May 2026 Patch Tuesday: Microsoft Fixes 137 Fixes, No Zero-Days, but Critical Word and GDI Flaws Demand Urgent Patching
Microsoft's May 2026 Patch Tuesday addresses 137 vulnerabilities, 31 critical, with no zero-days exploited in the wild, but two critical remote code execution flaws in Microsoft Word and Windows GDI require immediate attention.
Microsoft released its May 2026 Patch Tuesday update, fixing 137 security vulnerabilities, 31 of which are rated critical. Notably, none of the patching this month includes no zero-days that have been actively exploited in the wild. However, security experts warn that the sheer volume of critical remote code execution (RCE) bugs across Windows, Office, Azure, SharePoint, and graphics components means attackers who trick users into opening malicious documents or connecting to malicious services could still gain full system control.
Two vulnerabilities stand out as particularly dangerous. The first is CVE-2026-40361, a critical use-after-free vulnerability in Microsoft Word with a CVSS score of 8.4. Use-after-free flaws occur when a program fails to clear a pointer to freed memory, allowing an attacker to manipulate the program. If a user opens or even previews a specially crafted Word document, an attacker can execute arbitrary code with the current user's privileges, potentially installing malware, stealing credentials, or moving laterally through a network.
The second critical flaw is CVE-2026-35421, a heap-based buffer overflow in Windows Graphics Device Interface (GDI) with a CVSS score of 7.8. This vulnerability requires a user interaction vulnerability requires a victim to open a specially crafted Enhanced Metafile (EMF) file using Microsoft Paint. Once triggered, the overflow can lead to full system compromise. Microsoft notes that the affected graphics functionality is in a core Windows component, making this a high-priority fix for all Windows users.
Beyond these two highlighted bugs, the Patch Tuesday release includes critical RCE fixes across multiple product families. Azure, SharePoint, and various Windows services all received patches for vulnerabilities that could allow an attacker to execute code remotely without authentication in some cases. The absence of zero-days is a positive sign, but the breadth of critical flaws means organizations should treat this update as urgent.
Microsoft has not observed any of the patched vulnerabilities being exploited in production environments, but the company advises all users to apply updates immediately. The update is available through Windows Update, and users can check for updates by navigating to Settings > Windows Update > Check for updates. Restarting the system after installation is required to complete the patching process.
This month's release underscores the ongoing challenge of maintaining security across Microsoft's vast ecosystem. While the lack of zero-days is welcome, the 31 critical vulnerabilities—many of which require only user interaction to trigger RCE—demonstrate that attackers continue to target common user actions like opening documents or viewing images. Organizations should prioritize patching for Office and graphics components, especially in environments where users frequently handle untrusted files.
For home users, the steps are straightforward: ensure Windows Update is set to automatically install updates, or manually check for updates as described above. For enterprise administrators, testing and deploying these patches should be a top priority, particularly for systems that handle sensitive data or are exposed to external email and web traffic. The full list of CVEs is available in the Microsoft Security Response Center (MSRC) release notes.