Microsoft May 2026 Patch Tuesday Fixes 120 Flaws, No Zero-Days
Microsoft's May 2026 Patch Tuesday addresses 120 vulnerabilities, including 17 critical flaws, with no zero-days disclosed this month.
Microsoft released its May 2026 Patch Tuesday updates today, fixing 120 vulnerabilities across its product portfolio. The update includes 17 critical-severity flaws, 14 of which are remote code execution vulnerabilities, along with two elevation of privilege bugs and one information disclosure issue. Notably, Microsoft disclosed no zero-day vulnerabilities in this month's release.
The most significant fixes include multiple Microsoft Office remote code execution vulnerabilities that can be triggered simply by opening a malicious file in the preview pane. This attack vector makes the flaws particularly dangerous for organizations that frequently handle email attachments. Microsoft strongly recommends updating Office immediately, especially for users who commonly receive attachments.
Other notable vulnerabilities include CVE-2026-35421, a Windows GDI remote code execution flaw that can be exploited by opening a malicious Enhanced Metafile (EMF) file in Microsoft Paint. CVE-2026-40365 is a SharePoint Server remote code execution vulnerability that allows an authenticated attacker to execute code remotely on a SharePoint server. CVE-2026-41096 affects the Windows DNS Client, where an attacker-controlled DNS server can send a specially crafted DNS response to corrupt memory and achieve remote code execution.
The full breakdown of bug categories includes 61 elevation of privilege vulnerabilities, 31 remote code execution flaws, 14 information disclosure bugs, 13 spoofing vulnerabilities, 8 denial of service issues, and 6 security feature bypass vulnerabilities. These numbers exclude flaws fixed earlier this month in Mariner, Azure, Copilot, Microsoft Teams, and Microsoft Partner Center, as well as 131 Microsoft Edge/Chromium flaws addressed by Google.
Several other vendors also released security updates this month. Adobe patched vulnerabilities in After Effects, Premiere Pro, Media Encoder, Commerce, and Illustrator. Apple updated macOS, iOS, watchOS, iPadOS, visionOS, and tvOS. Cisco addressed multiple product flaws including a denial of service issue requiring manual system reboots. Fortinet fixed two critical flaws in FortiSandbox and FortiAuthenticator. Google's Android May security bulletin addressed 10 vulnerabilities. Ivanti patched a high-severity Endpoint Manager Mobile remote code execution vulnerability that had been exploited in zero-day attacks. Mozilla fixed five Firefox vulnerabilities. Palo Alto Networks warned of a critical PAN-OS User-ID Authentication Portal flaw exploited as a zero-day, though patches remain unavailable. SAP released fixes for one high-severity and two critical flaws.
While the absence of zero-days is a positive sign, the sheer volume of critical remote code execution vulnerabilities, particularly those exploitable via the preview pane, underscores the importance of prompt patching. IT and security administrators should prioritize deploying these updates, especially for Microsoft Office and Windows DNS Client, to mitigate the risk of exploitation.