Microsoft’s May 2026 Patch Tuesday includes security updates for 120 vulnerabilities, with no zero-days disclosed this month. Despite the absence of actively exploited or publicly disclosed zero-days, the release is still significant due to the volume of high-severity flaws and the number of critical remote code execution vulnerabilities addressed.
This month’s update includes 17 critical vulnerabilities, 14 of which are tied to remote code execution, alongside two elevation of privilege flaws and one information disclosure issue.
Breakdown of Vulnerabilities
- 61 Elevation of Privilege vulnerabilities
- 31 Remote Code Execution vulnerabilities
- 14 Information Disclosure vulnerabilities
- 13 Spoofing vulnerabilities
- 8 Denial of Service vulnerabilities
- 6 Security Feature Bypass vulnerabilities
These totals do not include vulnerabilities in Mariner, Azure, Copilot, Microsoft Teams, and Microsoft Partner Center that were patched earlier in the month. Microsoft Edge and Chromium updates are also excluded, with Google separately addressing 131 Edge and Chromium-related flaws.
Noteworthy Vulnerabilities
Although Microsoft did not disclose any zero-days this month, several vulnerabilities stand out due to their exploitation potential and affected attack surface.
Microsoft patched numerous remote code execution vulnerabilities in Microsoft Office, Word, and Excel. Many of these flaws can be triggered through malicious documents and, in several cases, through the preview pane alone. Organizations that routinely process external attachments should prioritize Office updates immediately to reduce phishing-related risk.
CVE-2026-35421 | Windows GDI Remote Code Execution Vulnerability
This vulnerability can be exploited by opening a malicious Enhanced Metafile (EMF) image in Microsoft Paint. Successful exploitation allows attackers to execute arbitrary code on the affected system.
CVE-2026-40365 | Microsoft SharePoint Server Remote Code Execution Vulnerability
This flaw allows an authenticated attacker to execute code remotely over the network against a vulnerable SharePoint deployment. Given SharePoint’s role in enterprise collaboration environments, this issue should be treated as a priority for organizations exposing SharePoint services internally or externally.
CVE-2026-41096 | Windows DNS Client Remote Code Execution Vulnerability
An attacker-controlled DNS server can send specially crafted responses that corrupt memory in the Windows DNS Client service, potentially leading to remote code execution. This vulnerability is notable because exploitation may occur simply through interaction with a malicious DNS response, increasing exposure in environments with untrusted or externally controlled DNS infrastructure.
Adobe and Other Vendor Updates
Several major vendors released security updates alongside Microsoft’s May patches:
- Adobe issued updates for After Effects, Premiere Pro, Media Encoder, Commerce, Illustrator, and additional products.
- AMD disclosed fixes for an elevation of privilege issue affecting the op/µop cache in Zen 2-based processors.
- Apple released updates across macOS, iOS, iPadOS, watchOS, visionOS, and tvOS.
- Cisco patched multiple products, including a denial of service vulnerability requiring manual reboot of affected systems for recovery.
- Fortinet addressed two critical vulnerabilities affecting FortiSandbox and FortiAuthenticator.
- Google’s May Android security bulletin fixed 10 vulnerabilities.
- Ivanti released updates for a high-severity Endpoint Manager Mobile remote code execution vulnerability that had been exploited as a zero-day.
- Mozilla patched five Firefox vulnerabilities.
- Palo Alto Networks warned customers about a critical PAN-OS User-ID Authentication Portal flaw actively exploited in attacks, though patches were not yet available at the time of disclosure.
- SAP released updates addressing one high-severity and two critical vulnerabilities.
- vm2 patched a critical flaw in the widely used Node.js sandboxing library.
Recommendations for Users and Administrators
Organizations should prioritize updates for Microsoft Office, SharePoint Server, and systems processing externally sourced image or document content. The concentration of Office preview pane vulnerabilities continues to make phishing and attachment-based delivery mechanisms a major concern.
Security teams should also review DNS infrastructure exposure and monitor vendor advisories from Palo Alto Networks, Ivanti, Fortinet, and Cisco, particularly where active exploitation or critical remote access weaknesses are involved. Even without Microsoft zero-days this month, May’s release contains multiple vulnerabilities capable of supporting enterprise compromise chains if left unpatched.
Potentially exposed collaboration systems, DNS services, and endpoint-facing applications should receive immediate attention as part of patch deployment planning.
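The following PowerShell script is an added example, not part of the original post or any Microsoft tooling. It turns the recommendations above into a read-only host check: which Windows updates landed since the start of the patch cycle, what Click-to-Run Office build is installed (Get-HotFix does not list Office updates, so the build is read from the ClickToRun registry key instead), whether the host is running SharePoint (the SPTimerV4 timer service is used as the indicator), and which network interfaces point at resolvers outside an approved list, which is the exposure that matters for the DNS Client flaw. The cutoff date and the approved-resolver list are constructed placeholders to replace with your own values.

```powershell
# Added example (not from the original post): read-only inventory supporting
# the May patch-deployment and DNS-exposure recommendations.
[CmdletBinding()]
param(
    # Assumed cutoff: updates installed on or after this date count as this cycle.
    [datetime]$PatchCycleStart = (Get-Date '2026-05-01'),
    # Constructed allowlist of internal resolvers; replace with your own.
    [string[]]$ApprovedDnsServers = @('10.0.0.53', '10.0.1.53')
)

function Get-RecentHotfixes {
    param([datetime]$Since)
    # Get-HotFix reads Win32_QuickFixEngineering: OS and servicing-stack updates,
    # not Click-to-Run Office builds. InstalledOn can be null, so guard for it.
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn
}

function Get-OfficeClickToRunVersion {
    # Click-to-Run Office records its build here; MSI-based installs lack the
    # key, so $null means "check Office version another way".
    $key = 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration'
    if (Test-Path $key) {
        (Get-ItemProperty -Path $key -Name VersionToReport -ErrorAction SilentlyContinue).VersionToReport
    }
}

function Test-SharePointPresent {
    # SPTimerV4 is the SharePoint Timer Service; its presence marks a SharePoint host
    # that should be near the top of the deployment queue.
    $null -ne (Get-Service -Name 'SPTimerV4' -ErrorAction SilentlyContinue)
}

function Get-UnapprovedDnsServers {
    param([string[]]$Approved)
    # Flags every IPv4 interface whose configured resolvers fall outside the allowlist.
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            $bad = $_.ServerAddresses | Where-Object { $Approved -notcontains $_ }
            if ($bad) {
                [pscustomobject]@{
                    Interface  = $_.InterfaceAlias
                    Unapproved = ($bad -join ', ')
                }
            }
        }
}

function Get-PatchCycleReport {
    param([datetime]$Since, [string[]]$Approved)
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        RecentHotfixes   = @(Get-RecentHotfixes -Since $Since)
        OfficeC2RVersion = Get-OfficeClickToRunVersion
        SharePointHost   = Test-SharePointPresent
        DnsFindings      = @(Get-UnapprovedDnsServers -Approved $Approved)
    }
}

$report = Get-PatchCycleReport -Since $PatchCycleStart -Approved $ApprovedDnsServers

"Host: $($report.ComputerName)"
"Updates installed since $($PatchCycleStart.ToShortDateString()): $($report.RecentHotfixes.Count)"
$report.RecentHotfixes | Format-Table -AutoSize
"Office Click-to-Run build: $(if ($report.OfficeC2RVersion) { $report.OfficeC2RVersion } else { 'not Click-to-Run' })"
"SharePoint timer service present: $($report.SharePointHost)"
if ($report.DnsFindings.Count -gt 0) {
    "Interfaces using resolvers outside the approved list:"
    $report.DnsFindings | Format-Table -AutoSize
} else {
    "All configured IPv4 resolvers are on the approved list."
}
```

Run it under an account that can read HKLM and the DNS client configuration (no elevation is needed for the queries themselves). A host with an empty RecentHotfixes list, a SharePoint timer service, or unapproved resolvers is one to move up the deployment schedule; the script changes nothing on the system.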
Full technical details and patch links are available in Microsoft’s Security Update Guide.
How Can Netizen Help?
Founded in 2013, Netizen is an award-winning technology firm that develops and leverages cutting-edge solutions to create a more secure, integrated, and automated digital environment for government, defense, and commercial clients worldwide. Our innovative solutions transform complex cybersecurity and technology challenges into strategic advantages by delivering mission-critical capabilities that safeguard and optimize clients’ digital infrastructure. One example of this is our popular “CISO-as-a-Service” offering that enables organizations of any size to access executive level cybersecurity expertise at a fraction of the cost of hiring internally.
Netizen also operates a state-of-the-art 24x7x365 Security Operations Center (SOC) that delivers comprehensive cybersecurity monitoring solutions for defense, government, and commercial clients. Our service portfolio includes cybersecurity assessments and advisory, hosted SIEM and EDR/XDR solutions, software assurance, penetration testing, cybersecurity engineering, and compliance audit support. We specialize in serving organizations that operate within some of the world’s most highly sensitive and tightly regulated environments where unwavering security, strict compliance, technical excellence, and operational maturity are non-negotiable requirements. Our proven track record in these domains positions us as the premier trusted partner for organizations where technology reliability and security cannot be compromised.
Netizen holds ISO 27001, ISO 9001, ISO 20000-1, and CMMI Level III SVC registrations demonstrating the maturity of our operations. We are a proud Service-Disabled Veteran-Owned Small Business (SDVOSB) certified by U.S. Small Business Administration (SBA) that has been named multiple times to the Inc. 5000 and Vet 100 lists of the most successful and fastest-growing private companies in the nation. Netizen has also been named a national “Best Workplace” by Inc. Magazine, a multiple awardee of the U.S. Department of Labor HIRE Vets Platinum Medallion for veteran hiring and retention, the Lehigh Valley Business of the Year and Veteran-Owned Business of the Year, and the recipient of dozens of other awards and accolades for innovation, community support, working environment, and growth.
Looking for expert guidance to secure, automate, and streamline your IT infrastructure and operations? Start the conversation today.