Microsoft May 2026 Patch Tuesday Fixes 137 Vulnerabilities, No Zero-Days Exploited
Microsoft's May 2026 Patch Tuesday addresses 137 vulnerabilities, including a preauthentication RCE in Netlogon and an EoP in the SSO plugin for Jira and Confluence, with no publicly disclosed or exploited bugs.

Microsoft released its May 2026 Patch Tuesday update, fixing 137 vulnerabilities across Windows, Office, Azure, .NET, and Windows components. The update also includes 137 Chromium-related fixes for Microsoft Edge. Notably, none of the vulnerabilities were publicly disclosed or exploited in the wild at the time of release, a relatively rare occurrence for a Patch Tuesday cycle.
Among the most significant fixes is CVE-2026-41089, a preauthentication remote code execution vulnerability in the Netlogon service. Netlogon has historically been a high-value target for attackers, as seen with the infamous Zerologon (CVE-2020-1472) exploit. While Microsoft has not disclosed technical details, the preauthentication nature of the flaw means an unauthenticated attacker could potentially execute code on a domain controller without credentials, making it a prime candidate for exploit development.
Another notable patch addresses CVE-2026-41103, an elevation of privilege vulnerability in the Microsoft SSO Plugin for Jira and Confluence. Given the ongoing wave of supply chain attacks targeting CI/CD and development tools, this vulnerability is particularly concerning. An attacker who gains initial access to a developer environment could leverage this flaw to escalate privileges and pivot deeper into the software supply chain.
The update also includes critical patches for Azure services, including Azure DevOps (CVE-2026-42826, CVSS 10.0), Azure Managed Instance for Apache Cassandra (CVE-2026-33109 and CVE-2026-33844, CVSS 9.9 and 9.0), and Azure AI Foundry (CVE-2026-35435, CVSS 8.6). Many Azure vulnerabilities are labeled as 'no customer action required,' meaning Microsoft has already mitigated them server-side. However, several on-premises and hybrid components require immediate patching.
Office and .NET vulnerabilities are also addressed, including multiple remote code execution flaws in Microsoft Excel (CVE-2026-40359, CVE-2026-40362) and critical RCE flaws in Microsoft Office (CVE-2026-40363, CVE-2026-42831, CVE-2026-40358). The .NET ecosystem receives patches for tampering and denial-of-service vulnerabilities (CVE-2026-32175, CVE-2026-42899).
Microsoft also patched CVE-2026-41095, an elevation of privilege vulnerability in Data Deduplication, and CVE-2026-40377 in Cryptographic Services. While these are rated Important, they could be chained with other bugs for full system compromise.
The absence of any exploited zero-days this month may provide some relief for security teams, but the sheer volume of patches, particularly the Netlogon RCE and the SSO plugin flaw, demands prioritized deployment. Administrators should focus on domain controllers and Atlassian-integrated environments, treating CVE-2026-41089 and CVE-2026-41103 as top priorities.
As always, organizations should test and deploy these updates promptly, especially for internet-facing systems and critical infrastructure. The full list of CVEs and their severity ratings is available in the SANS ISC diary.