Microsoft’s May 2026 May Patch Tuesday Fixes 118 CVEs, No Zero-Days Exploited for First Time Since June 2024
Microsoft’s May 2026 Patch Tuesday addresses 118 vulnerabilities, including a critical SSO plugin flaw (CVE-2026-41103) and marks the first month since June 2024 with no zero-days exploited in the wild.
Microsoft released its May 2026 Patch Tuesday update on May 12, addressing 118 CVEs — 16 rated critical and 102 important. For the first time since June 2024, none of the vulnerabilities were publicly disclosed or exploited in the wild before the patch, signaling a rare reprieve for defenders. The update spans a wide range of products, including Windows, Office, Azure, .NET, Edge, and several AI tools like Copilot and Azure AI Foundry.
The most notable critical vulnerability is CVE-2026-41103, an elevation of privilege flaw in the Microsoft SSO Plugin for Jira & Confluence. With a CVSSv3 score of 9.1, it allows an unauthenticated attacker to send a specially crafted response during login, forging an identity and bypassing Microsoft Entra ID authentication. This grants access to Jira and Confluence and Jira data, though limited by the permissions of the impersonated user. Microsoft assessed it as “Exploitation More Likely,” making it a priority for organizations using Atlassian products with Microsoft SSO.
Three Windows Kernel elevation of privilege vulnerabilities — CVE-2026-33841, CVE-2026-35420, and CVE-2026-40369 — were also patched, each rated important with CVSS 7.8. Both CVE-2026-33841 and CVE-2026-40369 are marked “Exploitation More Likely,” allowing a local attacker to escalate to SYSTEM or Medium/High integrity. These bring the total Windows Kernel EoP fixes in 2026 to 13, highlighting a persistent focus on kernel-level security.
Microsoft Word received patches for four critical remote code execution vulnerabilities: CVE-2026-40361, CVE-2026-40364, CVE-2026-40366, and CVE-2026-40367, each with a CVSS score of 8.4. Two of these — CVE-2026-40361 and CVE-2026-40364 — are considered more likely to be exploited. Attackers can trigger them via social engineering, sending malicious files that execute code when opened. Notably, the Preview Pane is an attack vector for all four, increasing the risk for users who preview documents in Outlook or File Explorer.
A critical remote code execution vulnerability in Windows Netlogon, CVE-2026-41089, was assigned a CVSSv3 score of 9.8. An unauthenticated attacker can exploit a stack-based buffer overflow by sending a crafted network request to a domain controller. Despite the severity, Microsoft assessed it as “Exploitation Less Likely,” possibly due to the complexity of reliable exploitation. Still, domain controllers remain high-value targets, and administrators should prioritize patching.
Elevation of privilege vulnerabilities dominated this month’s release, accounting for 48.3% of all patches, followed by remote code execution at 24.6%. The update also includes fixes for Azure services, GitHub Copilot, Visual Studio Code, and Windows components like DNS, LDAP, and SMB. Tenable has released plugins for all patched vulnerabilities, urging organizations to scan and update systems promptly.
This month’s absence of in-the-wild zero-days may reflect improved internal discovery or a temporary lull in attacker activity, but it does not diminish the urgency of patching. With critical flaws in widely used products like Microsoft Word, Netlogon, and the SSO plugin for Jira and Confluence, the window for attackers to reverse-engineer patches and develop exploits is narrow. As always, security teams should prioritize deployment of these updates, especially for internet-facing and domain-joined systems.