Microsoft May 2026 Patch Tuesday Fixes Over 120 CVEs, Including Critical Word RCE and Hyper-V Escape
Microsoft's May 2026 Patch Tuesday addresses over 120 vulnerabilities with no zero-days, but includes critical Word RCE bugs exploitable via the Preview Pane and a Hyper-V guest-to-host escape.
Microsoft released its May 2026 Patch Tuesday update on May 12, fixing more than 120 CVE-numbered vulnerabilities. Notably, none of the flaws are publicly disclosed publicly or known to be actively exploited, a departure from recent months. However, security researchers are urging organizations to prioritize several high-impact patches that could enable remote code execution or privilege escalation.
Among the most concerning fixes are four critical remote code execution bugs in Microsoft Word. Two of these, CVE-2026-40361 and CVE-2026-40364, have been flagged by Microsoft as more likely to be exploited. According to Satnam Narang, senior staff research engineer at Tenable, these flaws can be triggered simply by viewing a malicious document in the Preview Pane—no user interaction beyond opening an email is required. "Therefore, patching is the most reliable way to protect against flaws like these," Narang said.
Another critical vulnerability is CVE-2026-41089, a stack-based buffer overflow in Windows Netlogon that could lead to remote code execution on domain controllers. Jason Kikta, CTO at Automox, warned that "half-patched forests are not a defensible state for a pre-auth DC bug." The flaw can be exploited by sending a specially crafted network request to a Windows server acting as a domain controller, without requiring authentication. Kikta also recommended restricting Netlogon traffic at the network layer.
CVE-2026-40402 is an elevation of privilege vulnerability in Hyper-V, Windows' built-in hypervisor. It could allow a malicious guest virtual machine to force the host kernel to read from an attacker-controlled memory address, potentially enabling a guest-to-host escape. Although Microsoft assessed the exploit likelihood as lower, Kikta advised patching multi-tenant VDI, on-premises virtualization with untrusted workloads, and any Hyper-V host running guests not fully under the organization's control.
Finally, CVE-2026-41096 is a remote code execution vulnerability in the Windows DNS Client. An attacker with a man-in-the-middle position or control of a rogue DNS server could send a crafted DNS response to trigger unauthenticated RCE on any Windows machine. Dustin Childs of Trend Micro's Zero Day Initiative, noted that since the DNS Client runs on virtually every Windows system, the attack surface is enormous. "Any Windows host issuing a compromised resolver," Kikta added.
Organizations should prioritize these patches immediately, especially for domain controllers, Hyper-V hosts, and all Windows endpoints. While the absence of zero-days is welcome, the severity of these vulnerabilities—particularly the Word Preview Pane bugs and the Netlogon buffer overflow—demands urgent attention to prevent potential widespread exploitation.