Redmond. Microsoft has released its May 2026 Patch Tuesday security update, fixing 120 vulnerabilities across Windows, Office, Azure services and several enterprise products. The update addresses 17 critical flaws and more than 30 remote code execution vulnerabilities, while Microsoft reported no disclosed zero-day exploits in this month’s release.
Critical Flaws Patched Across Office and Windows
According to Microsoft’s security bulletin, the May update resolves vulnerabilities involving remote code execution, elevation of privilege, information disclosure, denial of service, spoofing and security feature bypass issues.
A major share of the remote code execution flaws affects Microsoft Office applications, including Word, Excel and PowerPoint. Security researchers warned that some of these vulnerabilities could be triggered by opening malicious documents, and in certain cases through the preview pane, increasing the risk for enterprise users who regularly handle email attachments.
Among the notable issues fixed is a Windows GDI vulnerability, identified as CVE-2026-35421, which can be exploited through a malicious Enhanced Metafile opened in Microsoft Paint. Another serious flaw affects Windows DNS Client, identified as CVE-2026-41096, where a crafted DNS response from a malicious server could lead to memory corruption and remote code execution.
SharePoint, Azure and Developer Tools Also Updated
Microsoft also patched a critical SharePoint Server vulnerability, CVE-2026-40365, which could allow an authenticated attacker to remotely execute code over a network. Multiple vulnerabilities in the Windows TCP/IP stack, Netlogon service and Windows Kernel components were also fixed, including flaws linked to privilege escalation and denial-of-service risks.
Enterprise cloud services were part of the update cycle as well. Microsoft addressed security issues in Azure Machine Learning, Azure Monitor Agent, Azure Logic Apps and Azure Connected Machine Agent, underlining the growing security exposure of cloud-managed infrastructure.
GitHub Copilot and Visual Studio Code were also patched for security bypass and information disclosure flaws. The fixes reflect continuing concerns over the security of developer tools and software supply chains.
No Zero-Days Reported, But Patching Urged
Microsoft confirmed that no zero-day vulnerabilities were included in the May 2026 release. Cybersecurity experts, however, warned that the absence of zero-days does not reduce the need for urgent patching, as unpatched vulnerabilities can still be exploited.
The update includes fixes for Windows components such as Hyper-V, Print Spooler, SMB Client, Secure Boot and Remote Desktop Services. These components are frequently watched in enterprise environments because of their privileged system access and network exposure.
Several other technology vendors also released security updates in May 2026, including Adobe, Apple, Cisco, Fortinet, Mozilla, SAP and Google. Microsoft urged users and IT administrators to apply the latest updates promptly, especially in environments relying heavily on Office documents, SharePoint servers and remote access systems.