Post-Patch Tuesday Roundup: May 2026 | Softcat

Softcat’s May 2026 Patch Tuesday summary highlights updates from major vendors including Microsoft, Adobe, Cisco, SAP, Ivanti, IBM, Fortinet, Apple, AMD and Palo Alto as they release patches addressing a wide range of vulnerabilities across their respective platforms.


Philip Odjidja

Vulnerability Engineer

Microsoft 

Microsoft addresses 200 CVEs in its May 2026 Patch Tuesday release, with no zero-days exploited in the wild or publicly disclosed, for the first time since June 2024. Elevation of Privilege (EoP) vulnerabilities accounted for 48.3% of the vulnerabilities patched this month, followed by remote code execution (RCE) vulnerabilities at 24.6%.

Critical

This Patch Tuesday addresses 17 "Critical" vulnerabilities, 14 of which are remote code execution, 2 are elevation of privilege, and 1 is an information disclosure flaw.

CVE-2026-40361, CVE-2026-40364, CVE-2026-40366 and CVE-2026-40367 - Microsoft Word Remote Code Execution Vulnerabilities. These were assigned CVSSv3 scores of 8.4 and classified as critical. Microsoft assessed CVE-2026-40361 and CVE-2026-40364 as “Exploitation More Likely.” These vulnerabilities can be exploited through social engineering, such as by delivering a malicious file to a targeted user. If successfully exploited, the flaws could allow an attacker to execute arbitrary code on the victim’s system. Microsoft also identified the Preview Pane as a potential attack vector for all four vulnerabilities.

CVE-2026-41089 is an RCE vulnerability affecting Windows Netlogon, a Windows Server process used for authentication within a domain. It was assigned a CVSSv3 score of 9.8 and rated as critical. A remote, unauthenticated attacker could exploit this flaw by sending a crafted network request to a Windows server running as a domain controller. The request could trigger a stack-based buffer overflow, allowing the attacker to execute code on an affected system. Despite the critical severity and near-perfect CVSSv3 score, this flaw was assessed by Microsoft as “Exploitation Less Likely.”

CVE-2026-41103 is a critical elevation of privilege vulnerability affecting the Microsoft Single Sign-On (SSO) Plugin for Jira and Confluence. The flaw received a CVSSv3 score of 9.1 and was rated “Exploitation More Likely” in Microsoft’s Exploitability Index. An unauthenticated attacker could exploit the vulnerability during the login process by sending a specially crafted response message. Successful exploitation would enable the attacker to authenticate using a forged identity without requiring Microsoft Entra ID verification, potentially allowing unauthorized access to or modification of data within Jira and Confluence. However, any access gained would still be constrained by the permissions assigned to the impersonated user account on the targeted servers.

CVE-2026-41096 is a remote code execution vulnerability affecting the Windows DNS Client component. The flaw is described as a heap-based buffer overflow that can be exploited remotely without authentication. Successful exploitation could allow an attacker to execute arbitrary code on a vulnerable system. The flaw received a CVSSv3 score of 8.5.

CVE-2026-35421 is a remote code execution vulnerability affecting Windows GDI. The flaw is caused by a heap-based buffer overflow and has been assigned a CVSSv3 score of 7.8, with a rating of “Exploitation Unlikely.” Successful exploitation could allow an unauthorized attacker to execute arbitrary code locally on a vulnerable system. Exploitation requires user interaction, such as opening a specially crafted file.

CVE-2026-40365 is a remote code execution vulnerability affecting Microsoft SharePoint Server. The flaw stems from insufficient granularity of access control and has been assigned a CVSSv3 score of 8.8. An authenticated attacker could exploit the vulnerability over the network to execute arbitrary code on a vulnerable SharePoint server.

Important

CVE-2026-33841, CVE-2026-35420 and CVE-2026-40369 are EoP vulnerabilities affecting the Windows Kernel. Each of the flaws has been assigned a CVSSv3 score of 7.8 and rated as important. Both CVE-2026-33841 and CVE-2026-40369 were assessed as "Exploitation More Likely." The flaws could be abused by a local attacker to elevate to SYSTEM or, in the case of CVE-2026-33841, to Medium/High integrity level. Including these three EoPs, there have been 13 disclosed Windows Kernel EoP vulnerabilities addressed so far in 2026.

CVE-2026-35433 and CVE-2026-32177 are .NET Elevation of Privilege (EoP) vulnerabilities. Both allow local attackers to escalate privileges and are rated Important. .NET is embedded in countless server and desktop applications, and unpatched runtimes silently expose systems to privilege-escalation chains.

CVE-2026-41107 is a high-severity (CVSS 7.4) information-disclosure vulnerability affecting Microsoft Edge (Chromium-based). The flaw allows an unauthorized remote attacker to control file names or paths, potentially enabling disclosure of sensitive files over a network.

Recent updates from vendors

Adobe has released security updates for After Effects, Premiere Pro, Media Encoder, Commerce, Illustrator, Connect and more.

Cisco released multiple security updates/advisories this month, addressing multiple vulnerabilities across products including Unity Connection, IOS, IOS XE, Crosswork Network Controller, and Network Services Orchestrator.

SAP released 15 security updates, which include fixes for one high-severity and two critical flaws.

Fortinet released security updates for two critical flaws in FortiSandbox and FortiAuthenticator.

Palo Alto Networks disclosed a critical vulnerability affecting the PAN-OS User-ID Authentication Portal that has been actively exploited as a zero-day in the wild. While security patches are not yet available, the company has provided mitigation measures to help reduce exposure until fixes are released.

Ivanti issued security updates addressing a high-severity remote code execution vulnerability in Endpoint Manager Mobile (EPMM), which had already been exploited in zero-day attacks prior to the release of patches.

Apple released multiple OS security updates for macOS, iOS, watchOS, iPadOS, visionOS, and tvOS.

Mozilla released security updates for five high-severity Firefox vulnerabilities.

AMD addressed over 70 vulnerabilities (CVEs) in its May 2026 security advisories. This includes multiple advisories across CPU, GPU, firmware, and enterprise platforms, contributing to a broader chipmaker Patch Tuesday total of roughly 70 flaws addressed by AMD and Intel combined.

As always, users should install the most recent security updates promptly to help safeguard their systems from potential threats.