Microsoft Patch Tuesday May 2026: Vulnerabilities Fixed

Microsoft’s May 2026 Patch Tuesday arrives with a significant enterprise focus, addressing 120 vulnerabilities across its product suite. These updates span Windows, Office, Azure, developer tools, and Microsoft 365 applications, prominently featuring 29 Critical-rated remote code execution (RCE) flaws.

Unlike several recent cycles, Microsoft reports no zero‑days exploited in the wild or publicly disclosed ahead of the release, but the breadth of attack surface from DNS and Netlogon to Office and Wi‑Fi drivers means defenders cannot afford to treat this month as low risk.

Multiple Remote Code Execution Vulnerabilities

While there are no exploited zero‑day bugs this month, the most serious issues are clustered around network‑exposed and document‑driven RCE vulnerabilities that could enable full compromise if left unpatched.

High‑value targets include Microsoft Dynamics 365 on‑premises (CVE‑2026‑42898, CVE‑2026‑42833), multiple Microsoft Office and Word RCEs (for example CVE‑2026‑42831, CVE‑2026‑40363, CVE‑2026‑40358, several Word‑specific CVEs), Windows DNS Client (CVE‑2026‑41096), Netlogon (CVE‑2026‑41089), Windows Graphics/Win32k (CVE‑2026‑40403), Windows GDI (CVE‑2026‑35421), Windows Native Wi‑Fi Miniport (CVE‑2026‑32161), and Microsoft SharePoint Server (CVE‑2026‑40365 and related CVEs).

Many of these live in components routinely exposed to untrusted content network traffic, Office documents, or browser‑like rendering paths, making them prime candidates for phishing and lateral‑movement campaigns.

Windows Core Networking, Kernel, and Virtualization Flaws

On the platform side, multiple vulnerabilities hit Windows networking and kernel‑mode components, raising the stakes for domain‑joined and internet‑facing systems.

Windows DNS Client RCE (CVE‑2026‑41096) and Netlogon RCE (CVE‑2026‑41089) stand out: successful exploitation could allow unauthenticated or low‑privileged attackers to execute code in highly sensitive parts of the Windows authentication and name resolution stack, echoing the impact category of historical bugs like SigRed and Zerologon.

Additional RCE and elevation‑of‑privilege vulnerabilities are scattered across TCP/IP, the Volume Manager Extension driver, kernel‑mode drivers, Win32k, GDI, and the Cloud Files and Telephony subsystems, increasing the potential for chainable exploits.

Windows Hyper‑V (CVE‑2026‑40402, rated Critical) also receives a privilege‑escalation fix, which is particularly important for multi‑tenant and private cloud environments where a guest‑to‑host escape could have an outsized blast radius.

Multiple Secure Boot and security‑feature bypass bugs, including in TCP/IP and Secure Boot itself, underline that attackers continue to probe Microsoft’s defensive controls rather than only its application logic.

Copilot, VS Code, and Azure Flaws

This Patch Tuesday also highlights how deeply AI and cloud‑connected development have been embedded into the enterprise attack surface.

Microsoft patches spoofing and security‑feature bypass issues in M365 Copilot for Desktop and Android, GitHub Copilot with Visual Studio, and Azure Machine Learning notebooks, raising concerns about prompt‑driven social engineering, data exfiltration, or malicious content injection via trusted AI interfaces.

While these flaws are rated Important rather than Critical, compromise of AI assistants that sit close to source code, documents, and chat histories could magnify the impact of otherwise “medium‑risk” bugs.

Developer tooling is another recurring theme. Visual Studio Code receives a cluster of fixes covering elevation of privilege, information disclosure, RCE, and security feature bypass (CVE‑2026‑41613 through CVE‑2026‑41610 and CVE‑2026‑41109), while .NET and ASP.NET Core patches address elevation of privilege, tampering, and denial‑of‑service conditions.

Azure Monitor Agent, Logic Apps, Connected Machine Agent, Windows Admin Center (including Azure Portal integration), and Dynamics 365 Business Central all feature in this month’s bulletin, confirming that Azure‑centric and hybrid‑cloud operators need to treat May’s updates as high priority.

Given the scale of changes, security teams should start by prioritizing internet‑facing and high‑value services: patch Microsoft Dynamics 365 on‑prem, SharePoint, and Office/Word RCEs, followed by Windows DNS Client, Netlogon, Windows GDI/Win32k graphics components, and the Native Wi‑Fi Miniport driver.

Organizations with significant virtualized workloads should schedule maintenance windows for Hyper‑V updates, and those relying on Copilot, Teams, and Azure‑based automation should not overlook AI‑ and workflow‑related fixes, even when severity is marked as Important.

Vulnerability Details

Other Patch Tuesday Updates

• Fortinet Patches Five Vulnerabilities Across FortiAP, FortiOS, and Enterprise Products
• Ivanti Patches Multiple Vulnerabilities in Secure Access, Xtraction, vTM and Endpoint Manager
• Zoom Rooms and Workplace Vulnerabilities Allow Attackers to Escalate Privileges
• SAP Patches Critical SQL injection Vulnerability in SAP S/4HANA

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.