Microsoft Patch Tuesday May 2026: No Zero-Day, 120 Flaws Fixed
Microsoft's May 2026 Patch Tuesday fixes 120 security flaws. There isn't a single zero-day, which is rather good news. Here's what you need to know.
For once, this Patch Tuesday does not address a single zero-day security flaw. That said, the number of patched vulnerabilities is far from trivial: 120. Among them, 17 are critical vulnerabilities, which is also noteworthy. Here they are:
- Microsoft 365 Copilot: CVE-2026-26164
- Microsoft Dynamics 365 (on-premises): CVE-2026-42898
- Microsoft Office: CVE-2026-42831, CVE-2026-40363, CVE-2026-40358
- Microsoft Word: CVE-2026-40361, CVE-2026-40367, CVE-2026-40366, CVE-2026-40364
- Microsoft SharePoint: CVE-2026-40365
- Microsoft SSO plugin for Jira and Confluence: CVE-2026-41103
- Windows DNS Service: CVE-2026-41096
- Windows GDI: CVE-2026-35421
- Hyper-V: CVE-2026-40402
- Windows - Native Wi-Fi Miniport Driver: CVE-2026-32161
- Windows Netlogon: CVE-2026-41089
- Windows Win32K - GRFX: CVE-2026-40403 (partly discovered with the help of Claude)
The list of critical flaws is rarely this long. In fact, some of them deserve special attention, especially because they open the door to remote code execution.
Be careful with the critical vulnerabilities
- CVE-2026-41096
This vulnerability affects the Windows DNS service and allows remote code execution over the network. It can be exploited by sending a malicious DNS response, which triggers memory corruption within the Windows DNS client. Its impact is significant: depending on the target system configuration, an attacker can use this vulnerability to execute code remotely (RCE), without any prior authentication.
It affects only certain Windows versions: Windows 11, Windows Server 2022, and Windows Server 2025.
- CVE-2026-41089
This security flaw affects the Windows Netlogon service and also allows remote code execution. Microsoft explains that it can be exploited by sending a specially crafted network request to a domain controller. It takes advantage of a processing error within the Netlogon service.
Its impact: an attacker can use it to execute code remotely (RCE) on the compromised server, arbitrarily and without being authenticated.
This vulnerability affects only Windows Server 2012 through Windows Server 2025, especially domain controllers.
- CVE-2026-40402
Exploitable from a guest virtual machine, this Hyper-V flaw allows the host kernel to read an arbitrary memory address.
Although exploitation generally results in a denial of service (Hyper-V host crash), another outcome is possible. By targeting certain hardware device registers, an attacker can escape the isolated environment (VM escape technique) and gain SYSTEM privileges on the host system.
This vulnerability affects only Windows Server 2022 and Windows 11 23H2.
- Multiple critical flaws in Word
As mentioned earlier, Microsoft Word is affected by four critical flaws. In each case, the preview pane is considered an exploitation vector for these remote code execution vulnerabilities.
In many cases, these vulnerabilities are exploited through a malicious document. It is strongly recommended that you update the Office suite on your machines.
Find all the information on Microsoft’s official MSRC website.


