Microsoft Patches 137 Vulnerabilities in May 2026 Patch Tuesday, Including Critical SSO Flaw and Word RCE Bugs
Microsoft's May 2026 Patch Tuesday addresses 137 vulnerabilities, including a critical privilege escalation flaw in the Microsoft SSO Plugin for Jira & Confluence and two Word RCE bugs exploitable via the Preview Pane.
Microsoft on Tuesday released its May 2026 Patch Tuesday updates, addressing 137 vulnerabilities across its product portfolio. None of the flaws have been reported as exploited in the wild, but roughly a dozen carry an exploitability rating of 'exploitation more likely,' signaling that attackers could soon weaponize them.
The most severe vulnerability is CVE-2026-41103, a critical-severity elevation-of-privilege flaw in the Microsoft SSO Plugin for Jira & Confluence. The bug stems from an incorrect implementation of the authentication algorithm, potentially allowing an attacker to gain elevated access. Microsoft urges organizations using the plugin to prioritize patching.
Two high-severity remote code execution vulnerabilities in Microsoft Word — CVE-2026-40364 (type confusion) and CVE-2026-40361 (use-after-free), both with a CVSS score of 8.4 — are flagged as 'exploitation more likely.' According to Tenable senior staff research engineer Satnam Narang, 'These flaws could be exploited by an attacker who sends a malicious document to a target. The other common thread across these vulnerabilities is that a target doesn't need to even open the document to trigger the exploit. Exploitation is possible just by viewing a malicious document in the Preview Pane. Therefore, patching is the most reliable way to protect against flaws like these.'
Beyond the Word bugs, Microsoft addressed high-severity privilege escalation issues in Windows Remote Desktop, Windows Common Log File System Driver, Windows Kernel, Azure AI Foundry, Windows Win32k, Windows Ancillary Function Driver for WinSock, Windows TCP/IP, and Windows Cloud Files Mini Filter Driver. Two additional high-severity Word weaknesses were also resolved but are considered less likely to be exploited.
Critical-severity fixes were rolled out for Dynamics 365 (on-premises), Azure Logic Apps, Windows DNS, Windows Netlogon, Windows Hyper-V, and Azure SDK. The updates also cover high-severity flaws in Copilot, .NET, Azure services, Windows kernel and kernel-mode drivers, Win32K, LDAP, SQL Server, Edge, Visual Studio Code, and various Windows components and services.
In related news, Adobe released patches for 52 vulnerabilities across 10 products, including two critical-severity code execution flaws. SAP, Cisco, Oracle, and Progress also issued security updates this month, with Oracle patching 450 vulnerabilities in its April 2026 Critical Patch Update.
Organizations should prioritize deploying the May 2026 Patch Tuesday updates, particularly for the SSO plugin and Word vulnerabilities, given the ease of exploitation via the Preview Pane. The absence of in-the-wild exploitation provides a narrow window for defenders to patch before attackers develop exploits.