Microsoft's May 2026 Patch Tuesday Fixes 137 CVEs, No Zero-Days Exploited in the Wild
For the first time in nearly two years, Microsoft's May 2026 Patch Tuesday contained no actively exploited zero-days, but fixed 137 CVEs including two critical Office Word RCEs exploitable via the Preview Pane.

Microsoft's May 2026 Patch Tuesday marked a notable milestone: for the first time in nearly two years, the monthly security update contained no actively exploited zero-day vulnerabilities or previously disclosed flaws. The reprieve, however, came with a massive release of 137 CVEs, 13 of which Microsoft considers likely candidates for exploitation and nine of which are rated critical. The update includes two Microsoft Office Word remote code execution vulnerabilities, CVE-2026-40361 and CVE-2026-40364, both exploitable via the Preview Pane without any user interaction, which makes them particularly dangerous for enterprise environments.
The two Office Word flaws, both rated CVSS 8.4, allow an attacker to execute code locally simply by sending a maliciously crafted document. CVE-2026-40361 is a memory-related vulnerability, while CVE-2026-40364 stems from a type-confusion issue. "Outlook's reading pane has long been a common attack vector; a single incoming email can trigger exploitation without the user ever opening it," warned Amol Sarwate, head of security research at Cohesity. Because rendering in the Preview Pane requires no user interaction, these bugs rank above typical Office vulnerabilities, which usually need the victim to open the file.
Three vulnerabilities received near-maximum severity scores of 9.9 on the CVSS scale. CVE-2026-42898 is a remote code execution flaw in Microsoft Dynamics 365 On-premises that allows an authenticated attacker to execute arbitrary code without elevated privileges. Jack Bicer, director of vulnerability research at Action1, urged organizations to patch immediately: "With no user interaction required, and the potential to impact systems beyond the vulnerable component's original security scope, this vulnerability poses serious enterprise risk." The other two 9.9-rated bugs affect Azure: CVE-2026-42823 is an elevation-of-privilege vulnerability in Azure Logic Apps, and CVE-2026-33109 is an RCE in Azure Managed Instance for Apache Cassandra—though Microsoft has already fully mitigated the latter.
CVE-2026-41089, a remote code execution in Windows Netlogon, also demands priority patching. Jason Kikta, security researcher at Automox, described it as particularly concerning: "An attacker sends a crafted network request to a domain controller. No authentication required. No user interaction required." He advised organizations to monitor for unexpected crashes or service restarts on the Netlogon service and to watch for anomalous Netlogon traffic patterns from non-domain controller sources.
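One way to act on that monitoring advice on a domain controller, as an added example that is not from the article or from Microsoft's guidance: the PowerShell below pulls Service Control Manager events for unexpected Netlogon terminations and state changes from the System log. The event IDs are the standard Service Control Manager ones (7031 and 7034 for a service terminating unexpectedly, 7036 for a service entering the running or stopped state); the 24-hour default window, the match on the Netlogon service name in the event message, and the parameter names are assumptions of this example.

```powershell
# Added example, not part of the article: surface unexpected Netlogon service
# terminations and restarts on a domain controller, the signal Kikta recommends
# watching while CVE-2026-41089 is unpatched.
# Event IDs are the standard Service Control Manager IDs:
#   7031 / 7034 = service terminated unexpectedly
#   7036        = service entered the running or stopped state
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # assumed parameter: host to query
    [int]$Hours = 24                              # assumed parameter: lookback window
)

$since = (Get-Date).AddHours(-$Hours)

$filter = @{
    LogName      = 'System'
    ProviderName = 'Service Control Manager'
    Id           = 7031, 7034, 7036
    StartTime    = $since
}

# -ErrorAction SilentlyContinue suppresses the "No events were found" error that
# Get-WinEvent raises when the filter matches nothing.
$events = @(
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Netlogon' }
)

# Current state of the service, so a reader sees whether it is up right now.
$svc = Get-Service -ComputerName $ComputerName -Name Netlogon -ErrorAction SilentlyContinue
if ($svc) {
    Write-Output "Netlogon on $ComputerName is currently: $($svc.Status)"
}

if ($events.Count -eq 0) {
    Write-Output "No Netlogon service crashes or state changes on $ComputerName in the last $Hours hours."
    return
}

# First line of the event message is enough to tell a crash from a clean restart.
$events |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id,
        @{ Name = 'Summary'; Expression = { $_.Message.Split("`n")[0].Trim() } } |
    Format-Table -AutoSize

# A 7031/7034 for Netlogon on a DC, particularly one that lines up with inbound
# Netlogon RPC from a host that is not a domain controller, should be treated as
# a possible exploitation attempt rather than a reliability issue until the
# May 2026 update is confirmed installed.
$crashes = @($events | Where-Object { $_.Id -in 7031, 7034 })
if ($crashes.Count -gt 0) {
    Write-Warning ("{0} unexpected Netlogon termination(s) on {1}; confirm patch status and correlate with network telemetry from non-DC sources." -f $crashes.Count, $ComputerName)
}
```

Run it from an account that can read the System log on the target DC; pairing its output with firewall or NetFlow records of Netlogon RPC from non-DC addresses covers the traffic side of Kikta's advice, which this script does not attempt on its own.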
This is the third month in 2026 in which Microsoft has disclosed more than 100 CVEs in a single Patch Tuesday. Through May, the company has already patched over 500 CVEs, putting it on pace to surpass the annual record of 1,245 bugs disclosed in 2020, noted Satnam Narang, senior staff research engineer at Tenable. Tom Gallagher, Microsoft's vice president of engineering, attributed the large release volume partly to AI-assisted vulnerability discovery: "Advanced AI models are part of the discovery picture and help to accelerate it. They enable us to reason about code paths and configurations at a speed and consistency that would not be possible through manual review alone."
A total of seven CVEs affecting Copilot and Azure AI Foundry highlighted the growing exposure organizations face from AI tools. Tyler Reguly, associate director of security R&D at Fortra, noted that 6% of this month's CVEs were AI-based. "We know that number is only going to grow from here," he said, urging organizations to inventory all AI instances in use, especially those not backed by a company with a regular update schedule like Microsoft.
The absence of zero-days in this cycle provides a rare window for organizations to catch up on patching without the urgency of active exploitation. However, the sheer volume of fixes—including critical flaws in Office, Dynamics 365, Azure, and Netlogon—underscores the growing complexity of maintaining enterprise security in an era of AI-accelerated vulnerability discovery.