Microsoft has dropped a heavy-hitting security update for May 2026, addressing a total of 137 vulnerabilities. This month’s release is particularly dense, featuring 30 Critical and 103 Important-severity flaws across the tech giant’s ecosystem.
While no publicly disclosed zero-days were addressed this cycle, the sheer volume of Remote Code Execution (RCE) and Elevation of Privilege (EoP) patches makes this a mandatory update for IT teams.
The May update covers an expansive range of products, including Windows Hyper-V, .NET, M365 Copilot, and the Windows Kernel. Additionally, Microsoft noted that 128 vulnerabilities in the Chromium-based Edge browser were addressed earlier this month.
| Category | Quantity | Critical Count |
|---|---|---|
| Elevation of Privilege | 61 | 5 |
| Remote Code Execution | 31 | 16 |
| Spoofing | 15 | 4 |
| Information Disclosure | 15 | 5 |
| Denial of Service | 8 | 8 |
| Security Feature Bypass | 6 | 0 |
Security teams should prioritize the following high-impact patches to prevent unauthenticated network attacks:
- Netlogon Network Attack (CVE-2026-41089): A stack-based buffer overflow in Windows Netlogon could allow an unauthenticated attacker to execute code over the network. An attacker can trigger this by sending a specially crafted request to a server acting as a Domain Controller.
- Office & Word Vulnerabilities: Microsoft Word and Office were hit with several RCE flaws (including CVE-2026-40364 and CVE-2026-40361) stemming from type confusion and use-after-free vulnerabilities. These allow attackers to execute code remotely if a user opens a malicious file.
- Windows GDI (CVE-2026-35421): A heap-based buffer overflow in the Windows Graphics Device Interface (GDI) provides another avenue for unauthenticated remote code execution.
One of the more unusual critical flaws this month is CVE-2026-41103, affecting the Microsoft SSO Plugin for Jira & Confluence.
Due to an incorrect authentication algorithm, an unauthenticated attacker can send a crafted SSO response to trick the system into accepting a forged identity. This allows the attacker to sign in without ever authenticating through Microsoft Entra ID, potentially granting full access to sensitive project management data.
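The flaw above comes down to an authentication step that accepted an identity it had not verified. As an added example, not code from the page or from the affected plugin, the following Python sketches the checks a service provider must apply to an SSO response before trusting the identity it carries, and contrasts them with a verifier that reads the claims without checking the signature. It assumes, for illustration only, a JSON assertion signed with HMAC-SHA256 under a shared key and carrying issuer, audience, subject and expiry claims; the real plugin's protocol and message format are not described on the page, and all keys, issuers and hostnames below are constructed.

```python
"""
Added example (not the page's or the plugin's code): the checks an SSO
response must pass before the identity it asserts is trusted.

Assumed format (not from the page): "<base64url(json claims)>.<base64url(hmac)>"
signed with HMAC-SHA256 over a key shared between IdP and service provider.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample configuration for the service provider side (not real values)
TRUSTED_ISSUER = "https://idp.example.test"
EXPECTED_AUDIENCE = "jira.example.test"
SHARED_KEY = b"constructed-demo-key"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_assertion(claims: dict, key: bytes) -> str:
    """IdP side: serialize the claims and append an HMAC-SHA256 tag."""
    payload = b64url(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{b64url(tag)}"


def verify_assertion(token: str, key: bytes, now: Optional[float] = None) -> Optional[dict]:
    """Service provider side: return the claims only if the signature, issuer,
    audience, expiry and subject all check out; otherwise return None."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".", 1)
        given = b64url_decode(sig)
    except Exception:
        return None
    # The tag is checked in constant time BEFORE any claim is read or acted on.
    expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None
    try:
        claims = json.loads(b64url_decode(payload))
    except Exception:
        return None
    if not isinstance(claims, dict):
        return None
    if claims.get("iss") != TRUSTED_ISSUER:          # came from the expected IdP
        return None
    if claims.get("aud") != EXPECTED_AUDIENCE:       # was minted for this application
        return None
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:  # still within its lifetime
        return None
    if not claims.get("sub"):                        # names an actual principal
        return None
    return claims


def naive_accept(token: str) -> Optional[dict]:
    """The failure mode, for contrast: trust whatever the payload says and
    never look at the tag. Any party can then assert any identity."""
    try:
        claims = json.loads(b64url_decode(token.split(".", 1)[0]))
    except Exception:
        return None
    return claims if isinstance(claims, dict) and claims.get("sub") else None


def demo(now: float = 1_700_000_000) -> dict:
    """Run a genuine and a forged assertion through both verifiers."""
    base = {"iss": TRUSTED_ISSUER, "aud": EXPECTED_AUDIENCE, "exp": now + 300}
    genuine = issue_assertion({**base, "sub": "alice"}, SHARED_KEY)
    # Forged: same claim layout, but signed under a key the IdP never issued.
    forged = issue_assertion({**base, "sub": "admin"}, b"not-the-shared-key")
    return {
        "genuine_verified": verify_assertion(genuine, SHARED_KEY, now) is not None,
        "forged_verified": verify_assertion(forged, SHARED_KEY, now) is not None,
        "forged_naively_accepted": naive_accept(forged) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The point of the contrast is ordering: the signature check must succeed before a single claim is consulted, and the issuer, audience and expiry checks are what stop a valid assertion issued for another application or another time from being replayed here.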
Microsoft’s push into AI and Cloud hasn’t been without its hurdles. Several “Critical” rated vulnerabilities were found in these modern services:
- M365 Copilot (CVE-2026-26129 & CVE-2026-26164): These Information Disclosure flaws could allow attackers to siphon data over the network by exploiting improper neutralization of special elements.
- Azure AI Foundry (CVE-2026-35435): An access-control flaw in M365 published agents allows unauthenticated attackers to elevate their privileges across the network.
- Hyper-V (CVE-2026-40402): A use-after-free vulnerability in Hyper-V could allow an attacker to jump from a guest or local environment to gain full SYSTEM privileges.