





















Microsoft has addressed 130 vulnerabilities in its May 2026 security update release, fewer than April’s 164 vulnerabilities. This month's patches include fixes for 30 Critical vulnerabilities, along with 100 additional vulnerabilities of varying severity levels.
This month's leading risk types by exploitation technique are elevation of privilege with 61 patches (47%), remote code execution (RCE) with 31 patches (24%), and information disclosure with 15 (11%).
Microsoft Windows received the most patches this month with 66, followed by Office with 24 and Azure with 16.
CVE-2026-42826 is a Critical information disclosure vulnerability affecting Azure DevOps and has a CVSS score of 10. This vulnerability allows unauthenticated remote attackers to disclose sensitive information over a network through an exposure of sensitive information flaw (CWE-200). Microsoft has proactively remediated this vulnerability within the cloud infrastructure without requiring any customer intervention.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 10 | CVE-2026-42826 | Microsoft Azure DevOps Information Disclosure Vulnerability | No |
CVE-2026-33109 and CVE-2026-33844 are Critical RCE vulnerabilities affecting Azure Managed Instance for Apache Cassandra, with CVSS scores of 9.9 and 9.0, respectively. Azure Managed Instance for Apache Cassandra is a fully managed cloud service for deploying and scaling Apache Cassandra clusters; RCE vulnerabilities in this service could allow attackers to compromise sensitive data workloads and underlying infrastructure.
An improper access control flaw (CVE-2026-33109) allows low-privileged remote attackers to execute arbitrary code with no user interaction required. An improper input validation flaw (CVE-2026-33844) similarly allows low-privileged remote attackers to execute code, though user interaction is required. Microsoft has proactively remediated these vulnerabilities within its cloud infrastructure without requiring any customer intervention.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 9.9 | CVE-2026-33109 | Azure Managed Instance for Apache Cassandra RCE Vulnerability | No |
| Critical | 9.0 | CVE-2026-33844 | Azure Managed Instance for Apache Cassandra RCE Vulnerability | No |
CVE-2026-42898 is a Critical RCE vulnerability affecting Microsoft Dynamics 365 (on-premises) and has a CVSS score of 9.9. A code injection flaw (CWE-94) allows any authenticated remote attacker to execute code over a network with no user interaction required. An attacker could exploit this by modifying the saved state of a process session in Dynamics CRM and triggering the system to process that data, causing the server to unintentionally execute malicious code. An official fix is available for customers to deploy.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 9.9 | CVE-2026-42898 | Microsoft Dynamics 365 On-Premises RCE Vulnerability | Yes |
CVE-2026-41089 is a Critical RCE vulnerability affecting Windows Netlogon and has a CVSS score of 9.8. A stack-based buffer overflow flaw (CWE-121) allows unauthenticated remote attackers to execute code with no user interaction and low attack complexity. An attacker could send a specially crafted network request to a Windows server running as a domain controller, causing the Netlogon service to improperly handle the request and execute malicious code without requiring any prior access or credentials. An official fix is available for customers to deploy.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 9.8 | CVE-2026-41089 | Windows Netlogon RCE Vulnerability | Yes |
CVE-2026-41096 is a Critical RCE vulnerability affecting the Windows DNS Client and has a CVSS score of 9.8. A heap-based buffer overflow flaw (CWE-122) allows unauthenticated remote attackers to execute code with no user interaction and low attack complexity. An attacker could send a specially crafted DNS response to a vulnerable Windows system, causing the DNS Client to incorrectly process the response and corrupt memory, potentially enabling RCE without authentication.
While the Windows DNS Client is present on virtually all Windows workstations and servers, practical exploitation requires an attacker to be in a position to intercept or respond to a system's DNS requests, such as through DNS spoofing, a rogue DNS server, or a machine-in-the-middle position on the network, which represents a meaningful prerequisite to exploitation. An official fix is available for customers to deploy.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 9.8 | CVE-2026-41096 | Windows DNS Client RCE Vulnerability | Yes |
CVE-2026-33823 is a Critical information disclosure vulnerability affecting the Microsoft Teams Events Portal and has a CVSS score of 9.6. An improper authorization flaw (CWE-285) allows low-privileged remote attackers to disclose sensitive information over a network with no user interaction and low attack complexity. Microsoft has proactively remediated this vulnerability within its cloud infrastructure without requiring any customer intervention.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 9.6 | CVE-2026-33823 | Microsoft Teams Events Portal Information Disclosure Vulnerability | No |
CVE-2026-35428 is a Critical spoofing vulnerability affecting Azure Cloud Shell and has a CVSS score of 9.6. A command injection flaw (CWE-77) allows unauthenticated remote attackers to perform spoofing over a network. The vulnerability requires user interaction and has a changed scope with high confidentiality, integrity, and availability impact. Microsoft has proactively remediated this vulnerability within its cloud infrastructure without requiring any customer intervention.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 9.6 | CVE-2026-35428 | Azure Cloud Shell Spoofing Vulnerability | No |
CVE-2026-40379 is a Critical spoofing vulnerability affecting Microsoft Enterprise Security Token Service (ESTS) and has a CVSS score of 9.3. An exposure of sensitive information flaw (CWE-200) in Azure Entra ID allows unauthenticated remote attackers to perform spoofing over a network. ESTS is the underlying token issuance infrastructure for Microsoft Entra ID (formerly Azure AD), responsible for authenticating users and issuing security tokens across Microsoft cloud services. A spoofing vulnerability here could allow attackers to impersonate users or services across any platform relying on Entra ID authentication.
The vulnerability requires user interaction and has a changed scope with high confidentiality and integrity impact. Microsoft has proactively remediated this vulnerability within its cloud infrastructure without requiring any customer intervention.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 9.3 | CVE-2026-40379 | Microsoft ESTS Spoofing Vulnerability | No |
CVE-2026-40402 is a Critical elevation of privilege vulnerability affecting Windows Hyper-V and has a CVSS score of 9.3. A use-after-free flaw (CWE-416) allows a low-privileged guest VM to elevate privileges and gain access to the Hyper-V host environment. A guest VM could exploit this by forcing the Hyper-V host's kernel to read from an arbitrary address, potentially allowing the attacker to traverse the guest's security boundary. In most circumstances, this would result in a denial of service of the host; however, exploitation could also trigger hardware device-specific side effects that may further compromise host security. An official fix is available for customers to deploy.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 9.3 | CVE-2026-40402 | Windows Hyper-V Elevation of Privilege Vulnerability | Yes |
CVE-2026-41103 is a Critical elevation of privilege vulnerability affecting the Microsoft SSO Plugin for Jira and Confluence and has a CVSS score of 9.1. An incorrect implementation of an authentication algorithm (CWE-303) allows unauthenticated remote attackers to elevate privileges with no user interaction and low attack complexity. The Microsoft SSO Plugin enables organizations to use Microsoft Entra ID as an identity provider for Atlassian Jira and Confluence; an authentication bypass in this plugin could allow attackers to impersonate users across these platforms.
An attacker could send a specially crafted single sign-on (SSO) response during the login process to forge an identity, bypassing Microsoft Entra ID authentication entirely and gaining unauthorized access to Jira or Confluence with the permissions of the compromised account. An official fix is available for customers to deploy.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 9.1 | CVE-2026-41103 | Microsoft SSO Plugin for Jira and Confluence Elevation of Privilege Vulnerability | Yes |
CVE-2026-32207 is a Critical spoofing vulnerability affecting Azure Machine Learning Notebook and has a CVSS score of 8.8. A cross-site scripting flaw (CWE-79) allows unauthenticated remote attackers to perform spoofing over a network. Microsoft has proactively remediated this vulnerability within its cloud infrastructure without requiring any customer intervention.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 8.8 | CVE-2026-32207 | Azure Machine Learning Notebook Spoofing Vulnerability | No |
CVE-2026-35421 is a Critical RCE vulnerability affecting Windows Graphics Device Interface (GDI) and has a CVSS score of 7.8. GDI is a core Windows component responsible for rendering graphics and formatted text to display and print devices; it natively processes Enhanced Metafile (EMF) files, a Windows graphics format used to store vector and bitmap image data. A heap-based buffer overflow flaw (CWE-122) allows unauthenticated attackers to execute code locally on a target system. Exploitation requires a user to open a specially crafted EMF file in Microsoft Paint. An official fix is available for customers to deploy.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 7.8 | CVE-2026-35421 | Windows GDI RCE Vulnerability | Yes |
CVE-2026-32161 is a Critical RCE vulnerability affecting the Windows Native WiFi Miniport Driver and has a CVSS score of 7.5. The Windows Native WiFi Miniport Driver is the kernel-level driver responsible for managing wireless network connections on Windows systems. A race condition flaw (CWE-362) allows unauthenticated attackers on an adjacent network to execute code with no user interaction. The attack is limited to systems on the same network segment as the attacker and cannot be performed across multiple networks. Exploitation requires specific network configurations and timing conditions, making it unreliable across all environments and contributing to the high attack complexity rating. An official fix is available for customers to deploy.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 7.5 | CVE-2026-32161 | Windows Native WiFi Miniport Driver RCE Vulnerability | Yes |
CVE-2026-40403 is a Critical RCE vulnerability affecting the Windows Graphics Component and has a CVSS score of 8.8. A heap-based buffer overflow flaw (CWE-122) in Windows Win32K - GRFX could allow an authorized attacker to execute arbitrary code locally. Any authenticated attacker could trigger this vulnerability without requiring admin or elevated privileges. An attacker could exploit this vulnerability by gaining access to a local guest VM in order to attack the host OS. Successful exploitation could also lead to a contained execution environment escape. An official fix is available for customers to deploy.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 8.8 | CVE-2026-40403 | Windows Graphics Component RCE Vulnerability | Yes |
CVE-2026-40365 is a Critical RCE vulnerability affecting Microsoft SharePoint Server and has a CVSS score of 8.8. An insufficient granularity of access control flaw (CWE-1220) in Microsoft SharePoint could allow an authorized attacker to execute arbitrary code over a network. In a network-based attack, an authenticated attacker with at least Site Owner permissions could inject and execute arbitrary code remotely on the SharePoint Server. An official fix is available for customers to deploy.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 8.8 | CVE-2026-40365 | Microsoft SharePoint Server RCE Vulnerability | Yes |
CVE-2026-35435 is a Critical elevation of privilege vulnerability affecting Azure AI Foundry and has a CVSS score of 8.6. An improper access control flaw (CWE-284) in Azure AI Foundry M365 published agents could allow an unauthorized remote attacker to elevate their privileges over a network. Microsoft has proactively remediated this vulnerability within its cloud infrastructure without requiring any customer intervention.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 8.6 | CVE-2026-35435 | Azure AI Foundry Elevation of Privilege Vulnerability | No |
CVE-2026-40367, CVE-2026-40364, CVE-2026-40366, and CVE-2026-40361 are Critical RCE vulnerabilities in Microsoft Word, all with a CVSS score of 8.4. These vulnerabilities allow unauthorized attackers to execute arbitrary code locally through an untrusted pointer dereference flaw (CVE-2026-40367), a type confusion flaw (CVE-2026-40364), and use-after-free flaws (CVE-2026-40366, CVE-2026-40361). The Preview Pane is an attack vector for all four vulnerabilities. Official fixes are available for customers to deploy.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 8.4 | CVE-2026-40367 | Microsoft Word RCE Vulnerability | Yes |
| Critical | 8.4 | CVE-2026-40366 | Microsoft Word RCE Vulnerability | Yes |
| Critical | 8.4 | CVE-2026-40364 | Microsoft Word RCE Vulnerability | Yes |
| Critical | 8.4 | CVE-2026-40361 | Microsoft Word RCE Vulnerability | Yes |
CVE-2026-34327 is a Critical spoofing vulnerability affecting Microsoft Partner Center and has a CVSS score of 8.2. An externally controlled reference to a resource in another sphere flaw (CWE-610) could allow an unauthorized remote attacker to perform spoofing over a network. Microsoft has proactively remediated this vulnerability within its cloud infrastructure without requiring any customer intervention.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 8.2 | CVE-2026-34327 | Microsoft Partner Center Spoofing Vulnerability | No |
CVE-2026-41105 is a Critical elevation of privilege vulnerability affecting the Azure Monitor Action Group notification system and has a CVSS score of 8.1. A server-side request forgery (SSRF) flaw (CWE-918) in the Azure Notification Service could allow an authorized remote attacker to elevate their privileges over a network. Microsoft has proactively remediated this vulnerability within its cloud infrastructure without requiring any customer intervention.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 8.1 | CVE-2026-41105 | Azure Monitor Action Group Notification System Elevation of Privilege Vulnerability | No |
CVE-2026-40358 and CVE-2026-40363 are Critical remote code execution vulnerabilities in Microsoft Office, both with a CVSS score of 8.4. These vulnerabilities allow unauthorized attackers to execute arbitrary code locally through a use-after-free flaw (CVE-2026-40358) and a heap-based buffer overflow flaw (CVE-2026-40363). The Preview Pane is an attack vector for both vulnerabilities. Official fixes are available for customers to deploy.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 8.4 | CVE-2026-40358 | Microsoft Office RCE Vulnerability | Yes |
| Critical | 8.4 | CVE-2026-40363 | Microsoft Office RCE Vulnerability | Yes |
CVE-2026-42831 is a Critical remote code execution vulnerability in Microsoft Office LTSC for Mac 2021 and has a CVSS score of 7.8. A heap-based buffer overflow flaw (CWE-122) could allow an unauthorized attacker to execute arbitrary code locally. The Preview Pane is not an attack vector; exploitation requires an attacker to convince a user to open a specially crafted malicious Office file. An official fix is available for customers to deploy.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 7.8 | CVE-2026-42831 | Microsoft Office LTSC for Mac 2021 RCE Vulnerability | Yes |
CVE-2026-33821 is a Critical elevation of privilege vulnerability affecting Microsoft Dynamics 365 Customer Insights and has a CVSS score of 7.7. An improper privilege management flaw (CWE-269) could allow an authorized remote attacker to elevate their privileges over a network. Microsoft has proactively remediated this vulnerability within its cloud infrastructure without requiring any customer intervention.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 7.7 | CVE-2026-33821 | Microsoft Dynamics 365 Customer Insights Elevation of Privilege Vulnerability | No |
CVE-2026-26129 and CVE-2026-26164 are Critical information disclosure vulnerabilities affecting Microsoft 365 Copilot's Business Chat, both with a CVSS score of 7.5. These vulnerabilities allow unauthorized remote attackers to disclose sensitive information over a network through improper neutralization of special elements (CVE-2026-26129) and improper neutralization of special elements in output used by a downstream component (CVE-2026-26164) in M365 Copilot. Microsoft has proactively remediated these vulnerabilities within its cloud infrastructure without requiring any customer intervention.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 7.5 | CVE-2026-26129 | M365 Copilot Information Disclosure Vulnerability | No |
| Critical | 7.5 | CVE-2026-26164 | M365 Copilot Information Disclosure Vulnerability | No |
CVE-2026-33111 is a Critical information disclosure vulnerability affecting Copilot Chat in Microsoft Edge and has a CVSS score of 7.5. A command injection flaw (CWE-77) in Copilot Chat could allow an unauthorized remote attacker to disclose sensitive information over a network through improper neutralization of special elements used in a command. Microsoft has proactively remediated this vulnerability within its cloud infrastructure without requiring any customer intervention.
| Severity | CVSS Score | CVE | Description | Action Required? |
| Critical | 7.5 | CVE-2026-33111 | Copilot Chat (Microsoft Edge) Information Disclosure Vulnerability | No |
For a visual overview of the systems impacted by this month’s vulnerabilities, you can use our Patch Tuesday dashboard. This can be found in the CrowdStrike Falcon® platform within the Exposure Management > Vulnerability Management > Dashboards page. The preset dashboards show the most recent three months of Patch Tuesday vulnerabilities.
As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists.
Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization's methods for cybersecurity and improve your overall security posture.
The CrowdStrike Falcon platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.
Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposures here.
The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。