120 Vulnerabilities Fixed as Microsoft Targets Critical Remote Code Execution Risks. Here’s What Matters in Microsoft’s May 2026 Patches.
Microsoft’s May 2026 Patch Tuesday includes fixes for 120 vulnerabilities, with no publicly disclosed zero-days this month. Of the flaws addressed, 17 are rated Critical, including 14 remote code execution (RCE) vulnerabilities.
Key vulnerability categories included:
- 61 Elevation of Privilege flaws
- 31 Remote Code Execution flaws
- 14 Information Disclosure flaws
- 13 Spoofing vulnerabilities
- 8 Denial of Service flaws
- 6 Security Feature Bypass issues
Some of the most notable vulnerabilities include:
- Multiple Microsoft Office, Word and Excel RCE flaws that can be triggered by opening malicious files, including via the preview pane. Organisations handling frequent email attachments are strongly advised to patch quickly.
- CVE-2026-35421: A Windows GDI RCE flaw exploitable through malicious EMF files opened in Microsoft Paint.
- CVE-2026-40365: A SharePoint Server RCE vulnerability allowing authenticated attackers to remotely execute code.
- CVE-2026-41096: A Windows DNS Client RCE vulnerability where malicious DNS responses could lead to memory corruption and remote code execution.
Microsoft also clarified that this count excludes fixes previously released for products such as Azure, Teams, Copilot, and Microsoft Edge/Chromium.
Alongside Microsoft’s updates, several major vendors released important security advisories this month, including:
- Adobe
- Apple
- Cisco
- Fortinet
- Google Android
- Ivanti (following active zero-day exploitation)
- Mozilla
- Palo Alto Networks
- SAP
- vm2 Node.js sandboxing library
The May updates continue to highlight a strong focus on remote code execution vulnerabilities, particularly those involving malicious files, identity infrastructure, and network services.