE-2026-40364, can trigger code execution just by previewing a malicious document, which removes the need for a user to open the file and raises the chance of successful attacks.
  • CVE-2026-42898 in on-premises Dynamics 365 carries a 9.9 CVSS score for code injection and could let a low-privilege user run code across connected business systems.
  • Microsoft says 16 CVEs this month were found by its new MDASH AI.
  • Admins are being pressed to finish Secure Boot certificate rotations before the June 26 deadline.