Intel and AMD Patch 70 Vulnerabilities in May 2026 Patch Tuesday
Intel and AMD released May 2026 Patch Tuesday advisories addressing 70 vulnerabilities, including critical flaws in data center graphics drivers and GPU metrics exporters.

Intel and AMD have released over two dozen advisories on May 2026 Patch Tuesday, addressing 70 vulnerabilities across their product portfolios.
Intel published 13 advisories describing 24 security defects, including one critical and eight high-severity flaws. The critical bug, tracked as CVE-2026-20794 (CVSS score of 9.3), is a buffer overflow in the Data Center Graphics Driver for VMware ESXi that could be exploited for privilege escalation and potentially code execution. Intel's update also resolves two high-severity out-of-bounds write and read weaknesses that could lead to denial-of-service (DoS) conditions and data corruption or disclosure.
The chip maker also addressed high-severity vulnerabilities in Vision software, Endpoint Management Assistant (EMA), UEFI firmware for the Slim Bootloader, and QuickAssist Technology (QAT) software drivers for Windows. Successful exploitation could lead to DoS conditions, privilege escalation, and potentially arbitrary code execution. The remaining security defects are medium-severity bugs affecting AI Playground, Display Virtualization for Windows driver, 800 Series Ethernet Linux driver, NPU drivers, UEFI firmware, Server Firmware Update Utility, QAT drivers for Windows, and some Intel processors.
AMD published 15 advisories covering 45 vulnerabilities, including one critical-severity flaw and two dozen high-severity issues. Tracked as CVE-2026-0481 (CVSS score of 9.2), the critical bug impacts the AMD Device Metrics Exporter (ROCm ecosystem), which exposes port 50061 on all network interfaces by default, allowing unauthenticated users to access the GPU-Agent gRPC server. AMD explains that unrestricted IP address binding could allow a remote attacker to perform unauthorized changes to GPU configuration, potentially resulting in loss of availability.
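To check whether a host still has the default bind described above, the following added example (not code from AMD or from the original article) parses the Linux /proc/net/tcp and /proc/net/tcp6 socket tables and reports whether a listener on port 50061 is bound to the wildcard address. It assumes a little-endian Linux host; the sample tables and the names find_listeners and decode_addr are constructed for illustration.

```python
import ipaddress
from pathlib import Path

EXPORTER_PORT = 50061  # port the article names for CVE-2026-0481
LISTEN = "0A"          # TCP LISTEN state code in /proc/net/tcp

# Constructed samples in /proc/net/tcp{,6} layout (not captured from a real host).
SAMPLE_EXPOSED = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:C38D 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 41001
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 20114
   2: 0A00000A:C38D 1400000A:D2F0 01 00000000:00000000 00:00000000 00000000     0        0 41377
"""
SAMPLE_LOOPBACK = """\
   0: 0100007F:C38D 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 41001
   1: 00000000000000000000000001000000:C38D 00000000000000000000000000000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 41002
"""

def decode_addr(hex_addr):
    """Kernel prints each 32-bit word in host byte order; little-endian host assumed."""
    raw = bytes.fromhex(hex_addr)
    return ipaddress.ip_address(b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4)))

def find_listeners(table, port=EXPORTER_PORT):
    """Return (address, bound_to_all_interfaces) for each LISTEN socket on `port`."""
    found = []
    for line in table.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].endswith(":"):
            continue  # header or malformed row
        addr_hex, port_hex = fields[1].rsplit(":", 1)
        if fields[3] != LISTEN or int(port_hex, 16) != port:
            continue  # established connections and other ports are not the finding
        addr = decode_addr(addr_hex)
        found.append((str(addr), addr.is_unspecified))
    return found

if __name__ == "__main__":
    files = [p for p in (Path("/proc/net/tcp"), Path("/proc/net/tcp6")) if p.exists()]
    tables = [p.read_text() for p in files] or [SAMPLE_EXPOSED]
    for table in tables:
        for addr, exposed in find_listeners(table):
            print(f"{addr}:{EXPORTER_PORT} ->", "ALL INTERFACES" if exposed else "restricted bind")
```

When the exporter runs in a container, run the check inside that container's network namespace, since the host's /proc/net tables will not list its sockets.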
AMD has addressed high-severity weaknesses within Secure Processor (ASP), general-purpose input/output controller (GPIO), Revenera InstallShield, Ionic cloud driver for ESXi, RAID driver, chipset drivers, CPU operation cache on Zen 2-based products, graphics and datacenter accelerator products, EPYC and EPYC Embedded processor platforms, and some optional software tools. Successful exploitation could lead to privilege escalation, arbitrary code execution, and arbitrary read/write access to victim VM/process data.
Organizations using affected Intel and AMD products should prioritize applying the available patches. The critical nature of CVE-2026-20794 and CVE-2026-0481, both with CVSS scores above 9.0, underscores the urgency for data center and cloud environments. Administrators should also review the full list of advisories for other high-severity issues that may impact their specific deployments.