Patch Tuesday: May 2026
May's Patch Tuesday is definitely quieter than April's release, but as usual, it still brings a significant volume of fixes. This month Microsoft patched 120 vulnerabilities, including 17 critical vulnerabilities, though notably, there were no publicly disclosed or actively exploited zero-day vulnerabilities in this cycle!
This blog breaks down the critical vulnerabilities that should be prioritised and highlights the areas defenders should focus on this month.
You can find Microsoft’s full May 2026 security update notes here.
Key Updates
- 120 vulnerabilities patched
- No publicly disclosed zero-day vulnerabilities
- 17 critical vulnerabilities
- 14 critical remote code execution vulnerabilities
What is a Zero-Day vulnerability?
A zero-day vulnerability is a security flaw that becomes known to attackers before defenders have had a fair chance to patch it. In practice, that means there are effectively zero days of warning once details are public or exploitation begins. Even where exploitation has not yet been confirmed, a publicly disclosed flaw usually raises the urgency because attackers now know exactly what to start testing against exposed systems.

Vulnerability Types Released in May 2026
This month continues the broader trend we’ve seen throughout 2026, with Elevation of Privilege vulnerabilities once again making up the largest portion of Microsoft’s release.
This is worth noting because these flaws are often used after initial access has already been granted, and in real-world attacks, they commonly help attackers move laterally, gain administrative control, or disable security protections after compromising a system.
Still, Remote Code Execution vulnerabilities remain the highest immediate risk from an exploitation perspective, particularly where network exposure or user interaction is involved.
Critical Vulnerability Summary
Here are some noteworthy critical CVEs from this month’s release:
| Product / Component | CVE | Title | Severity |
|---|---|---|---|
| Windows Netlogon | CVE-2026-41089 | Windows Netlogon Remote Code Execution Vulnerability | Critical |
| Windows DNS Client | CVE-2026-41096 | Windows DNS Client Remote Code Execution Vulnerability | Critical |
| Microsoft Dynamics 365 | CVE-2026-42898 | Microsoft Dynamics 365 Remote Code Execution Vulnerability | Critical |
| Microsoft Office Word | CVE-2026-40361 | Microsoft Office Word Remote Code Execution Vulnerability | Critical |
| Hyper-V | CVE-2026-40402 | Hyper-V Elevation of Privilege Vulnerability | Critical |
| Microsoft SharePoint Server | CVE-2026-40365 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Critical |
Areas That Need Attention
- Prioritise Network-Exposed Systems
  This month includes several high-severity vulnerabilities affecting services that commonly sit at the centre of enterprise infrastructure, including DNS, Netlogon, and SharePoint. Where systems are externally accessible or heavily relied upon internally, patching should be prioritised early within deployment cycles.
- Focus on Office and User-Facing Applications
  Office-related remote code execution vulnerabilities continue to appear regularly in Patch Tuesday releases. Because these vulnerabilities often rely on phishing, malicious attachments, or user interaction, organisations should ensure endpoint protections, email filtering, and user awareness remain strong alongside patching efforts.
- Review Privilege Escalation Exposure
  With 61 Elevation of Privilege vulnerabilities this month, it’s worth reviewing how difficult it would be for an attacker to move from standard user access to administrative control inside your environment.

To Conclude
May’s Patch Tuesday is a bit more manageable than some of the heavier releases we’ve seen recently, mainly because there are no publicly disclosed or actively exploited zero-days this month.
That said, there are still some important fixes worth prioritising, and the continued volume of elevation of privilege vulnerabilities across Microsoft’s 2026 releases so far is hard to ignore. As always, the challenge is in understanding what actually matters within your environment first, and having clear visibility into exposed systems and relevant vulnerabilities makes those prioritisation decisions much easier.
We understand how tricky this can be, as assets sit across different environments and patching priorities can become unclear when volume increases. RoboShadow helps simplify this by continuously mapping your external attack surface, giving you a clearer view of what’s exposed, which vulnerabilities are relevant, and where patching should be focused first.
As always, thank you for your continuous support and feedback, and if you have any questions, please don’t hesitate to reach out to us at hello@roboshadow.com



