In the Patch Tuesday release of 12 May 2026, Microsoft fixed CVE-2026-41096, a remote code execution vulnerability in the Windows DNS Client that the company rated critical. The bug sits in the resolver running on every Windows machine, not in the DNS server.
What actually goes wrong
The DNS Client is the component that turns domain names into IP addresses. Every time you open a website, connect to a network resource, or your machine resolves an internal name, that component sends a query and processes whatever response comes back.
The problem lives in that processing step. According to Microsoft’s description, an attacker-controlled DNS server can return a specially crafted response that the client parses incorrectly, corrupting memory in the process. That corruption is what makes remote code execution possible on the affected system.
The victim does not need to download or open anything. It is enough for their machine to make a DNS query that ends up being answered, directly or indirectly, by a server the attacker controls.
Who is affected and why it matters
Any Windows machine that resolves names through an untrusted DNS server is exposed. The most realistic scenario involves networks you do not fully control: public Wi-Fi, a compromised router, or any setting where someone can sit in the middle of the conversation and answer queries before the legitimate server does.
The severity comes from the vector itself. This is code execution with no user interaction, against a component that is active in practically every Windows install. No active exploitation was reported at patch time, but an RCE flaw in something this central is valuable to anyone who can chain it with other techniques.
How to protect yourself
The fix is straightforward: apply the May 2026 Patch Tuesday updates. Microsoft shipped the correction in that batch, which closed around 120 flaws (17 of them critical) and was the first Patch Tuesday without known zero-days since June 2024.
If you manage fleets, prioritise machines that connect to networks you do not control: laptops, mobile staff devices, and any system using external DNS resolvers. As a complementary measure, using trusted resolvers and, where possible, encrypted DNS (DoH/DoT) reduces the surface an attacker could use to inject responses, though it does not replace the patch.
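One way to triage a single host along the lines above, as an added example that is not from the original article or from Microsoft. The function name `Get-DnsExposure`, the resolver allowlist, the priority tiers and the `KB0000000` placeholder are assumptions; the article does not give a KB number, so substitute the one from the advisory.

```powershell
# Added example: triage one Windows host for the exposure described above.
# Assumptions: the allowlist and KB id below are placeholders, not values from the article.
$TrustedResolvers = @('10.0.0.53', '10.0.1.53')   # constructed sample: your own internal resolvers
$PatchKb          = 'KB0000000'                    # placeholder: take the real id from the advisory

function Get-DnsExposure {
    param(
        [string[]]$Trusted,
        [string]$Kb
    )

    # Resolvers configured on each interface, IPv4 and IPv6.
    $configured = Get-DnsClientServerAddress |
        Where-Object { $_.ServerAddresses.Count -gt 0 }

    $untrusted = foreach ($entry in $configured) {
        foreach ($addr in $entry.ServerAddresses) {
            # Skip the site-local placeholders Windows lists when no IPv6 DNS is set.
            if ($addr -like 'fec0:0:0:ffff::*') { continue }
            if ($addr -notin $Trusted) {
                [pscustomobject]@{
                    Interface = $entry.InterfaceAlias
                    Resolver  = $addr
                }
            }
        }
    }

    # Get-HotFix reads Win32_QuickFixEngineering; an absent update yields no object.
    $patched = [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)

    # Unpatched hosts that resolve through servers outside the allowlist go first.
    if (-not $patched -and $untrusted) {
        $priority = 'High'
    } elseif (-not $patched) {
        $priority = 'Medium'
    } else {
        $priority = 'Low'
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        Patched            = $patched
        UntrustedResolvers = @($untrusted)
        Priority           = $priority
    }
}

Get-DnsExposure -Trusted $TrustedResolvers -Kb $PatchKb | Format-List
```

The result reflects the resolvers configured at the moment it runs, so a laptop checked on the office network can still pick up other resolvers via DHCP elsewhere.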
For the full context of the release and the rest of the fixes that month, see May 2026 Patch Tuesday: 120 flaws fixed and no zero-days.