Microsoft May Patch Tuesday: 120 Fixes, No Zero-Days

A Closer Look at the May 2026 Patch Tuesday Landscape

Microsoft’s May security release is a hefty one. The company patched approximately 120 vulnerabilities across its ecosystem this Patch Tuesday. Notably, none of these flaws were publicly known or actively exploited at the time of release, giving administrators a rare head start. While the absence of zero-days is welcome, the volume of fixes still demands a strategic response.

microsoft may patch tuesday

This month’s update is notably broad. The roughly 120 security flaws addressed span from on-premises software like SharePoint Server to cloud-native services like Azure Logic Apps. While the lack of zero-days is a positive sign, it doesn’t diminish the urgency. Several of the vulnerabilities patched could allow an attacker to execute arbitrary code remotely, effectively handing over the keys to a system without any user interaction. For IT professionals, this release serves as a reminder that patch management is a continuous cycle. The volume alone can be overwhelming, but a strategic approach to prioritizing fixes is essential for maintaining a strong security posture.

Critical Vulnerabilities Demand Immediate Attention

Among the roughly 120 fixes, a handful stand out due to their severity and the widespread nature of the affected software. These Critical-rated vulnerabilities should be at the very top of every administrator’s deployment list.

Microsoft Office and SharePoint Remote Code Execution

The Office suite received multiple Critical patches. CVE-2026-40361, CVE-2026-40367, and CVE-2026-40364 are all Remote Code Execution (RCE) vulnerabilities in Microsoft Word. An attacker could exploit these by convincing a user to open a specially crafted file, potentially through a phishing email. Similarly, SharePoint Server received a Critical RCE patch under CVE-2026-40365, alongside several Important RCE fixes. Given how central SharePoint is to document management and collaboration in many organizations, this is a high-priority area.

Dynamics 365 On-Premises RCE

Businesses running Dynamics 365 on their own servers need to act fast. CVE-2026-42898 is a Critical RCE vulnerability that could allow an unauthenticated attacker to execute arbitrary code remotely. The on-premises nature of this software means it often falls outside standard cloud update cycles, making manual intervention crucial for protection.

M365 Copilot Information Disclosure

As AI tools like Microsoft 365 Copilot become deeply integrated into workflows, their security is paramount. CVE-2026-26164 is a Critical information disclosure vulnerability in M365 Copilot. While the specifics are kept vague to allow for patching, the potential for sensitive data leakage through an AI assistant is a serious concern for enterprises adopting these tools.

SSO Plugin for Jira and Confluence

Many development teams rely on Atlassian’s Jira and Confluence, often secured via Microsoft’s SSO plugin. CVE-2026-41103 is a Critical elevation of privilege vulnerability in this plugin. If exploited, it could allow an attacker to gain higher-level access within these project management tools, potentially exposing source code or strategic business plans.

Important Patches Across the Microsoft Ecosystem

Beyond the Critical flaws, a vast number of Important patches address a wide range of attack vectors. These may not allow for immediate system takeover, but they are frequently the stepping stones attackers use to gain a foothold inside a network.

.NET and ASP.NET Core

Developers should pay close attention to the.NET updates. CVE-2026-35433 and CVE-2026-32177 are elevation of privilege vulnerabilities, while CVE-2026-32175 is a tampering vulnerability in.NET Core. On the web framework side, CVE-2026-42899 is a denial of service vulnerability in ASP.NET Core. A carefully crafted request could crash a web application, making this a stability risk for cloud-hosted services.

Azure Services: Logic Apps, Monitor Agent, and Machine Learning

Microsoft’s cloud platform received several patches. CVE-2026-42823 is an elevation of privilege flaw in Azure Logic Apps. CVE-2026-32204 and CVE-2026-42830 affect the Azure Monitor Agent, which is used to collect telemetry data from virtual machines. CVE-2026-33833 is a spoofing vulnerability in Azure Machine Learning Notebooks. These patches highlight the complexity of securing a modern cloud environment where deeply integrated services can become unexpected attack vectors.

AMD CPU OP Cache Corruption

In a rare move, Microsoft patched an AMD CPU vulnerability (CVE-2025-54518) related to OP Cache corruption. This flaw, rated Important, is a hardware-level issue that could allow for information disclosure or privilege escalation. Microsoft’s involvement indicates it is addressed via a microcode update or a Windows kernel workaround. This is a great example of the deepening collaboration between OS vendors and hardware manufacturers to fix silicon-level bugs after production.

Microsoft Teams and Copilot Spoofing

Collaboration tools remain a favorite target for social engineers. CVE-2026-32185 is an Important spoofing vulnerability in Microsoft Teams. CVE-2026-41100 and CVE-2026-41614 are spoofing vulnerabilities in Microsoft 365 Copilot for Android and Desktop, respectively. These could allow an attacker to impersonate a trusted user or service, tricking victims into sharing credentials or sensitive data.

GitHub Copilot and VS Code Security Bypass

For developers, CVE-2026-41109 is a security feature bypass vulnerability in GitHub Copilot and Visual Studio Code. While details are sparse, a bypass in these tools could undermine code integrity or expose development environments to risk, making this a must-patch for software teams.

The Broader Reach of This Month’s Fixes

The updates also touch nearly every corner of the Microsoft ecosystem. Excel received patches for information disclosure (CVE-2026-40360) and remote code execution (CVE-2026-40362, CVE-2026-40359). PowerPoint for Android was fixed for a spoofing flaw (CVE-2026-41102). Even the Data Deduplication service received an elevation of privilege fix (CVE-2026-41095). The Azure SDK for Java had a security feature bypass vulnerability (CVE-2026-33117) that could affect custom cloud applications. Microsoft Dynamics 365 Business Central also received an elevation of privilege patch (CVE-2026-40417), which is critical for ERP environments.

The sheer diversity of these fixes illustrates a key point: security is not just about the operating system. Attackers will probe any connected service or application. The Azure Connected Machine Agent (CVE-2026-40381) and the Microsoft Data Formulator (CVE-2026-41094) are examples of niche but critical components that, if left unpatched, could provide a beachhead for an attacker.

You may also enjoy reading: Your Guide to Lubbock Hotels Near Texas Tech: Wingate by Wyndham.

What Makes This Patch Tuesday Unique?

The absence of zero-days in this massive update is statistically notable. In recent months, Microsoft has frequently had to address actively exploited flaws. This clean slate gives IT teams a chance to get ahead of the curve. It also suggests that Microsoft’s internal security review processes, including its bug bounty programs and secure-by-design initiatives, are yielding tangible results.

Furthermore, the inclusion of the AMD CPU vulnerability (CVE-2025-54518) in a Windows Patch Tuesday release shows how firmware and hardware security are becoming a standard part of the monthly update cycle. This is a trend that began with the Meltdown and Spectre era and is now a routine part of system maintenance. The collaboration required to patch silicon-level bugs is immense, and seeing it executed smoothly is a positive sign for the industry.

Actionable Steps for Securing Your Environment

Dealing with a patch load of this size requires a clear plan. Here are the steps IT administrators should take immediately to protect their organizations.

Prioritize Based on Risk

Start with the Critical RCE vulnerabilities in Office, SharePoint, and Dynamics 365. These represent the highest risk to most organizations because they often require little user interaction to exploit. Next, move on to the Important patches affecting internet-facing services like ASP.NET Core and Azure components. Finally, schedule the remaining fixes for your next maintenance window.

Review and Update Cloud Configurations

Many Azure and M365 patches require more than just clicking “Update”. They may involve updating agents (like the Azure Monitor Agent), restarting services, or applying configuration changes. Review the specific documentation for CVE-2026-32204 and CVE-2026-42823 to ensure the fix is fully applied across your cloud tenants.

Test Before Full Deployment

If you manage a large fleet of devices, test the Office and.NET updates on a pilot group first. While Microsoft patches are generally reliable, conflicts with legacy software or internal tools can occur. A staged rollout prevents widespread disruption if an unexpected compatibility issue arises.

Enable Automatic Updates for Consumers

For home users, the easiest way to stay protected is to enable automatic updates for Windows and Microsoft 365. The operating system and Office apps will download and install these patches in the background, ensuring you are protected against known threats without manual effort. Simply restarting your computer once a week is often enough to apply these critical fixes.