Microsoft Patch Tuesday — May 2026

Microsoft Patch Tuesday — May 2026

No Comments

By the Numbers

137 vulnerabilities patched. 17 rated Critical — 14 RCE, 2 EoP, 1 information disclosure. No zero-days exploited in the wild, no public disclosures ahead of release. Notably, EoP vulnerabilities dominated the month at 48.3% of all patches, followed by RCE at 24.6%.

Critical CVEs — Prioritize These

CVE-2026-41089 — Windows Netlogon (Stack Buffer Overflow, RCE)

A stack-based buffer overflow in Windows Netlogon that could lead to remote code execution, exploitable via a specially crafted network request to a domain controller — no authentication required. Experts advise patching all domain controllers in the same maintenance window, noting that half-patched forests are not a defensible state for a pre-auth DC bug. Restricting Netlogon traffic at the network layer is also recommended — DCs do not need to accept Netlogon from arbitrary segments.

CVE-2026-41096 — Windows DNS Client (Unauthenticated RCE)

Exploitable by sending a specially crafted DNS response to a Windows system. In certain configurations, this allows unauthenticated remote code execution. Since the DNS Client runs on virtually every Windows machine, the attack surface is enormous — an attacker with MitM position or rogue DNS server access could achieve unauthenticated RCE across an entire enterprise.

CVE-2026-40361 & CVE-2026-40364 — Microsoft Word (Preview Pane RCE)

Four critical RCE bugs in Microsoft Word, with two assessed as “Exploitation More Likely.” These can be triggered without opening a document — exploitation is possible simply by viewing a malicious file in the Preview Pane. Patching is the only reliable mitigation.

CVE-2026-32161 — Windows Native Wi-Fi Miniport Driver (UAF, Adjacent Network RCE)

A critical use-after-free / race condition in the Windows Native Wi-Fi Miniport Driver allowing an unauthorized attacker to execute code over an adjacent network.

CVE-2026-40402 — Windows Hyper-V (EoP)

A privilege escalation fix in Hyper-V particularly important for multi-tenant and private cloud environments, where a guest-to-host escape could have an outsized blast radius.

CVE-2026-41103 — Microsoft SSO Plugin for Jira & Confluence (CVSS 9.1, Critical)

Rated “Exploitation More Likely.” An unauthorized attacker could exploit this during login by sending a specially crafted response, enabling sign-in via a forged identity without Entra ID authentication — allowing access to or modification of data in Jira and Confluence environments.

CVE-2026-35421 — Windows GDI (Heap Buffer Overflow, RCE)

A critical heap-based buffer overflow in Windows GDI triggered by opening a specially crafted Enhanced Metafile (EMF) file using Microsoft Paint.

Notable — High Priority

CVE-2026-33841 & CVE-2026-40369 — Windows Kernel EoP

Both assessed as “Exploitation More Likely.” Can be abused by a local attacker to elevate to SYSTEM or Medium/High integrity level. Including these, 13 Windows Kernel EoP vulnerabilities have now been disclosed in 2026.

AI & Cloud Attack Surface

Microsoft patches spoofing and security-feature bypass issues in M365 Copilot for Desktop and Android, GitHub Copilot with Visual Studio, and Azure Machine Learning notebooks — raising concerns about prompt-driven social engineering, data exfiltration, or malicious content injection via trusted AI interfaces.

Visual Studio Code Cluster

VSCode receives fixes covering EoP, information disclosure, RCE, and security feature bypass (CVE-2026-41613 through CVE-2026-41609 and CVE-2026-41109). .NET and ASP.NET Core patches address EoP, tampering, and DoS conditions.

Secure Boot Certificate Deadline — Critical Enterprise Action

The original Secure Boot certificates issued in 2011 and used by most Windows devices built between 2012 and 2025 expire on June 26, 2026. Every Windows device that has not received updated Secure Boot certificates before that date enters a degraded security state the following day.

May 2026 is the final comfortable deployment window before this deadline. Organizations should use this patch cycle to validate that all Windows devices have received the updated Secure Boot certificate chain. Compliance-driven organizations in healthcare, financial services, and government should retain evidence of patch deployment, exception handling, and remediation timelines.

Known Issue: Windows Server 2025 devices running an unrecommended BitLocker Group Policy configuration may boot into BitLocker Recovery after installing this update, requiring the recovery key on first restart. Enterprise admins should verify BitLocker policy configuration before pushing to production servers.

Patching Priority Order

  1. Immediate — Windows Netlogon (CVE-2026-41089) on all domain controllers
  2. Immediate — Microsoft Word / Office Preview Pane RCEs
  3. High — Windows DNS Client (CVE-2026-41096) across all Windows endpoints
  4. High — SSO Plugin for Jira & Confluence (CVE-2026-41103)
  5. High — Hyper-V EoP in multi-tenant environments
  6. Standard — VSCode, .NET, Azure-connected services, Windows Kernel EoP
  7. Checkpoint — Validate Secure Boot certificate deployment status fleet-wide
Tags:

Comments

No comments yet. Why don’t you start the discussion?

    Leave a Reply

    This site uses Akismet to reduce spam. Learn how your comment data is processed.