Microsoft Fixes 120 Vulnerabilities in May 2026 Update

On May 12, Microsoft issued patches for 120 vulnerabilities, notably without revealing any zero-day exploits. However, enterprise defenders must still address a wide spectrum of risks, including those impacting document handling, identity infrastructure, collaboration platforms, virtualization environments, and standard Windows networking.

Key Takeaways from May's Security Update

The May 2026 Patch Tuesday update resolved 17 critical vulnerabilities, 14 of which were remote code execution (RCE) issues. Organizations must act promptly to evaluate and deploy these updates across their systems. Patch managers face a significant challenge: determining which business systems can adopt first-wave updates without causing outages elsewhere.

Challenges in Enterprise Patching

Enterprise patching teams face a multifaceted "patch-order problem," as this month’s updates cover various systems such as:

• Office endpoints
• Domain controllers
• DNS-dependent Windows systems
• SharePoint deployments
• Hyper-V hosts

Each of these systems is typically managed by different teams, with unique patching schedules, rollback protocols, and maintenance windows. Even when a single Microsoft release addresses all these areas, coordinating updates remains a significant operational challenge.

Comparison with Recent Patch Cycles

In prior months:

• February addressed six active zero-days.
• April resolved 167 vulnerabilities, including two zero-days.

While May 2026 lacks zero-day disclosures, it does not ease the workload for defenders. Each recent update has required balancing trade-offs between rapid deployment, outage risks, and validation time for critical systems, adding to the cumulative prioritization burden.

Breakdown of Vulnerabilities in May 2026

Microsoft’s May release included the following:

• 31 remote code execution vulnerabilities
• 61 elevation-of-privilege (EoP) issues
• 14 information disclosure flaws
• 8 denial-of-service (DoS) vulnerabilities
• 6 security feature bypass issues
• 13 spoofing vulnerabilities

Among these, RCE vulnerabilities remain a priority as they allow attackers to execute arbitrary code, while EoP issues increase operational complexity by impacting permissions, administrative boundaries, and user-to-system transitions. Security teams must validate and address these vulnerabilities before proceeding from pilot testing to broader deployment.

No Zero-Days in May: A Rare Event

May 2026 marks the first Microsoft monthly security update in nearly two years without any exploited or publicly disclosed zero-day vulnerabilities. Over the past 22 months, Microsoft has averaged 3.5 zero-days per month, making this month quieter but not necessarily less demanding in terms of remediation efforts.

Office Vulnerabilities: A Continuing Concern

Despite the absence of zero-days, Office-related vulnerabilities remain a key focus. Microsoft addressed issues in Office, Word, and Excel that could lead to RCE, with some linked to risks from the Preview Pane. Since employees frequently preview documents like invoices, resumes, and shared files, these vulnerabilities require a broader patching effort beyond individual application updates.

Additionally, May’s update includes CVE-2026-35421, a vulnerability in Paint where opening a malicious Enhanced Metafile could enable code execution. Endpoint teams must also prioritize fixes such as CVE-2026-40367, CVE-2026-40366, and CVE-2026-40364, which affect laptops, shared workstations, and virtual desktops.

Infrastructure-Level Risks

Several vulnerabilities in May’s update pose critical risks to enterprise infrastructure:

• CVE-2026-41096: A Windows DNS Client heap-based buffer overflow vulnerability with a CVSS score of 9.8. This RCE flaw can be exploited remotely without authentication or user interaction, impacting a wide range of Windows systems.
• CVE-2026-41089: A critical issue in Windows Netlogon with a CVSS score of 9.8, enabling unauthenticated attackers to execute code remotely on domain controllers. Given the potential for authentication failures, patching domain controllers requires extra caution to avoid disrupting access to business-critical services.

SharePoint and Hyper-V Risks

SharePoint vulnerabilities remain a concern for enterprise security teams. CVE-2026-40365 exposes SharePoint servers to RCE attacks, albeit requiring Site Owner privileges. While this narrows the attacker pool, defenders must assess privileged-user exposure, external publishing, and collaboration sprawl to mitigate risks.

In virtualized environments, CVE-2026-40402 in Hyper-V introduces a severe risk, enabling attackers to escape from a guest VM to the host environment and gain SYSTEM privileges. This kind of boundary failure affects multiple workloads simultaneously, necessitating immediate attention from virtualization teams.

Operational Impacts of May 2026 Update

May’s update pushes teams managing Office endpoints, DNS-related Windows systems, domain controllers, SharePoint servers, and Hyper-V hosts toward a unified maintenance window. Despite the absence of zero-days, the scope and complexity of this month’s vulnerabilities make it operationally demanding for enterprises to address.