SOCRadar® Cyber Intelligence Inc. | May 2026 Patch Tuesday: 137 Vulnerabilities, No Zero-Days
May 13, 2026

May 2026 Patch Tuesday: 137 Vulnerabilities, No Zero-Days

Microsoft released its May 2026 Patch Tuesday security updates, resolving a total of 137 vulnerabilities across Windows and a broad range of Microsoft products and components. Unlike the previous several months, this release contains no zero-day vulnerabilities – neither actively exploited nor publicly disclosed prior to today’s patch.

Of the 137 vulnerabilities patched, 30 are rated Critical severity. Elevation of Privilege vulnerabilities once again dominated the release. The full breakdown by vulnerability type is as follows:

No Zero-Days in May 2026 Patch Tuesday

The May 2026 Patch Tuesday release is notable for what it does not contain: there are no vulnerabilities marked as actively exploited in the wild, and none that were publicly disclosed ahead of today’s patch. The last time Microsoft shipped a zero-day-free Patch Tuesday was June 2024. Security teams can take a relative breath on the emergency triage front, but the breadth of the patch set still demands prompt attention, particularly across networking, Office, and cloud-adjacent services.

Critical Vulnerabilities in May 2026 Patch Tuesday

Microsoft addressed 30 Critical-severity vulnerabilities as part of this month’s updates. Highlights include:

  • CVE-2026-42826 (CVSS 10.0) – Azure DevOps Information Disclosure Vulnerability (no customer action required)
  • CVE-2026-33109 (CVSS 9.9) – Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability (no customer action required)
  • CVE-2026-42898 (CVSS 9.9) – Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability
  • CVE-2026-41096 (CVSS 9.8) – Windows DNS Client Remote Code Execution Vulnerability
  • CVE-2026-41089 (CVSS 9.8) – Windows Netlogon Remote Code Execution Vulnerability
  • CVE-2026-35428 (CVSS 9.6) – Azure Cloud Shell Spoofing Vulnerability (no customer action required)
  • CVE-2026-33823 (CVSS 9.6) – Microsoft Team Events Portal Information Disclosure Vulnerability (no customer action required)
  • CVE-2026-40379 (CVSS 9.3) – Microsoft Enterprise Security Token Service (ESTS) Spoofing Vulnerability (no customer action required)
  • CVE-2026-40402 (CVSS 9.3) – Windows Hyper-V Elevation of Privilege Vulnerability
  • CVE-2026-41103 (CVSS 9.1) – Microsoft SSO Plugin for Jira & Confluence Elevation of Privilege Vulnerability
  • CVE-2026-33844 (CVSS 9.0) – Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability (no customer action required)

CVE-2026-42826 – Azure DevOps Information Disclosure (CVSS 10.0)

The month’s highest CVSS score belongs to CVE-2026-42826, an Information Disclosure vulnerability in Azure DevOps rated a perfect 10.0. Microsoft has marked it as requiring no customer action because the fix is handled on the service side, but a 10.0 score stated on the Microsoft advisory is difficult to overlook. As Redmond noted, the score alone should be a strong signal for organizations storing or handling sensitive data in Azure DevOps to verify their exposure and monitor for any related guidance from Microsoft.

Details of CVE-2026-42826 (SOCRadar Vulnerability Intelligence)

CVE-2026-33109 & CVE-2026-42898 – Azure Cassandra and Dynamics 365 RCEs (CVSS 9.9)

Two vulnerabilities share a CVSS score of 9.9, the highest of the month after the perfect 10.0 Azure DevOps flaw above. Of the two, only the Dynamics 365 flaw requires customer action.

CVE-2026-33109 is a Critical Remote Code Execution vulnerability in Azure Managed Instance for Apache Cassandra. Microsoft has marked it as requiring no customer action, as the fix is applied on the service side, but given the 9.9 score and the sensitivity of data typically stored in managed database services, organizations should verify their deployments and monitor for any further guidance. A companion CVE, CVE-2026-33844 (CVSS 9.0), addresses a related flaw in the same service.

Details of CVE-2026-33109 (SOCRadar Vulnerability Intelligence)

CVE-2026-42898 is a code injection flaw in Dynamics 365 On-Premises that does require customer action. An attacker with only low privileges can exploit it over the network to execute code in a way that breaks out of the vulnerable component’s security scope. A successful compromise could expose customer records, financial data, connected workflows, and business-critical systems. Organizations running on-premises Dynamics 365 should treat this as an urgent patch priority.

Details of CVE-2026-42898 (SOCRadar Vulnerability Intelligence)

The remaining Critical vulnerabilities span a wide range of products and components, including unauthenticated Windows networking RCEs, privilege escalation flaws in Hyper-V and the Windows kernel, Word and Office document-based RCEs triggerable via the Outlook Preview Pane, and a cluster of Azure service-side fixes such as Azure Machine Learning, Azure AI Foundry, and M365 Copilot information disclosure vulnerabilities – most of which require no customer action.

High-Risk Vulnerabilities to Watch in May 2026 Patch Tuesday

Beyond the Critical-rated vulnerabilities, Microsoft assessed the following as Exploitation More Likely, indicating an elevated probability of near-term weaponization:

  • CVE-2026-33835 (CVSS 7.8) – Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
  • CVE-2026-33837 (CVSS 7.8) – Windows TCP/IP Local Elevation of Privilege Vulnerability
  • CVE-2026-33840 (CVSS 7.8) – Win32k Elevation of Privilege Vulnerability
  • CVE-2026-33841 (CVSS 7.8) – Windows Kernel Elevation of Privilege Vulnerability
  • CVE-2026-35416 (CVSS 7.0) – Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
  • CVE-2026-35417 (CVSS 7.8) – Windows Win32k Elevation of Privilege Vulnerability
  • CVE-2026-35435 (CVSS 8.6) – Azure AI Foundry Elevation of Privilege Vulnerability
  • CVE-2026-40361 (CVSS 8.4) – Microsoft Word Remote Code Execution Vulnerability
  • CVE-2026-40364 (CVSS 8.4) – Microsoft Word Remote Code Execution Vulnerability
  • CVE-2026-40369 (CVSS 7.8) – Windows Kernel Elevation of Privilege Vulnerability
  • CVE-2026-40397 (CVSS 7.8) – Windows Common Log File System Driver Elevation of Privilege Vulnerability
  • CVE-2026-40398 (CVSS 7.8) – Windows Remote Desktop Services Elevation of Privilege Vulnerability
  • CVE-2026-41103 (CVSS 9.1) – Microsoft SSO Plugin for Jira & Confluence Elevation of Privilege Vulnerability

The majority of these are local Elevation of Privilege vulnerabilities that allow an authenticated attacker to obtain SYSTEM-level access. Components such as Win32k, the Windows Kernel, and the Cloud Files Mini Filter Driver frequently appear in multi-stage intrusion chains as post-initial-access privilege escalation steps. The CVE-2026-41103 SSO Plugin flaw stands apart: with a CVSS of 9.1 and a network-accessible attack vector, an unauthenticated attacker could exploit this during the login process by sending a crafted response message, making it more immediately dangerous than the local EoP entries on this list.

The TCP/IP and Windows Netlogon RCEs, combined with the wormable characteristics noted by researchers, mean that network segmentation and prompt patching are the primary mitigations available. Organizations with internet-exposed Windows services or large domain controller footprints should treat the full networking subsystem cluster (TCP/IP, DNS Client, Netlogon) as a single high-priority patching block.

Continuous Exposure Management for Patch Tuesday and Beyond

Patch Tuesday creates a predictable surge in remediation workload, but the risk does not end when updates are deployed. Incomplete patch rollouts, newly exposed assets, and rapidly evolving exploit activity mean that security teams need ongoing visibility – not just a monthly checklist.

SOCRadar’s Attack Surface Management module continuously monitors your external-facing infrastructure for unpatched or newly exposed assets, helping ensure that high-severity fixes like this month’s DNS Client and Netlogon RCEs are verified at the perimeter, not just assumed. The Cyber Threat Intelligence module tracks exploit development and threat actor discussions around newly disclosed vulnerabilities, giving analysts early warning when a patch-or-die situation is developing.

SOCRadar’s Vulnerability Intelligence

From prioritization through validation, SOCRadar helps security teams close the loop on Patch Tuesday every month.

Apply Microsoft’s Security Updates for May 2026

Microsoft’s May 2026 Patch Tuesday security updates address vulnerabilities across a broad set of widely deployed products and components, several of which are directly exposed to network-based or document-based attack paths. Systems affected by these flaws should be patched without delay, with priority given to:

  • Domain Controllers, which are exposed to the wormable Netlogon RCE (CVE-2026-41089, CVSS 9.8); half-patched environments represent an indefensible exposure
  • Windows DNS Client deployments across the enterprise, given the unauthenticated, network-accessible heap overflow in CVE-2026-41096 (CVSS 9.8)
  • Microsoft Dynamics 365 On-Premises servers, due to the scope-change RCE in CVE-2026-42898 (CVSS 9.9)
  • Hyper-V hosts running multi-tenant or untrusted workloads, affected by the Critical EoP CVE-2026-40402 (CVSS 9.3)
  • Office and Word environments where document-based exploitation via the Preview Pane is a risk, particularly CVE-2026-40361 and CVE-2026-40364
  • Atlassian-integrated environments using the Microsoft SSO Plugin for Jira & Confluence, affected by the near-Critical CVE-2026-41103 (CVSS 9.1)
  • Endpoints running Win32k, Windows Kernel, and Cloud Files Mini Filter Driver components flagged as Exploitation More Likely
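The following is an added example, not SOCRadar's or Microsoft's code: it parses the Critical highlights bulleted earlier on this page, drops the entries marked "no customer action required", and orders what is left for patching. Ordering by CVSS score and the names `parse` and `patch_queue` are assumptions of the example; the bullet text and the Exploitation More Likely IDs are copied from this page.

```python
import re

# The Critical highlights exactly as bulleted on this page (sample input).
CRITICAL_HIGHLIGHTS = """\
CVE-2026-42826 (CVSS 10.0) – Azure DevOps Information Disclosure Vulnerability (no customer action required)
CVE-2026-33109 (CVSS 9.9) – Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability (no customer action required)
CVE-2026-42898 (CVSS 9.9) – Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability
CVE-2026-41096 (CVSS 9.8) – Windows DNS Client Remote Code Execution Vulnerability
CVE-2026-41089 (CVSS 9.8) – Windows Netlogon Remote Code Execution Vulnerability
CVE-2026-35428 (CVSS 9.6) – Azure Cloud Shell Spoofing Vulnerability (no customer action required)
CVE-2026-33823 (CVSS 9.6) – Microsoft Team Events Portal Information Disclosure Vulnerability (no customer action required)
CVE-2026-40379 (CVSS 9.3) – Microsoft Enterprise Security Token Service (ESTS) Spoofing Vulnerability (no customer action required)
CVE-2026-40402 (CVSS 9.3) – Windows Hyper-V Elevation of Privilege Vulnerability
CVE-2026-41103 (CVSS 9.1) – Microsoft SSO Plugin for Jira & Confluence Elevation of Privilege Vulnerability
CVE-2026-33844 (CVSS 9.0) – Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability (no customer action required)
"""
# IDs this page lists as "Exploitation More Likely".
MORE_LIKELY = {
    "CVE-2026-33835", "CVE-2026-33837", "CVE-2026-33840", "CVE-2026-33841",
    "CVE-2026-35416", "CVE-2026-35417", "CVE-2026-35435", "CVE-2026-40361",
    "CVE-2026-40364", "CVE-2026-40369", "CVE-2026-40397", "CVE-2026-40398",
    "CVE-2026-41103",
}

BULLET = re.compile(
    r"^\W*(CVE-\d{4}-\d{4,}) \(CVSS (\d+\.\d)\) [–-] (.+?)"
    r"(?P<svc> \(no customer action required\))?$")

def parse(text):
    """Parse advisory bullets into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = BULLET.match(line.strip())
        if m:
            rows.append({"cve": m[1], "cvss": float(m[2]), "title": m[3],
                         "service_side": m["svc"] is not None,
                         "more_likely": m[1] in MORE_LIKELY})
    return rows

def patch_queue(rows):
    """Customer-actionable entries only, highest CVSS first (stable for ties)."""
    todo = [r for r in rows if not r["service_side"]]
    return sorted(todo, key=lambda r: -r["cvss"])

if __name__ == "__main__":
    for r in patch_queue(parse(CRITICAL_HIGHLIGHTS)):
        flag = "  [Exploitation More Likely]" if r["more_likely"] else ""
        print(f'{r["cvss"]:>4}  {r["cve"]}  {r["title"]}{flag}')
```

Six of the eleven highlighted entries are service-side fixes, so the queue a patching team actually owns from that list is five items, one of which also carries the Exploitation More Likely assessment.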

In addition to the 137 Microsoft CVEs covered here, this month’s release is accompanied by a large volume of third-party updates, including fixes for Chromium vulnerabilities affecting Microsoft Edge. Organizations running Edge should ensure browser updates are current as well.

See Microsoft’s May 2026 release notes for the full details of patched CVEs.