Microsoft’s May 2026 Patch Tuesday patched 138 vulnerabilities in a single release. That is a number that gives pause even for people accustomed to these cycles.
The affected products span virtually the entire Microsoft portfolio: Windows and its components, Office, Edge, Azure, .NET, Visual Studio, SQL Server, the various Copilot products, and, a detail that will raise an eyebrow or two, the Telnet client. Curiously, in 2026, the Telnet client still needs a security patch.
30 of these bugs are rated Critical. The rest range from Important down to Moderate and Low. None of them, at the time of release, were listed as publicly known or already being exploited in the wild. That is worth something, even if it is not a reason to relax.
It is also worth noting that this wave of fixes lands just days before Pwn2Own Berlin, the international competition where security researchers race to find and exploit vulnerabilities in widely used systems. Vendors routinely accelerate their release cycles ahead of the event to shrink the exposed surface. The unusually high volume of submissions this month likely also reflects the growing role of AI in vulnerability research, even if only in drafting the reports.
Here are the bugs that deserve immediate attention, followed by a broader list of the most significant flaws this month.
A critical flaw in the Windows DNS Client could let attackers remotely execute code by sending malicious DNS responses, without authentication or user interaction. Because the DNS client runs on nearly all Windows systems, attackers using rogue DNS servers or man-in-the-middle attacks could silently compromise large enterprise networks.
A critical Windows Netlogon flaw could let unauthenticated attackers remotely execute code on domain controllers using crafted network requests. The bug requires no credentials or user interaction and carries a CVSS score of 9.8. Because it is potentially wormable, a successful attack could compromise an entire Windows domain, making it one of the most urgent patches in the latest security updates.
A critical code injection flaw in Microsoft Dynamics 365 On-Premises received a rare CVSS score of 9.9. The vulnerability includes a scope change, meaning attackers could impact resources beyond the targeted component after successful exploitation. Because such flaws are uncommon and potentially severe, organizations running on-premises Dynamics 365 should prioritize patching immediately.
A use-after-free flaw in the Windows TCP/IP stack could theoretically allow unauthenticated remote code execution without user interaction, making it another potentially wormable issue. However, exploitation would require sustained memory pressure on the target system, which makes real-world attacks less likely. Microsoft also patched two Word vulnerabilities that can trigger simply through the Preview Pane, without users opening a malicious document. Security researchers say patching remains the most effective defense against these threats.
Below are the most Notable CVEs fixed with Microsoft Patch Tuesday for May 2026:
Among Microsoft’s 138 patches this month, the most urgent fixes are for Netlogon, the Windows DNS Client, Dynamics 365, and Microsoft Word vulnerabilities. Security experts recommend prioritizing these flaws due to their high impact and low user interaction requirements, while applying the remaining updates as quickly as possible through normal patch cycles.
The full list of CVEs addressed by Microsoft Patch Tuesday for May 2026 is available here.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, Patch Tuesday)
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。