Microsoft released patches for 138 CVEs on May 12, 2026. The most critical is CVE-2026-41089, a stack-based buffer overflow in Windows Netlogon that allows unauthenticated remote code execution on domain controllers and has been classified as wormable. A second high-severity issue, CVE-2026-41096, affects the Windows DNS Client and can be triggered by a malicious DNS response without authentication. Wormable vulnerabilities in Netlogon represent a severe risk to Active Directory environments — a single unpatched domain controller can serve as a beachhead for lateral movement across an entire Windows estate. Organizations should prioritize deploying KB updates for domain controllers above other Patch Tuesday items and verify that DNS client patches are applied fleet-wide.