VYPR
Patch · Published May 12, 2026 · Updated May 18, 2026 · 1 source

Microsoft May 2026 Patch Tuesday Fixes 137 Flaws, 31 Critical, No Active Exploitation Observed

Microsoft's May 2026 Patch Tuesday addresses 137 vulnerabilities, 31 rated critical, with no known active exploitation, including remote code execution flaws in Windows Netlogon, Native WiFi Miniport Driver, and Azure Managed Instance for Apache Cassandra.

Microsoft released its monthly security update for May 2026, addressing 137 vulnerabilities across its product portfolio, 31 of which are rated critical. In a positive sign for defenders, Microsoft has not observed any of the included vulnerabilities being actively exploited in the wild. The update spans a wide range of products, including Windows, Office, Azure, SharePoint, and Dynamics 365, with remote code execution (RCE) vulnerabilities dominating the critical list.

Among the most notable critical flaws is CVE-2026-41089, a stack-based buffer overflow in Windows Netlogon that allows an unauthenticated attacker to execute code over a network. An attacker could send a specially crafted network request to a Windows server acting as a domain controller, potentially causing the Netlogon service to improperly handle the request and run arbitrary code without requiring authentication. This vulnerability is particularly concerning given Netlogon's role in domain authentication and its history of critical flaws.

CVE-2026-32161 is a critical use-after-free vulnerability in the Windows Native WiFi Miniport Driver, enabling an unauthorized attacker to execute code over an adjacent network. The flaw involves a race condition: concurrent execution using a shared resource with improper synchronization. This vulnerability could be leveraged in attacks against enterprise environments where wireless networks are prevalent.

Several critical vulnerabilities affect Microsoft Office and Word, including CVE-2026-40358, CVE-2026-40361, CVE-2026-40366, and CVE-2026-40367, all of which are use-after-free or untrusted pointer dereference flaws allowing local code execution. CVE-2026-40363 and CVE-2026-40364 are heap-based buffer overflows in Office and Word respectively, with the latter involving type confusion. These vulnerabilities typically require user interaction, such as opening a malicious file.

In the Azure space, CVE-2026-33109 and CVE-2026-33844 are critical access control and input validation flaws in Azure Managed Instance for Apache Cassandra, both allowing an authorized attacker to execute code over a network. CVE-2026-40365 is a critical SharePoint vulnerability where an authenticated attacker with at least Site Owner privileges could inject and execute code remotely on the SharePoint Server. CVE-2026-40403 is a critical heap-based buffer overflow in Windows Win32K – GRFX that could lead to a contained execution environment escape, particularly dangerous in Remote Desktop scenarios where an attacker-controlled server could trigger RCE on a connecting client.

CVE-2026-35421 is a critical heap-based buffer overflow in Windows GDI that requires a user to open a specially crafted Enhanced Metafile (EMF) file using Microsoft Paint. CVE-2026-41096 is a critical heap-based overflow in Windows DNS Client, exploitable by sending a crafted DNS response to a vulnerable system. CVE-2026-42831 is a critical heap-based buffer overflow in Office for Android, requiring user interaction to open a malicious file. CVE-2026-42898 is a critical code injection vulnerability in Microsoft Dynamics 365 (on-premises), allowing an authorized attacker to modify process session state and trigger malicious code execution.

Microsoft also highlighted several 'important' vulnerabilities deemed 'more likely' to be exploited, including CVE-2026-33835 (Windows Cloud Files Mini Filter Driver EoP), CVE-2026-33837 (Windows TCP/IP EoP), CVE-2026-33840 (Win32k EoP), CVE-2026-33841 (Windows Kernel EoP), and CVE-2026-35416 (Windows Ancillary Function Driver for WinSock EoP). While no active exploitation has been detected, the sheer volume of critical RCE flaws across core Windows components, Office, and cloud services underscores the importance of prioritizing this month's patches. Cisco Talos has released Snort rules to detect exploitation attempts against several of these vulnerabilities.

Synthesized by Vypr AI