137 Vulnerabilities Fixed in a Heavy Microsoft Patch Tuesday
Microsoft’s latest Patch Tuesday delivers security fixes for 137 vulnerabilities, marking another large-scale update that places significant pressure on IT and security teams. Among these, 30 are rated critical and 14 carry CVSS scores of 9.0 or higher, including one rated a perfect 10. Microsoft has also confirmed that none of the newly patched flaws are currently known to be exploited in the wild, and no zero-day attacks are included in this release. The company highlighted that its AI-driven bug-hunting platform, codenamed MDASH, contributed to identifying 16 of the vulnerabilities addressed this month, reflecting a trend toward larger and more frequent patch bundles. While this represents clear progress in vulnerability discovery, it also translates into more testing, validation, and change-management overhead, especially for organisations running complex Windows environments spanning servers, workstations, and cloud-connected assets.
Critical Netlogon Vulnerability Demands Immediate Domain Controller Patching
The standout issue in this Microsoft Patch Tuesday cycle is CVE-2026-41089, a critical Netlogon vulnerability affecting Windows Server domain controllers. Rated 9.8 on the CVSS scale, this stack-based buffer overflow in Windows Netlogon can allow remote code execution in the context of the Netlogon service, effectively granting an attacker SYSTEM-level privileges on a domain controller. Rapid7 emphasises that the flaw requires no privileges, no user interaction, and is considered low complexity, characteristics that significantly lower the barrier to developing a reliable exploit once technical details are available. While Microsoft currently assesses exploitation as less likely, defenders are urged not to rely on this rating and to prioritise domain controller patching without delay. The issue evokes comparisons with the earlier ZeroLogon vulnerability, reinforcing the message that Netlogon weaknesses can quickly become high-impact entry points for attackers if left unpatched.
DNS Client and Other High-Risk Flaws Expand the Attack Surface
Beyond Netlogon, Microsoft Patch Tuesday also addresses other high-impact vulnerabilities, notably CVE-2026-41096 in the Windows DNS client. This bug is a critical remote code execution flaw, also rated 9.8, caused by a heap-based buffer overflow. An attacker able to influence DNS responses—such as via a rogue server or man-in-the-middle position—could send specially crafted DNS responses to achieve unauthenticated remote code execution, leading to memory corruption and full compromise of affected systems. Because the DNS client runs on virtually every Windows machine and DNS traffic is constant, the attack surface for this vulnerability is extensive. Security researchers warn that attackers seeking broad and efficient access to Windows assets are likely to focus on such flaws. Organisations should treat this as a priority in their patch deployment plans, especially where DNS infrastructure or client traffic could be exposed or intercepted.
KB5083769 Causes Backup Software Compatibility Failures
While the latest wave of security fixes is critical, administrators must also be aware of backup software compatibility issues introduced by the April security update KB5083769. Microsoft confirms that this update added the psmounterex.sys kernel driver to the Windows Vulnerable Driver Blocklist to mitigate a high-severity buffer overflow (CVE-2023-43896). As a side effect, image-mount operations now fail in several popular backup solutions, including Macrium Reflect, Acronis Cyber Protect Cloud, UrBackup Server, and NinjaOne Backup, across Windows 10, Windows 11, and Windows Server installations. When psmounterex.sys is blocked, backup jobs may fail or image management tasks may break, with Event Viewer logging Code Integrity Event ID 3077 indicating the blocked driver. Microsoft advises organisations not to roll back the security patch. Instead, administrators should upgrade to updated backup software builds that replace psmounterex.sys with a non-blocklisted driver as soon as vendors release them.
Balancing Critical Security Updates with Operational Stability
Security and IT teams must carefully coordinate domain controller patching, backup software maintenance, and broader Microsoft Patch Tuesday deployments. For the Netlogon vulnerability, organisations should prioritise domain controller patching and validate successful installation in their domain controller patching workflows, given the potential for full domain compromise. Simultaneously, teams using Macrium, Acronis, UrBackup, or NinjaOne should inventory affected systems, monitor for Event ID 3077 related to psmounterex.sys, and engage vendors for updated drivers or application builds. Change-management plans should include phased rollouts, lab testing for backup software compatibility, and clear rollback strategies that preserve security baselines. Although no zero-day exploits are reported in this cycle, the combination of a critical Netlogon vulnerability, a widely exposed DNS client flaw, and backup software regressions underscores the need for disciplined patch management, coordinated communication between security and operations, and continuous monitoring for unexpected failures or anomalies.