Microsoft Patch Tuesday, May 2026 Security Update Review
May 2026’s Patch Tuesday arrives with Microsoft addressing a fresh set of vulnerabilities across its ecosystem, reinforcing the ongoing need for timely patching in an increasingly threat-heavy landscape. Here’s a quick breakdown of what you need to know.
This month’s release addresses 137 vulnerabilities, including 30 critical and 103 important-severity vulnerabilities.
In this month’s updates, Microsoft has not addressed any publicly disclosed zero-day vulnerability.
Microsoft has addressed 128 vulnerabilities in Microsoft Edge (Chromium-based) that were patched earlier this month.
Microsoft Patch Tuesday, May edition, includes updates for vulnerabilities in Windows Hyper-V, .NET, M365 Copilot, Windows GDI, Windows Internet Key Exchange (IKE) Protocol, Windows Kernel, Visual Studio Code, Windows Message Queuing, Azure Connected Machine Agent, Windows Common Log File System Driver, Windows Remote Desktop, and more.
This month’s release includes fixes for several high-severity issues that could potentially enable remote code execution, privilege escalation, or denial-of-service attacks. As always, timely patch deployment is crucial to reduce exposure and ensure systems remain resilient against exploitation attempts.
The May 2026 Microsoft vulnerabilities are classified as follows:
| Vulnerability Category | Quantity | Severities |
|---|---|---|
| Spoofing Vulnerability | 15 | Critical: 4, Important: 11 |
| Denial of Service Vulnerability | 8 | Critical: 8 |
| Elevation of Privilege Vulnerability | 61 | Critical: 5, Important: 56 |
| Information Disclosure Vulnerability | 15 | Critical: 5, Important: 10 |
| Remote Code Execution Vulnerability | 31 | Critical: 16, Important: 15 |
| Security Feature Bypass Vulnerability | 6 | Important: 6 |
Critical Severity Vulnerabilities Patched in May Patch Tuesday Edition
CVE-2026-40364: Microsoft Word Remote Code Execution Vulnerability
A type confusion vulnerability in Microsoft Word may allow an unauthenticated attacker to execute arbitrary code remotely.
CVE-2026-41089: Windows Netlogon Remote Code Execution Vulnerability
A stack-based buffer overflow vulnerability in Windows Netlogon could allow an unauthenticated attacker to execute code over the network. An attacker may exploit the vulnerability by sending a specially crafted network request to a Windows server that is acting as a domain controller.
CVE-2026-40361 & CVE-2026-40366: Microsoft Word Remote Code Execution Vulnerability
A use-after-free vulnerability in Microsoft Word may allow an unauthenticated attacker to execute arbitrary code remotely.
CVE-2026-41103: Microsoft SSO Plugin for Jira & Confluence Elevation of Privilege Vulnerability
Incorrect implementation of the authentication algorithm in the Microsoft SSO Plugin for Jira & Confluence may allow an unauthenticated attacker to elevate their privileges across the network. An attacker could exploit this vulnerability by sending a specially crafted SSO response during the login process that tricks the system into accepting a forged identity. This could allow the attacker to sign in without authenticating the user through Microsoft Entra ID.
CVE-2026-35421: Windows GDI Remote Code Execution Vulnerability
A heap-based buffer overflow vulnerability in Windows GDI could allow an unauthenticated attacker to execute arbitrary code remotely.
CVE-2026-40363 & CVE-2026-42831: Microsoft Office Remote Code Execution Vulnerability
A heap-based buffer overflow vulnerability in Microsoft Office may allow an unauthenticated attacker to execute arbitrary code remotely.
CVE-2026-41096: Windows DNS Client Remote Code Execution Vulnerability
A heap-based buffer overflow vulnerability in Microsoft Windows DNS may allow an unauthenticated attacker to execute arbitrary code remotely.
CVE-2026-32161: Windows Native WiFi Miniport Driver Remote Code Execution Vulnerability
A race condition in the Windows Native WiFi Miniport Driver could allow an unauthenticated attacker to execute code over an adjacent network.
CVE-2026-40358: Microsoft Office Remote Code Execution Vulnerability
A use-after-free vulnerability in Microsoft Office could allow an unauthenticated attacker to execute arbitrary code remotely.
CVE-2026-40365: Microsoft SharePoint Server Remote Code Execution Vulnerability
An insufficient access-control granularity flaw in Microsoft Office SharePoint Server allows an authenticated attacker to execute arbitrary code remotely.
CVE-2026-40367: Microsoft Word Remote Code Execution Vulnerability
A pointer dereference vulnerability in Microsoft Word allows an unauthenticated attacker to execute code locally.
CVE-2026-40402: Windows Hyper-V Elevation of Privilege Vulnerability
A use-after-free vulnerability in Windows Hyper-V may allow an unauthenticated attacker to elevate local privileges. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.
CVE-2026-40403: Windows Graphics Component Remote Code Execution Vulnerability
A heap-based buffer overflow vulnerability in Windows Win32K – GRFX may allow an authenticated attacker to execute code locally.
CVE-2026-42898: Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability
A code-injection vulnerability in Microsoft Dynamics 365 (on-premises) may allow an authenticated attacker to execute code over the network.
CVE-2026-33821: Microsoft Dynamics 365 Customer Insights Elevation of Privilege Vulnerability
An improper privilege management flaw in Microsoft Dynamics 365 Customer Insights could allow an authenticated attacker to elevate their privileges across a network.
CVE-2026-42826: Azure DevOps Information Disclosure Vulnerability
An exposure of sensitive information to an unauthenticated actor in Azure DevOps may allow an attacker to disclose information over a network.
CVE-2026-35428: Azure Cloud Shell Spoofing Vulnerability
A command injection vulnerability in Azure Cloud Shell could allow an unauthenticated attacker to perform network spoofing.
CVE-2026-35435: Azure AI Foundry Elevation of Privilege Vulnerability
An improper access-control flaw in Azure AI Foundry M365 published agents could allow an unauthenticated attacker to elevate their privileges across the network.
CVE-2026-34327: Microsoft Partner Center Spoofing Vulnerability
An externally controlled reference to a resource in another sphere in Microsoft Partner Center could allow an unauthenticated attacker to perform network spoofing.
CVE-2026-33844: Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability
An improper input validation flaw in Azure Managed Instance for Apache Cassandra may allow an authenticated attacker to execute code remotely.
CVE-2026-33823: Microsoft Team Events Portal Information Disclosure Vulnerability
An improper authentication flaw in Microsoft Teams may allow an authenticated attacker to disclose information over a network.
CVE-2026-32207: Azure Machine Learning Notebook Spoofing Vulnerability
A cross-site scripting vulnerability in Azure Machine Learning could allow an unauthenticated attacker to perform network spoofing.
CVE-2026-40379: Microsoft Enterprise Security Token Service (ESTS) Spoofing Vulnerability
An exposure of sensitive information to an unauthenticated actor in Azure Entra ID could allow an unauthenticated attacker to perform network spoofing.
CVE-2026-33109: Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability
An improper access control flaw in Azure Managed Instance for Apache Cassandra may allow an authenticated attacker to execute code over a network.
CVE-2026-33111: Copilot Chat (Microsoft Edge) Information Disclosure Vulnerability
A command injection vulnerability in Copilot Chat (Microsoft Edge) may allow an unauthenticated attacker to disclose information over a network.
CVE-2026-41105: Azure Monitor Action Group Notification System Elevation of Privilege Vulnerability
A server-side request forgery vulnerability in Azure Notification Service may allow an authenticated attacker to elevate their privileges across the network.
CVE-2026-26129 & CVE-2026-26164: M365 Copilot Information Disclosure Vulnerability
An improper neutralization of special elements in M365 Copilot may allow an unauthenticated attacker to disclose information over a network.
Other Microsoft Vulnerability Highlights
- CVE-2026-33840 is an elevation of privilege vulnerability in Win32k. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
- CVE-2026-33841 is an elevation of privilege vulnerability in the Windows Kernel. The heap-based buffer overflow vulnerability may allow an authenticated attacker to elevate local privileges.
- CVE-2026-35416 is an elevation of privilege vulnerability in the Windows Ancillary Function Driver for WinSock. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.
- CVE-2026-35417 is an elevation of privilege vulnerability in Windows Win32k. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
- CVE-2026-33837 is an elevation of privilege vulnerability in Windows TCP/IP. The heap-based buffer overflow vulnerability may allow an authenticated attacker to elevate privileges locally.
- CVE-2026-33835 is an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
- CVE-2026-40369 is an elevation of privilege vulnerability in the Windows Kernel. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.
- CVE-2026-40397 is an elevation of privilege vulnerability in the Windows Common Log File System Driver. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
- CVE-2026-40398 is an elevation of privilege vulnerability in the Windows Remote Desktop Services. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
Microsoft Release Summary
This month’s release notes cover multiple Microsoft product families and products/versions affected, including, but not limited to, Windows Rich Text Edit, Windows Native WiFi Miniport Driver, Windows Rich Text Edit Control, Microsoft Teams, Azure Monitor Agent, Azure Machine Learning, Windows Filtering Platform (WFP), Azure Managed Instance for Apache Cassandra, Microsoft Office SharePoint, Copilot Chat (Microsoft Edge), Azure SDK, Microsoft Dynamics 365 Customer Insights, Windows Event Logging Service, Windows Cloud Files Mini Filter Driver, Windows TCP/IP, Windows Win32K – GRFX, Windows Win32K – ICOMP, Microsoft Partner Center, Windows Kernel-Mode Drivers, Windows DWM Core Library, Windows Telephony Service, Windows LDAP – Lightweight Directory Access Protocol, Windows Projected File System, Windows Link-Layer Discovery Protocol (LLDP), Windows Print Spooler Components, Windows Application Identity (AppID) Subsystem, Windows Ancillary Function Driver for WinSock, Windows Storport Miniport Driver, Windows Storage Spaces Controller, Telnet Client, Azure Cloud Shell, Microsoft Edge for Android, Azure AI Foundry M365 published agents, Microsoft Office Click-To-Run, Windows Admin Center, Microsoft Office Word, Microsoft Office, Microsoft Office Excel, SQL Server, Power Automate, Windows Cryptographic Services, Azure Entra ID, Windows Volume Manager Extension Driver, Windows SMB Client, Microsoft Edge (Chromium-based), Dynamics Business Central, Windows Netlogon, Microsoft Data Formulator, Data Deduplication, Microsoft Windows DNS, Windows Secure Boot, Microsoft Office PowerPoint, Microsoft SSO Plugin for Jira & Confluence, Azure Notification Service, GitHub Copilot and Visual Studio, M365 Copilot for Desktop, Azure Logic Apps, Azure DevOps, Microsoft Dynamics 365 (on-premises), ASP.NET Core, and AMD CPU Branch.
Discover and Prioritize Vulnerabilities in Vulnerability Management, Detection & Response (VMDR)
Qualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its Knowledgebase (KB).
You can see all hosts impacted by these vulnerabilities using the following QQL query:
vulnerabilities.vulnerability: ( qid: 110525 or qid: 110526 or qid: 387304 or qid: 387305 or qid: 5012492 or qid: 92384 or qid: 92385 or qid: 92386 or qid: 92387 or qid: 92388 or qid: 92390 or qid: 92392 or qid: 92393 or qid: 92394 or qid: 92396 )

Rapid Response with TruRisk Eliminate
Patch to the Latest Version
VMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select respective QIDs in the Patch Catalog and filter on the “Missing” patches to identify and deploy the applicable, available patches with one click.
The following QQL will return the missing patches for this Patch Tuesday:
( qid: 110525 or qid: 110526 or qid: 387304 or qid: 387305 or qid: 5012492 or qid: 92384 or qid: 92385 or qid: 92386 or qid: 92387 or qid: 92388 or qid: 92390 or qid: 92392 or qid: 92393 or qid: 92394 or qid: 92396 )

Mitigation: Reducing Risk Until Remediation
Not every team can patch immediately due to operational challenges. TruRisk Eliminate enables security teams to apply mitigation controls that immediately lower exposure and reduce the Qualys Detection Score (QDS).
As the first part of our mitigant signature set, we have Qualys-created mitigations for the following 36 vulnerabilities: CVE-2026-21249, CVE-2026-21525, CVE-2026-21533, CVE-2026-21510, CVE-2026-21508, CVE-2026-21237, CVE-2026-21234, CVE-2026-20846, CVE-2026-21232, CVE-2026-21240, CVE-2026-21250, CVE-2026-21222, CVE-2026-21239, CVE-2026-21245, CVE-2026-21254, CVE-2026-21231, CVE-2026-21243, CVE-2026-21513, CVE-2026-21253, CVE-2026-21537, CVE-2026-21527, CVE-2026-21246, CVE-2026-21235, CVE-2026-21261, CVE-2026-21259, CVE-2026-21258, CVE-2026-21511, CVE-2026-21514, CVE-2026-21260, CVE-2026-21229, CVE-2026-21244, CVE-2026-21255, CVE-2026-21247, CVE-2026-21248, CVE-2026-40374, CVE-2026-32161, CVE-2026-34337, CVE-2026-33835, CVE-2026-35418, CVE-2026-40402, CVE-2026-34329, CVE-2026-33838, CVE-2026-34342, CVE-2026-34340, CVE-2026-41095, CVE-2026-40382, CVE-2026-34338, CVE-2026-40363, CVE-2026-40419, CVE-2026-40358, CVE-2026-42831, CVE-2026-40420, CVE-2026-35436, CVE-2026-40418, CVE-2026-40359, CVE-2026-40360, CVE-2026-40362, CVE-2026-42832, CVE-2026-33110, CVE-2026-33112, CVE-2026-40368, CVE-2026-40357, CVE-2026-35439, CVE-2026-40365, CVE-2026-40366, CVE-2026-35440, CVE-2026-40421, CVE-2026-40361, CVE-2026-40367, CVE-2026-40364.
For vulnerabilities in Windows services with local or remote exploitation vectors, our mitigants modify configuration by changing registry keys and, where applicable, service policy files. These mitigations work for affected components such as the Remote Access Connection Manager, Remote Desktop Services, Shell, Storage, Subsystem for Linux, Power Automate Desktop, Internet Explorer, Microsoft SharePoint, Microsoft Exchange Server, Graphics Component, Office Excel, Outlook, Word, Power BI, and Hyper-V. Additionally, this mitigant set addresses denial-of-service, elevation-of-privilege, remote code execution, and information disclosure risks in these core Windows subsystems.
Qualys TruRisk Mitigate product customers receive these scripts as part of the monthly Patch Tuesday signature set.
Visit the May 2026 Security Updates to access the full description of each vulnerability and the systems it affects.
Qualys customers can scan their network with QIDs 110525, 110526, 387304, 387305, 5012492, 92384, 92385, 92386, 92387, 92388, 92390, 92392, 92393, 92394, and 92396 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References:
https://msrc.microsoft.com/update-guide
https://msrc.microsoft.com/update-guide/releaseNote/2026-May
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40364
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41089
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40361
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40366
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41103
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35421
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40363
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42831
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41096
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32161
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40358
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40365
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40367
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40402
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40403
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42898
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33821
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-42826
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35428
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-35435
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-34327
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33844
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33823
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32207
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-40379
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33109
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33111
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-41105
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26129
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26164
