Microsoft and Adobe Patch Tuesday, May 2026 Security Update Review

Summary

Microsoft's May 2026 Patch Tuesday addresses 137 vulnerabilities across its ecosystem, including 30 critical and 103 important-severity issues affecting Windows, Edge, .NET, M365 Copilot, Hyper-V, and other components. Notable critical CVEs include remote code execution flaws in Microsoft Word and Windows Netlogon, plus an authentication bypass in the Microsoft SSO Plugin for Jira & Confluence. Adobe simultaneously released 10 security advisories patching 52 vulnerabilities (27 critical) across Premiere Pro, Media Encoder, After Effects, Commerce, Connect, and other products.

Full text

Table of ContentsMicrosoft Patch Tuesday forMay2026Adobe Patches for May 2026Critical Severity Vulnerabilities Patched inMayPatch Tuesday EditionOther Microsoft Vulnerability HighlightsMicrosoft Release SummaryDiscover and Prioritize Vulnerabilities inVulnerability Management, Detection & Response (VMDR)Rapid Response withTruRisk EliminateQualys Monthly Webinar Series May 2026’s Patch Tuesday arrives with Microsoft addressing a fresh set of vulnerabilities across its ecosystem, reinforcing the ongoing need for timely patching in an increasingly threat-heavy landscape. Here’s a quick breakdown of what you need to know. Microsoft Patch Tuesday for May 2026 This month’s release addresses 137 vulnerabilities, including 30 critical and 103 important-severity vulnerabilities. In this month’s updates, Microsoft has not addressed any publicly disclosed zero-day vulnerability. Microsoft has addressed 128 vulnerabilities in Microsoft Edge (Chromium-based) that were patched earlier this month. Microsoft Patch Tuesday, May edition, includes updates for vulnerabilities in Windows Hyper-V, .NET, M365 Copilot, Windows GDI, Windows Internet Key Exchange (IKE) Protocol, Windows Kernel, Visual Studio Code, Windows Message Queuing, Azure Connected Machine Agent, Windows Common Log File System Driver, Windows Remote Desktop, and more. This month’s release includes fixes for several high-severity issues that could potentially enable remote code execution, privilege escalation, or denial-of-service attacks. As always, timely patch deployment is crucial to reduce exposure and ensure systems remain resilient against exploitation attempts. The May 2026 Microsoft vulnerabilities are classified as follows: Vulnerability CategoryQuantitySeveritiesSpoofing Vulnerability15Critical: 4Important: 11Denial of Service Vulnerability8Critical: 8Elevation of Privilege Vulnerability61Critical: 5Important: 56Information Disclosure Vulnerability15Critical: 5Important: 10Remote Code Execution Vulnerability31Critical: 16Important: 15Security Feature Bypass Vulnerability6Important: 6 Adobe Patches for May 2026 Adobe has released 10 security advisories to address 52 vulnerabilities in Adobe Premiere Pro, Adobe Media Encoder, Adobe After Effects, Adobe Commerce, Adobe Connect, Adobe Illustrator, Adobe Substance 3D Designer, Content Credentials SDK, Adobe Substance 3D Sampler, and Adobe Substance 3D Painter. 27 of these vulnerabilities are rated critical. Successful exploitation of these vulnerabilities may lead to privilege escalation, Security feature bypass, arbitrary file system read, application denial-of-service, and arbitrary code execution. Critical Severity Vulnerabilities Patched in May Patch Tuesday Edition CVE-2026-40364: Microsoft Word Remote Code Execution Vulnerability A type confusion vulnerability in Microsoft Word may allow an unauthenticated attacker to execute arbitrary code remotely. CVE-2026-41089: Windows Netlogon Remote Code Execution Vulnerability A stack-based buffer overflow vulnerability in Windows Netlogon could allow an unauthenticated attacker to execute code over the network. An attacker may exploit the vulnerability by sending a specially crafted network request to a Windows server that is acting as a domain controller. CVE-2026-40361 & CVE-2026-40366: Microsoft Word Remote Code Execution Vulnerability A use-after-free vulnerability in Microsoft Word may allow an unauthenticated attacker to execute arbitrary code remotely. CVE-2026-41103: Microsoft SSO Plugin for Jira & Confluence Elevation of Privilege Vulnerability Incorrect implementation of the authentication algorithm in the Microsoft SSO Plugin for Jira & Confluence may allow an unauthenticated attacker to elevate their privileges across the network. An attacker could exploit this vulnerability by sending a specially crafted SSO response during the login process that tricks the system into accepting a forged identity. This could allow the attacker to sign in without authenticating the user through Microsoft Entra ID. CVE-2026-35421: Windows GDI Remote Code Execution Vulnerability A heap-based buffer overflow vulnerability in Windows GDI could allow an unauthenticated attacker to execute arbitrary code remotely. CVE-2026-40363 & CVE-2026-42831: Microsoft Office Remote Code Execution Vulnerability A heap-based buffer overflow vulnerability in Microsoft Office may allow an unauthenticated attacker to execute arbitrary code remotely. CVE-2026-41096: Windows DNS Client Remote Code Execution Vulnerability A heap-based buffer overflow vulnerability in Microsoft Windows DNS may allow an unauthenticated attacker to execute arbitrary code remotely. CVE-2026-32161: Windows Native WiFi Miniport Driver Remote Code Execution Vulnerability A race condition in the Windows Native WiFi Miniport Driver could allow an unauthenticated attacker to execute code over an adjacent network. CVE-2026-40358: Microsoft Office Remote Code Execution Vulnerability A use-after-free vulnerability in Microsoft Office could allow an unauthenticated attacker to execute arbitrary code remotely. CVE-2026-40365: Microsoft SharePoint Server Remote Code Execution Vulnerability An insufficient access-control granularity flaw in Microsoft Office SharePoint Server allows an authenticated attacker to execute arbitrary code remotely. CVE-2026-40367: Microsoft Word Remote Code Execution Vulnerability A pointer dereference vulnerability in Microsoft Word allows an unauthenticated attacker to execute code locally. CVE-2026-40402: Windows Hyper-V Elevation of Privilege Vulnerability A use-after-free vulnerability in Windows Hyper-V may allow an unauthenticated attacker to elevate local privileges. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges. CVE-2026-40403: Windows Graphics Component Remote Code Execution Vulnerability A heap-based buffer overflow vulnerability in Windows Win32K – GRFX may allow an authenticated attacker to execute code locally. CVE-2026-42898: Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability A code-injection vulnerability in Microsoft Dynamics 365 (on-premises) may allow an authenticated attacker to execute code over the network. CVE-2026-33821: Microsoft Dynamics 365 Customer Insights Elevation of Privilege Vulnerability An improper privilege management flaw in Microsoft Dynamics 365 Customer Insights could allow an authenticated attacker to elevate their privileges across a network. CVE-2026-42826: Azure DevOps Information Disclosure Vulnerability Exposing sensitive information to an unauthenticated actor in Azure DevOps may allow an attacker to disclose it over a network. CVE-2026-35428: Azure Cloud Shell Spoofing Vulnerability A command injection vulnerability in Azure Cloud Shell could allow an unauthenticated attacker to perform network spoofing. CVE-2026-35435: Azure AI Foundry Elevation of Privilege Vulnerability An improper access-control flaw in Azure AI Foundry M365 published agents could allow an unauthenticated attacker to elevate their privileges across the network. CVE-2026-34327: Microsoft Partner Center Spoofing Vulnerability An externally controlled reference to a resource in another sphere in Microsoft Partner Center could allow an unauthenticated attacker to perform network spoofing. CVE-2026-33844: Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability An improper input validation flaw in Azure Managed Instance for Apache Cassandra may allow an authenticated attacker to execute code over a network. CVE-2026-33823: Microsoft Team Events Portal Information Disclosure Vulnerability An improper authentication flaw in Microsoft Teams may allow an authenticated attacker to disclose information over a network. CVE-2026-32207: Azure Machine Learning Notebook Spoofing Vulnerability A cross-site scripting vulnerability in Azure Machine Learning could allow an unauthenticated attacker to perform network spoofing. CVE-2026-40379: Micros

Indicators of Compromise

• cve — CVE-2026-40364
• cve — CVE-2026-41089
• cve — CVE-2026-40361
• cve — CVE-2026-40366
• cve — CVE-2026-41103

Entities