Microsoft Patch Tuesday May 2026: 120 Vulnerabilities Fixed

Overview: 120 CVEs, 17 Rated as Critical

With the May 2026 Patch Tuesday, Microsoft closed a total of 120 security vulnerabilities across its entire product portfolio on 12 May 2026. The vendor rates 17 of these vulnerabilities as “Critical”. In contrast to many previous months, current information indicates no zero-days are included — neither publicly known nor actively exploited vulnerabilities were reported at the time of release.

The focus is clearly on document-based attack vectors in Office and Word, as well as on network-exposed authentication and name resolution components in the Windows server stack. Seven critical CVEs affect Windows components, six the Office suite, and three SharePoint & Services.

Category	Total	Of which critical
Elevation of Privilege	61	2
Remote Code Execution	31	14
Information Disclosure	14	1
Spoofing	13	0
Denial of Service	8	0
Security Feature Bypass	6	0

Context: Patch Tuesday

Since 2003, Microsoft has published security-related updates on the second Tuesday of every month. The May 2026 release is one of the largest bundled releases of the year so far and affects Windows clients, Windows Server, Office, SharePoint, Dynamics 365, .NET, Hyper-V as well as cloud-adjacent services such as M365 Copilot.

Netlogon and DNS Client: Pre-Auth RCE in the Authentication Stack

From an operational standpoint, the most dangerous flaws of the month affect two network-exposed Windows server components that play a central role in Active Directory operations. Both enable Remote Code Execution without authentication — a classic wormable profile.

Abstract visualisation of a Domain Controller with surrounding server nodes and a compromised authentication path — Network-exposed authentication services are the primary attack target.

CVE	Component	Type	Vector
`CVE-2026-41089`	Windows Netlogon	RCE · Stack Buffer Overflow	Unauth., network
`CVE-2026-41096`	Windows DNS Client	RCE · Heap Buffer Overflow	Malicious DNS response
`CVE-2026-32161`	Native WiFi Miniport Driver	RCE	Local wireless network

According to a Qualys analysis, CVE-2026-41089 is based on a stack-based buffer overflow in Netlogon, which can be exploited via a specially crafted network request to a Domain Controller. CVE-2026-41096, on the other hand, is triggered via an attacker-controlled DNS server: a specially constructed DNS response sent to a requesting Windows client leads to code execution. This makes the DNS client flaw dangerous even in scenarios where Domain Controllers themselves are not directly reachable.

Acute Priority

CVE-2026-41089 affects authentication infrastructure — a successful exploit compromises not a single host, but potentially the entire domain. Domain Controllers must be patched with the highest priority. Bear in mind: Netlogon traffic is barely segmentable within Active Directory environments.

Office & Word: Seven Critical RCEs, One Preview-Pane Vector

Abstract visualisation of a document-based attack vector with flowing sheets of paper and a glowing vulnerability point — Document-based attacks remain one of the most common initial access vectors.

The May release contains seven critical RCE flaws in Office and Word. They are predominantly triggered by crafted documents — the classic way is by opening them, but in one case particularly critically via the Preview Pane in Windows Explorer or Outlook. This reduces the user interaction required for exploitation to merely selecting the file.

CVE	Product	Vulnerability Class
`CVE-2026-40364`	Word	Type Confusion · Preview-Pane Vector
`CVE-2026-40366`	Word	Use-after-free
`CVE-2026-40361`	Word	Use-after-free
`CVE-2026-40367`	Word	RCE
`CVE-2026-40358`	Office	Use-after-free
`CVE-2026-40363`	Office	Heap Buffer Overflow
`CVE-2026-42831`	Office	RCE

Preview Pane as a Silent Trigger

For CVE-2026-40364, according to Microsoft, a preview in the Explorer or Outlook Preview Pane is sufficient to exploit the vulnerability. The user does not need to actively open the file. This partly nullifies the common awareness argument “don't click on suspicious attachments” as soon as the attachment is visible in the inbox.

As an accompanying hardening option, how the Outlook Preview Pane is handled can be evaluated on an organisation-specific basis. Such configuration decisions should be made in coordination with the affected workflows and, where appropriate, as part of a pilot phase.

SharePoint Server & Dynamics 365: On-Premises Applications in Focus

On the on-premises side, Microsoft is addressing five SharePoint RCE vulnerabilities as well as a critical flaw in Dynamics 365 On-Premises. While the SharePoint flaws predominantly require authenticated vectors, the attack surface for internet-facing collaboration servers is typically considerably larger than for pure LAN deployments — for example through self-service accounts, federations or third-party access.

CVE	Component	Note
`CVE-2026-40365`	SharePoint Server 2019	RCE · Site owner privilege required
`CVE-2026-40368`	SharePoint Server	RCE
`CVE-2026-33112`	SharePoint Server	RCE
`CVE-2026-33110`	SharePoint Server	RCE
`CVE-2026-42898`	Dynamics 365 On-Premises	RCE · Critical
`CVE-2026-41103`	SSO plug-in for Jira/Confluence	EoP · CVSS 9.1

PowerShell · Check SharePoint patch level

# Read build versions of the SharePoint farm
Get-SPFarm | Select-Object BuildVersion

# Patch status of all servers in the farm
Get-SPProduct | Select-Object ProductName, Patchable, PatchableUnitDisplayNames

# Cumulative updates for SharePoint Server 2019
Get-WmiObject -Class Win32_QuickFixEngineering |
  Where-Object { $_.HotFixID -match 'KB' } |
  Sort-Object InstalledOn -Descending |
  Select-Object -First 10 HotFixID, Description, InstalledOn

Hardening Beyond the Patch

The SharePoint flaw CVE-2026-40365 requires site owner rights. In practice, these roles are often more generously distributed than originally intended in long-grown environments. A timely audit of privileged SharePoint roles and the use of a controlled privileged access path significantly reduces residual risk.

Recommended Patch Prioritisation

Since there is no zero-day pressure, this month's rollout can be planned in an orderly fashion. The decisive factor is the exposure of the respective component: authentication stack before internet-facing applications before endpoints before passive infrastructure.

Domain Controllers first

Prioritise the Netlogon patch (CVE-2026-41089) on all DCs, followed by functional tests against replication, Kerberos and trusts. Pre-auth RCE in the authentication stack has the highest priority.

Internet-exposed SharePoint

Schedule internet-facing SharePoint farms with high priority straight after the DCs. Verify WAF rules and logging precision before maintenance windows are approved.

Office clients across the board

Roll out Office and Word updates via Microsoft Update / Intune in regular maintenance waves. Evaluate accompanying hardening options for handling the Outlook Preview Pane on an organisation-specific basis.

Windows servers & clients

Schedule GDI, Graphics, DNS Client and Hyper-V. For Hyper-V hosts, plan a coordinated maintenance window due to live migration and cluster implications.

Rollout Procedure

1Reconcile the CVE list against existing inventory (asset management, CMDB, SCCM/Intune).
2Create risk-based prioritisation: Domain Controllers > internet-exposed services > standard workstations.
3Evaluate accompanying hardening measures on an organisation-specific basis and include them in the rollout planning.
4Test a pilot ring (5–10% of devices) for stability and functionality.
5Perform a wave-based production rollout with a defined rollback path.
6Verify patch level (build version, hotfix ID) and document in the CMDB.

PowerShell · Check patch level on Windows hosts

# Current KB patches from the last 30 days
Get-HotFix |
  Where-Object { $_.InstalledOn -gt (Get-Date).AddDays(-30) } |
  Sort-Object InstalledOn -Descending |
  Format-Table HotFixID, Description, InstalledOn -AutoSize

# Windows Update history via PSWindowsUpdate (module must be installed)
Get-WUHistory | Select-Object Date, Title, Result -First 15

# Quickly identify Domain Controllers
Get-ADDomainController -Filter * |
  Select-Object Name, OperatingSystem, OperatingSystemVersion

NIS2 Compliance Context

For organisations within the scope of NIS2, demonstrable vulnerability management is part of the minimum measures under Article 21. Structured patch SLAs, documented risk decisions and reproducible rollout processes are relevant to supervisors — not only in the event of an incident.

Conclusion: A Quiet Month Without Zero-Day — But No Reason to Relax

The May 2026 release is one of the more extensive Patch Tuesdays in quantitative terms, but qualitatively more relaxed than previous months due to the absence of actively exploited zero-days. This gives security teams room for an orderly, tested rollout — but does not mean the flaws are trivial. In particular, the Netlogon RCE and the Word Preview Pane vector are classic building blocks for future attack chains and are likely to be the subject of public exploit demos.

Our recommendation: prioritise domain-relevant servers, followed by internet-exposed services and Office clients, and take this release as an opportunity to structurally review your vulnerability management process — not just a single patch cycle.

Three Takeaways

1. No zero-days — but two pre-auth-reachable RCEs (Netlogon, DNS Client) deserve top priority.

2. The preview pane trigger in CVE-2026-40364 should be addressed configuratively as part of the patch rollout and evaluated on an organisation-specific basis.

3. 17 critical flaws at once is a stress test for any patch process — use it as a maturity indicator.