
Microsoft Patch Tuesday May 2026 — Wave 2: Hyper-V LPE, Entra ID Spoofing, Authenticator

May 2026 Patch Tuesday follow-up: 3 new CRITICAL CVEs — Hyper-V use-after-free LPE (9.3), Entra ID spoofing (9.3), Microsoft Authenticator info disclosure (9.6). Patch now.

May 15, 2026 · 5 min read

The May 2026 Microsoft Patch Tuesday didn't stop at the 4 CRITICAL CVEs we analyzed last week. Three more CVEs warrant dedicated attention — all hitting central pieces of the modern Microsoft ecosystem:

  • CVE-2026-40402 — Use-after-free in Windows Hyper-V → local privilege escalation (CVSS 9.3)
  • CVE-2026-40379 — Spoofing in Azure Entra ID (CVSS 9.3)
  • CVE-2026-41615 — Information disclosure in Microsoft Authenticator (CVSS 9.6)

If you operate Hyper-V infrastructure, an Azure AD/Entra ID tenant, or your users rely on Microsoft Authenticator for MFA, this article frames your patch window.


CVE-2026-40402 — Hyper-V use-after-free → LPE (CVSS 9.3)

Component and vector

Windows Hyper-V is Windows Server's native hypervisor, used by millions of organizations to run VMs in production (Azure Stack HCI included). This CVE hits the host-side hypervisor component — not the guest.

Vector: AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. Local access is required (Attack Vector "Local"), but the S:C (Scope Changed) flag signals that exploitation crosses an isolation boundary: an attacker who can run code inside a guest VM can potentially compromise the host.

The bug

A use-after-free in Hyper-V's memory management. Classic pattern:

  1. A host-side kernel object is freed
  2. A dangling pointer remains
  3. A subsequent operation uses the dangling pointer
  4. If the attacker controls reallocation of the memory region, they can hijack the kernel flow

Impact

  • Potential VM escape: an attacker rooted in a guest VM can compromise the host (extreme and hard-to-exploit case, but theoretically possible with S:C)
  • Local privilege escalation on the host
  • Credential/hash theft from co-located VMs
  • Hypervisor-level persistence (very hard to detect)

Patch priority

CRITICAL for Hyper-V hosts running untrusted VMs (multi-tenant cloud, testing environments with partner access). High for single-tenant hosts. The patch should land in the next maintenance window, with VM live migration first.


CVE-2026-40379 — Entra ID spoofing (CVSS 9.3)

Component and vector

Azure Entra ID (formerly Azure Active Directory) is Microsoft's cloud IdP, used by millions of tenants for SSO and identity management. This CVE lets an unauthenticated attacker spoof an identity over the network.

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N — network exploit, user interaction required (typically clicking a crafted link or visiting a malicious page).

Likely mechanism

Without published technical details from Microsoft (usual policy for managed services), the vector hints at an identity-confusion-assisted phishing scenario:

  1. The attacker crafts a URL resembling a legitimate Entra ID OAuth/SAML flow
  2. The victim clicks → an auth flow starts
  3. A flaw on the Entra ID side lets the attacker capture the token or substitute themselves in the application context

Impact

  • Session theft: the attacker reaches the victim's SSO apps (Microsoft 365, third-party SaaS via Entra ID, Azure Portal)
  • MFA bypass in some cases (if the attacker intercepts the post-MFA token)
  • Mass phishing: credible malicious URLs that slip past classic phishing detection

Patch priority

Microsoft has already deployed the fix server-side (managed service). What remains on the tenant side:

  1. Audit Entra ID logs for the past 30 days for unusual sign-ins
  2. User awareness: this CVE is a reminder that even a legitimate OAuth flow can be compromised by a malicious link — education is still critical

CVE-2026-41615 — Microsoft Authenticator info disclosure (CVSS 9.6)

Component and vector

Microsoft Authenticator is Microsoft's official MFA app, deployed on hundreds of millions of smartphones. This CVE allows exposure of sensitive information to an unauthorized attacker.

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H — network, user interaction (tapping a notification?).

Likely mechanism

Several plausible scenarios from the wording:

  1. Spoofed push notification: an attacker sends a fake Authenticator notification the victim approves out of habit (MFA fatigue, upgraded)
  2. Sensitive info displayed in a notification (codes, identifiers) accessible to another malicious app on the OS
  3. Server-side deserialization in the Authenticator API that leaks data via a malformed URL

The C:H/I:H/A:H with changed scope suggests the CVE can be chained to obtain unsolicited MFA codes or identification info.

Impact

  • Approval push spoofing: the victim approves a sign-in that isn't theirs → the attacker reaches the Microsoft 365 account
  • Exfiltration of the TOTP codes generated by the app
  • MFA bypass on Microsoft and third-party accounts using Authenticator as generic TOTP

Patch priority

Update the Microsoft Authenticator app:

  • iOS: App Store → Authenticator → Update
  • Android: Play Store → Authenticator → Update

Push via your MDM (Intune, Jamf, Kandji) as a compliance rule within 7 days. Most MDMs already force auto-update — confirm via your MDM console that it's enabled.


Summary and patching order

CVE             Component           Patch side                     Recommended window
CVE-2026-40402  Hyper-V (host)      Windows Update                 Next maintenance window, max 14 days
CVE-2026-40379  Entra ID            Microsoft (already deployed)   30-day log audit
CVE-2026-41615  Authenticator app   iOS/Android update             7 days via MDM

Windows Hyper-V procedure

# Get-WindowsUpdate / Install-WindowsUpdate come from the PSWindowsUpdate module, not from Windows itself
Import-Module PSWindowsUpdate

# Check update status on a Hyper-V host
Get-WindowsUpdate -Verbose

# List hosted VMs and, on a Hyper-V cluster, live-migrate them off this node before patching
Get-VM
Move-ClusterVirtualMachineRole -Name <vm-name> -Node <other-node>

# Install security updates and reboot
Install-WindowsUpdate -Category SecurityUpdates -AcceptAll -AutoReboot

Entra ID audit

In the Entra ID Admin Center:

  1. Identity → Monitoring & health → Sign-in logs
  2. Filter: "Failed sign-ins" + "Risky sign-ins" over the past 30 days
  3. Anomaly hunt: sign-ins from unusual countries, non-allowlisted residential IPs, odd user agents
  4. Consider rotating Application Passwords as a precaution
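The anomaly hunt in steps 2 and 3 is easier to repeat over 30 days of logs if it is scripted against an export of the sign-in records. The Python below is an added example, not code from the post or a Microsoft tool: it applies the same four rules (failed sign-ins, risky sign-ins, unexpected countries, IPs outside the allowlisted corporate ranges, scripted user agents) to sign-in records. The records are constructed for this example and trimmed to the fields the rules need; field names follow the Graph signIn resource where it has them, and the corporate ranges, expected countries and user-agent markers are assumptions to replace with your tenant's own baseline.

```python
import ipaddress
import json

# Hypothetical tenant baseline (assumptions for this example, not from the post).
CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                    ipaddress.ip_network("198.51.100.0/24")]
EXPECTED_COUNTRIES = {"FR", "DE"}
# User-agent fragments that point at scripted clients rather than a browser or the Authenticator app.
ODD_UA_MARKERS = ("python-requests", "curl/", "go-http-client", "wget/")

# Constructed sample records. Field names follow the Graph signIn resource (createdDateTime,
# userPrincipalName, ipAddress, location.countryOrRegion, status.errorCode,
# riskLevelDuringSignIn); userAgent is flattened from the export for brevity.
# Error 50126 is AADSTS50126 (invalid credentials); 0 means success.
SAMPLE_SIGNINS = json.loads("""
[
 {"createdDateTime": "2026-05-09T08:02:11Z", "userPrincipalName": "alice@contoso.example",
  "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "FR"},
  "status": {"errorCode": 0}, "riskLevelDuringSignIn": "none",
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/124.0"},
 {"createdDateTime": "2026-05-10T02:14:00Z", "userPrincipalName": "alice@contoso.example",
  "ipAddress": "192.0.2.77", "location": {"countryOrRegion": "BR"},
  "status": {"errorCode": 0}, "riskLevelDuringSignIn": "medium",
  "userAgent": "python-requests/2.31.0"},
 {"createdDateTime": "2026-05-11T17:45:30Z", "userPrincipalName": "bob@contoso.example",
  "ipAddress": "198.51.100.5", "location": {"countryOrRegion": "DE"},
  "status": {"errorCode": 50126}, "riskLevelDuringSignIn": "none",
  "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edg/124.0"},
 {"createdDateTime": "2026-05-12T09:00:05Z", "userPrincipalName": "bob@contoso.example",
  "ipAddress": "203.0.113.10", "location": {"countryOrRegion": "FR"},
  "status": {"errorCode": 0}, "riskLevelDuringSignIn": "none",
  "userAgent": ""}
]
""")


def ip_is_allowlisted(ip_str, ranges=CORPORATE_RANGES):
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # malformed address in the export: treat as not allowlisted
    return any(ip in net for net in ranges)


def reasons_for(rec, expected_countries=EXPECTED_COUNTRIES):
    """Apply the hunting rules to one record; an empty list means nothing to look at."""
    reasons = []
    code = rec["status"]["errorCode"]
    if code != 0:
        reasons.append(f"failed sign-in (error {code})")
    risk = rec.get("riskLevelDuringSignIn", "none")
    if risk not in ("none", "hidden"):
        reasons.append(f"risky sign-in ({risk})")
    country = rec["location"]["countryOrRegion"]
    if country not in expected_countries:
        reasons.append(f"unusual country ({country})")
    if not ip_is_allowlisted(rec["ipAddress"]):
        reasons.append(f"non-allowlisted IP ({rec['ipAddress']})")
    ua = rec.get("userAgent", "").strip().lower()
    if not ua or any(marker in ua for marker in ODD_UA_MARKERS):
        reasons.append(f"odd user agent ({ua or 'empty'})")
    return reasons


def triage(records):
    """Return only the records worth a look, with their reasons, newest first."""
    flagged = [{"time": r["createdDateTime"], "upn": r["userPrincipalName"],
                "ip": r["ipAddress"], "reasons": reasons_for(r)} for r in records]
    flagged = [f for f in flagged if f["reasons"]]
    return sorted(flagged, key=lambda f: f["time"], reverse=True)


def per_user_counts(flagged):
    """How many flagged sign-ins each account has; a quick way to see who to contact first."""
    counts = {}
    for f in flagged:
        counts[f["upn"]] = counts.get(f["upn"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_SIGNINS)
    for h in hits:
        print(f"{h['time']} {h['upn']:<24} {h['ip']:<15} {'; '.join(h['reasons'])}")
    print("per user:", per_user_counts(hits))
```

On the sample, the 02:14 sign-in for alice trips four rules at once (risk level, country, IP, user agent), which is the kind of record to investigate before anything else; bob's two hits are a single failed password and an empty user agent, each worth a glance but far less urgent. The country and IP rules are only as good as the baseline behind them, so keep EXPECTED_COUNTRIES and CORPORATE_RANGES aligned with what your Conditional Access policies already consider normal.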

Verify Authenticator version

  • iOS: Authenticator → Settings → About → version must be ≥ official patch version (check the App Store release notes)
  • Android: same via Authenticator → Settings → About

Why Continuous Monitoring of the Microsoft Ecosystem Matters

Each monthly Patch Tuesday ships 5 to 15 CRITICAL CVEs, spread across Windows Server, SQL Server, Office, Azure, Dynamics, Hyper-V, and Microsoft mobile apps. Maintaining up-to-date visibility on which components are deployed where — and who uses them — is a challenge in itself. CVEs like these overlap: Entra ID + Authenticator + Hyper-V touch three different surfaces in the same organization.

With cveo.tech, inventory your Microsoft components — Windows servers, Azure workloads, Entra ID identities, standardized mobile apps — and receive an automatic email every Patch Tuesday with the CVEs that affect your exact versions and enabled services, turning Microsoft's monthly list into a targeted action plan.
