Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero-days

Summary

Microsoft released its May 2026 Patch Tuesday update addressing 120 vulnerabilities across its product portfolio, including 17 critical flaws—14 remote code execution, 2 privilege escalation, and 1 information disclosure. No zero-day exploits were disclosed this month. Notable vulnerabilities include remote code execution flaws in Microsoft Office, Windows GDI, SharePoint Server, and Windows DNS Client, with particular emphasis on Office file exploits via preview pane that warrant immediate patching.

Full text

Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero-days By Lawrence Abrams May 12, 2026 02:08 PM 0 Today is Microsoft's May 2026 Patch Tuesday, with security updates for 120 flaws and no zero-days disclosed. This Patch Tuesday addresses 17 "Critical" vulnerabilities, 14 of which are remote code execution, 2 are elevation of privilege, and 1 is an information disclosure flaw. The number of bugs in each vulnerability category is listed below: 61 Elevation of Privilege Vulnerabilities 6 Security Feature Bypass Vulnerabilities 31 Remote Code Execution Vulnerabilities 14 Information Disclosure Vulnerabilities 8 Denial of Service Vulnerabilities 13 Spoofing Vulnerabilities When BleepingComputer reports on Patch Tuesday security updates, we only count those released by Microsoft today. Therefore, the number of flaws does not include flaws in Mariner, Azure, Copilot, Microsoft Teams, and Microsoft Partner Center that were fixed by Microsoft earlier this month. There were also 131 Microsoft Edge/Chromium flaws that were fixed by Google this month, which were excluded. To learn more about the non-security updates released today, you can review our dedicated articles on the Windows 11 KB5089549 & KB5087420 cumulative updates and the Windows 10 KB5087544 extended security update. Noteworthy vulnerabilities Microsoft has not disclosed any zero-day vulnerabilities in this month's Patch Tuesday. However, there are some vulnerabilities fixed today that IT and security admins should be aware of. As part of today's updates, Microsoft has fixed numerous vulnerabilities in Microsoft Office, Word, and Excel that could lead to remote code execution. These flaws are exploited by opening malicious files, which can result in remote code execution. As many of these can be exploited via the preview pane, it is strongly advised to update Microsoft Office as soon as possible, especially if they commonly receive attachments. A list of the Microsoft Office, Word, and Excel flaws can be found in our May 2026 Patch Tuesday report. Other interesting vulnerabilities are: CVE-2026-35421 - Windows GDI Remote Code Execution Vulnerability: This flaw can be exploited by opening a malicious Enhanced Metafile (EMF) file using Microsoft Paint. CVE-2026-40365 - Microsoft SharePoint Server Remote Code Execution Vulnerability: An authenticated attacker can perform a network-based attack that remotely executes code on a SharePoint server. CVE-2026-41096 - Windows DNS Client Remote Code Execution Vulnerability: An attacker-controlled DNS server could send a specially crafted DNS response to a vulnerable Windows system, causing the DNS Client to incorrectly process the response and corrupt memory. This would allow the attacker to run code on the vulnerable system remotely. Recent updates from other companies Other vendors who released updates or advisories in May 2026 include: Adobe has released security updates for After Effects, Premiere Pro, Media Encoder, Commerce, Illustrator, and more. AMD disclosed updates for an elevation of privileges vulnerability in the CPU operation (op/µop) cache on Zen 2‑based. Apple released security updates for macOS, iOS, watchOS, iPadOS, visionOS, and tvOS. Cisco released security updates for numerous products, including a DoS flaw that requires manual rebooting of affected systems for recovery. Fortinet released security updates for two critical flaws in FortiSandbox and FortiAuthenticator. Google released Android's May security bulletin, which fixes 10 vulnerabilities. Ivanti released security updates for a high-severity Endpoint Manager Mobile (EPMM) remote code execution vulnerability, which was exploited in zero-day attacks. Mozilla released security updates for five Firefox vulnerabilities. Palo Alto Networks warned of a critical PAN-OS User-ID Authentication Portal flaw that was exploited in attacks as a zero-day. Patches have still not been released, but mitigations are available. SAP released the May security updates, which include fixes for one high-severity and two Critical flaws. vm2 released security updates for a critical vulnerability in the popular Node.js sandboxing library. The May 2026 Patch Tuesday Security Updates Below is the complete list of resolved vulnerabilities in the May 2026 Patch Tuesday updates. To access the full description of each vulnerability and the systems it affects, you can view the full report here. Tag CVE ID CVE Title Severity .NET CVE-2026-35433 .NET Elevation of Privilege Vulnerability Important .NET CVE-2026-32177 .NET Elevation of Privilege Vulnerability Important .NET CVE-2026-32175 .NET Core Tampering Vulnerability Important AMD CPU Branch CVE-2025-54518 AMD: CVE-2025-54518 CPU OP Cache Corruption Important ASP.NET Core CVE-2026-42899 ASP.NET Core Denial of Service Vulnerability Important Azure Connected Machine Agent CVE-2026-40381 Azure Connected Machine Agent Elevation of Privilege Vulnerability Important Azure Logic Apps CVE-2026-42823 Azure Logic Apps Elevation of Privilege Vulnerability Important Azure Machine Learning CVE-2026-33833 Azure Machine Learning Notebook Spoofing Vulnerability Important Azure Monitor Agent CVE-2026-32204 Azure Monitor Agent Elevation of Privilege Vulnerability Important Azure Monitor Agent CVE-2026-42830 Azure Monitor Agent Metrics Extension Elevation of Privilege Vulnerability Important Azure SDK CVE-2026-33117 Azure SDK for Java Security Feature Bypass Vulnerability Important Data Deduplication CVE-2026-41095 Data Deduplication Elevation of Privilege Vulnerability Important Dynamics Business Central CVE-2026-40417 Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnerability Important GitHub Copilot and Visual Studio CVE-2026-41109 GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability Important M365 Copilot CVE-2026-41100 Microsoft 365 Copilot for Android Spoofing Vulnerability Important M365 Copilot CVE-2026-42893 Microsoft Outlook for iOS Tampering Vulnerability Important M365 Copilot CVE-2026-26164 M365 Copilot Information Disclosure Vulnerability Critical M365 Copilot for Desktop CVE-2026-41614 M365 Copilot for Desktop Spoofing Vulnerability Important Microsoft Data Formulator CVE-2026-41094 Microsoft Data Formulator Remote Code Execution Vulnerability Important Microsoft Dynamics 365 (on-premises) CVE-2026-42898 Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability Critical Microsoft Dynamics 365 (on-premises) CVE-2026-42833 Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability Important Microsoft Office CVE-2026-42832 Microsoft Office Spoofing Vulnerability Important Microsoft Office CVE-2026-42831 Microsoft Office Remote Code Execution Vulnerability Critical Microsoft Office CVE-2026-40363 Microsoft Office Remote Code Execution Vulnerability Critical Microsoft Office CVE-2026-40419 Microsoft Office Click-To-Run Elevation of Privilege Vulnerability Important Microsoft Office CVE-2026-40358 Microsoft Office Remote Code Execution Vulnerability Critical Microsoft Office Click-To-Run CVE-2026-35436 Microsoft Office Click-To-Run Elevation of Privilege Vulnerability Important Microsoft Office Click-To-Run CVE-2026-40420 Microsoft Office Click-To-Run Elevation of Privilege Vulnerability Important Microsoft Office Click-To-Run CVE-2026-40418 Microsoft Office Click-To-Run Elevation of Privilege Vulnerability Important Microsoft Office Excel CVE-2026-40360 Microsoft Excel Information Disclosure Vulnerability Important Microsoft Office Excel CVE-2026-40362 Microsoft Excel Remote Code Execution Vulnerability Important Microsoft Office Excel CVE-2026-40359 Microsoft Excel Remote Code Execution Vulnerability Important Microsoft Office PowerPoint CVE-2026-41102 Microsoft PowerPoint for Android Spoofing Vulnerability Important Microsoft Office SharePoint CVE-2026-40368 Microsoft SharePoint Server Remote Code Execution Vulnerability Important Microsoft Office SharePoint CVE-2026-35439 Microsoft SharePoint Server

Indicators of Compromise

• cve — CVE-2026-35421
• cve — CVE-2026-40365
• cve — CVE-2026-41096
• cve — CVE-2026-35433
• cve — CVE-2026-32177
• cve — CVE-2026-32175
• cve — CVE-2025-54518

Entities