This Patch Tuesday includes fixes for 17 "critical" bugs; 14 are RCEs, 2 are EOPs and 1 is an info-disclosure bug.
Here are the categories of bugs included with this month's Patch Tuesday:
- Security feature bypass flaws: 6
- Denial of service flaws: 8
- Elevation of privilege flaws: 61
- Spoofing flaws: 13
- Information disclosure flaws: 14
- Remote code execution flaws: 31
This Patch Tuesday report only contains security patches released by Microsoft today. Therefore, this patch report will exclude all of the previously patched bugs within Mariner, Azure, Copilot, Microsoft Teams and Microsoft Partner Center that were patched last week. It will also exclude all of the Microsoft Edge / Chromium patches that were fixed by Google this month (there were over 130).
If you wish to read about the non-security related fixes made to the above mentioned OSes, we have separate articles detailing the Windows 11 KB5089549 & KB5087420 cumulative updates and the Windows 10 KB5087544 extended security update.
Notable bugs
There were no known zero-day bugs addressed in this month's Patch Tuesday from Microsoft. Some other notable bugs fixed in today's updates include several bugs in Microsoft Office, Word and Excel that can cause RCE.
The majority of the bugs being referenced can be triggered when someone opens a malicious file and/or the preview pane. Many organisations use Microsoft Office daily and therefore it is highly recommended that you upgrade your version of Microsoft Office at your earliest convenience, especially if your organisation receives a lot of email attachments.
Some examples of other notable bugs include:
- CVE-2026-35421 – the Windows GDI remote code execution vulnerability: if a user opens a malicious Enhanced Metafile (.EMF), a hacker may be able to execute code through the user's copy of Microsoft Paint.
- CVE-2026-40365 – the Microsoft SharePoint Server remote code execution vulnerability: an authenticated hacker can use a network-based attack to execute arbitrary code on a SharePoint server.
- CVE-2026-41096 – the Windows DNS Client remote code execution vulnerability: a DNS server controlled by an attacker sends a specially crafted DNS response to a Windows system running a vulnerable DNS client. Due to this issue being improperly processed by the DNS Client, it causes corruption to the memory space used by the system. This allows the attacker to run their own code on the target Windows system remotely.
Updates from other companies
In addition to Microsoft releasing its Patch Tuesday updates this past week, Adobe also released several security patches in May 2026. These security patches were released for After Effects, Premiere Pro, Media Encoder, Commerce, Illustrator and several other applications. Also, AMD announced its release of several updates for a recently identified elevation of privilege vulnerability in the CPU operation (op/µop) cache found on Zen 2-based CPUs. Additionally, Apple released security updates for several operating systems, including macOS, iOS, watchOS, iPadOS, visionOS and tvOS. Cisco Systems announced that it had released multiple security updates for several products, including a denial-of-service vulnerability requiring manual reboot of the system after remediation. In addition to these releases, Fortinet announced its releases of security updates for two critical flaws found in both FortiSandbox and FortiAuthenticator. Google announced its monthly Android security bulletin, which included fixes for ten vulnerabilities. Ivanti announced that it had released a security update addressing a high-severity RCE vulnerability in Ivanti Endpoint Manager Mobile (EPMM). Mozilla announced security updates for five Firefox vulnerabilities. Palo Alto Networks issued a warning regarding a critical PAN-OS User-ID Authentication Portal flaw that has been exploited as a zero-day. Although there are currently no patches available for this flaw, users can mitigate against exploitation. SAP announced the availability of May 2026 security updates containing one high-severity and two critical fixes. Finally, vm2 announced its release of security updates addressing a critical vulnerability in the very popular Node.js sandbox library.
