Microsoft Patch Tuesday – May 2026

Today is Microsoft Patch Tuesday for May 2026. There are 137 vulnerabilities that have been addressed this time around. There are no confirmed zero-days this month, no vulnerabilities are flagged as exploited or publicly disclosed. The release however does include 30 Critical issues, with several unauthenticated remote code execution flaws in core Windows networking components and on-premises server products that warrant prioritized patching.

Notable Patch Tuesday vulnerabilities for May

• CVE-2026-41089 A stack-based buffer overflow in Windows Netlogon allows unauthenticated remote code execution. As Netlogon runs on every domain controller, this should be the top priority for environments running on-premises Active Directory.
• CVE-2026-41096 A heap-based buffer overflow in the Windows DNS client allows unauthenticated remote code execution. Any Windows system performing DNS resolution is exposed, with the highest risk on resolvers handling responses from untrusted networks.
• CVE-2026-40402 A use-after-free in Windows Hyper-V lets an attacker inside a guest VM escape to the host, with the scope change impacting the hypervisor and other tenants. Particularly relevant for multi-tenant or lab environments running untrusted workloads.
• CVE-2026-42898 A code injection flaw in Microsoft Dynamics 365 (on-premises) allows a low-privileged authenticated user to execute code over the network. Any compromised user account could be enough to gain a foothold on the application tier.
• CVE-2026-40365 An access-control flaw in Microsoft SharePoint Server allows an authenticated user to execute code on the server. On-premises farms should apply the May updates without delay, given SharePoint’s history as a target for post-authentication exploit chains.
• CVE-2026-40361 A use-after-free in Microsoft Word triggers code execution when a crafted document is opened or previewed. Rated Critical and assessed as “Exploitation More Likely”, treat as a near-term workstation risk.
• CVE-2026-40364 A type confusion in Microsoft Word with the same trigger and the same “Exploitation More Likely” assessment. Two likely-exploitable Word RCEs in one release means Word should be a priority this cycle.
• CVE-2026-40397 An elevation of privilege issue in the Windows Common Log File System (CLFS) driver, assessed as “Exploitation More Likely”. CLFS has been a recurring in-the-wild SYSTEM-level escalation primitive, so don’t wait for a confirmed exploit.
• CVE-2026-32161 A race condition in the Windows Native WiFi Miniport Driver lets an attacker on an adjacent network execute code on a target. Complexity is high, but mobile workstations using Wi-Fi in shared environments remain in reach.

For more detailed information on these and other vulnerabilities, please refer to the release notes: https://msrc.microsoft.com/update-guide/releaseNote/2026-May

Need help addressing the above in your own organization? Speak to an Outpost24 expert.

About the Author

Marcus White Cybersecurity Specialist, Outpost24

Marcus is an Outpost24 cybersecurity specialist based in the UK, with 8+ years experience in the tech and cyber sectors. He writes about attack surface management, application security, threat intelligence, and compliance.