Microsoft Patch Tuesday: Zero-Day Vulnerabilities Absent in Latest Fixes


Microsoft’s May 2026 Patch Tuesday Update

The latest security patches address 137 Common Vulnerabilities and Exposures (CVEs), a decrease from April’s 169.

  • This release includes no zero-days, the first time that has happened since June 2024.
  • Over a 22-month period, releases averaged three zero-days per month.
  • Four remote code execution (RCE) vulnerabilities in Microsoft Word were fixed. Two are rated as more likely to be exploited, while the other two are rated less likely and unlikely to be exploited, respectively.

Word RCE Vulnerabilities

The Word RCE vulnerabilities are tracked as CVE-2026-40361, CVE-2026-40364, CVE-2026-40366, and CVE-2026-40367.

According to Microsoft, “The Word RCE vulnerabilities allow an attacker to execute arbitrary code remotely, even if the document is not opened.”

Other Notable Flaws

A CVSS 9.9 RCE vulnerability exists in Microsoft Dynamics 365 on-premises, tracked as CVE-2026-42898.

A critical CVSS 9.1 privilege elevation flaw exists in the Microsoft SSO Plugin for Jira & Confluence, tracked as CVE-2026-41103.

A stack-based buffer overflow RCE in Windows Netlogon, tracked as CVE-2026-41089, has a CVSS score of 9.8.

A heap-based buffer overflow RCE in the Windows DNS Client, tracked as CVE-2026-41096, also has a CVSS score of 9.8.

Non-Microsoft Patches

Microsoft also re-released 128 non-Microsoft CVEs: 127 in Chrome and one in AMD Zen 2-based processors.

SAP disclosed 15 new vulnerabilities for its May 2026 Patch Day, including two critical-severity CVEs affecting SAP S/4HANA and SAP Commerce Cloud.

Adobe fixed 32 vulnerabilities across 10 products, with the most severe being two critical flaws in Adobe Connect.


