Microsoft Fixes 120 Flaws in May Patch Tuesday, 17 Critical

Microsoft released its May 2026 security updates on Tuesday, patching 120 vulnerabilities across Windows, Office, Azure, and Microsoft 365 apps. While none are actively exploited, 17 flaws carry Critical severity ratings—14 of which enable remote code execution.

The absence of zero-days is a welcome reprieve after a turbulent start to 2026. But admins shouldn't relax: several Word vulnerabilities exploit the Preview Pane, meaning users don't even need to open malicious documents to trigger code execution.

Critical Vulnerabilities to Prioritize

The most concerning flaws this month target domain controllers and DNS infrastructure—the backbone of enterprise networks.

CVE-2026-41089 (Windows Netlogon) is a stack-based buffer overflow that could let attackers run code on domain controllers without authentication. A crafted network request is all it takes. If you run Active Directory, this one jumps to the front of the queue. Microsoft has seen similar Netlogon vulnerabilities exploited rapidly once PoCs emerge.

CVE-2026-41096 (Windows DNS Client) allows remote code execution via malicious DNS responses. Any Windows system with a vulnerable DNS client becomes a target. Given that DNS traffic is ubiquitous and often trusted, this flaw could enable lateral movement across networks without triggering traditional security controls. The speed at which attackers weaponize critical flaws—as we saw with LiteLLM's SQL injection being exploited within 36 hours—means patching delays carry real risk.

Word Preview Pane Attacks Return

Four critical RCE vulnerabilities in Microsoft Word stand out—CVE-2026-40361, CVE-2026-40364, CVE-2026-40366, and CVE-2026-40367. What makes these particularly dangerous: exploitation occurs through the Preview Pane.

Users don't need to double-click a malicious .docx file. Simply selecting it in Outlook or File Explorer while preview is enabled can trigger the exploit chain. Microsoft rates CVE-2026-40361 and CVE-2026-40364 as "more likely" to be exploited.

Organizations that haven't already disabled Preview Pane in high-risk environments should reconsider that policy while rolling out patches. For guidance on defending against document-based attacks, our malware defense guide covers the fundamentals.

Other Notable Patches

Beyond the headline grabbers, several other Critical flaws warrant attention:

• CVE-2026-40402 (Hyper-V): Elevation of privilege bug matters for anyone running multi-tenant virtualization or VDI. Guest-to-host escapes remain a nightmare scenario.
• CVE-2026-40365 (SharePoint Server): Authenticated RCE in SharePoint. "Authenticated" offers cold comfort when phishing remains this effective.
• CVE-2026-35421 (Windows GDI): Malicious Enhanced Metafile images can trigger code execution—another vector for weaponized documents.
• CVE-2026-41103 (Microsoft SSO Plugin): Elevation of privilege in the SSO plugin for Jira and Confluence affects organizations using Microsoft identity with Atlassian products.

What's Not Getting Patched

Notably absent from this release: fixes for several Office vulnerabilities that researchers disclosed earlier this year. Microsoft acknowledged the gaps but hasn't committed to a timeline. Organizations tracking critical software vulnerabilities should monitor for out-of-band updates.

Patch Now

The full breakdown by category:

Severity	Count	Primary Impact
Critical	17	14 RCE, 2 EoP, 1 Info Disclosure
Important	101	Mixed RCE, EoP, Spoofing
Moderate	2	Denial of Service

Microsoft's Security Update Guide contains the complete list. For enterprises managing patch cycles, domain controllers and email servers should take priority given the Netlogon and Word vulnerabilities. Systems exposed to untrusted DNS responses need the DNS client fix before threat actors start experimenting.

The CISA Known Exploited Vulnerabilities catalog hasn't added any May Patch Tuesday CVEs yet—a good sign that exploitation remains theoretical. But with 17 Critical flaws now documented, that window won't stay open long.