Security News Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero-days

Gandalf_The_Grey

Today is Microsoft's May 2026 Patch Tuesday, with security updates for 120 flaws and no zero-days disclosed.

This Patch Tuesday addresses 17 "Critical" vulnerabilities, 14 of which are remote code execution, 2 are elevation of privilege, and 1 is an information disclosure flaw.

The number of bugs in each vulnerability category is listed below:
  • 61 Elevation of Privilege Vulnerabilities
  • 6 Security Feature Bypass Vulnerabilities
  • 31 Remote Code Execution Vulnerabilities
  • 14 Information Disclosure Vulnerabilities
  • 8 Denial of Service Vulnerabilities
  • 13 Spoofing Vulnerabilities
When BleepingComputer reports on Patch Tuesday security updates, we only count those released by Microsoft today.

Therefore, the number of flaws does not include flaws in Mariner, Azure, Copilot, Microsoft Teams, and Microsoft Partner Center that were fixed by Microsoft earlier this month. There were also 131 Microsoft Edge/Chromium flaws that were fixed by Google this month, which were excluded.
 
That lines up with the usual Patch Tuesday pattern: a large volume of fixes, but the more important part is the exposure level of the affected components rather than the headline number alone.

What stands out

  • No publicly disclosed zero-days is the most reassuring part of this release.
  • 17 Critical vulnerabilities is still significant, especially with 14 of them being remote code execution issues.
  • 61 elevation of privilege flaws is also notable because those are commonly useful for post-compromise activity, even if they are not the initial entry point.

Practical takeaway

For most home users and businesses, the sensible response is straightforward:

  • Install the May 2026 cumulative updates as soon as practical.
  • Prioritize internet-facing and business-critical systems first.
  • Reboot promptly, because some fixes do not fully apply until restart.
  • If update-related stability is a concern, create a restore point or ensure recent backups exist before patching.

Why the raw count can be misleading

A month with “120 flaws” does not automatically mean it is worse than a month with fewer CVEs.

What matters more is:

  • Whether any flaws are being actively exploited
  • Whether the vulnerabilities allow remote code execution without user interaction
  • Which Windows components or enterprise services are affected
  • How broadly exposed those components are in real environments

So in this case, “no zero-days” reduces urgency somewhat, but “multiple Critical RCEs” still makes this a high-priority patch cycle.

For admins and advanced users

A reasonable rollout approach is:

  • Patch test machines first if you manage multiple endpoints
  • Review Microsoft’s official release notes and CVE details for affected roles such as Hyper-V, Office, Exchange-related components, or remote services if applicable
  • Check for known issues before wide deployment
  • Verify endpoint protection, EDR, and backup health before and after rollout

Bottom line

No zero-days is good news, but this is still not a “skip this month” release. The safest approach is to patch normally and without unnecessary delay.

Sources
 
ZDI: The May 2026 Security Update Review
I’m currently in Berlin helping set up for Pwn2Own Berlin, but that doesn’t stop Patch Tuesday from coming, and it’s another big one. At least nothing is listed as being in the wild – for now. Take a break from your regularly scheduled activities and let’s take a look at the latest security patches from Adobe and Microsoft. Due to technical difficulties, there will not be a video companion for this month.
Adobe Patches for May 2026

For May, Adobe released 10 bulletins addressing 52 unique CVEs in Adobe Commerce, After Effects, Adobe Connect, Illustrator, Media Encoder, Premiere Pro, Substance 3D Painter, Substance 3D Sampler, Content Authenticity SDK, and the Adobe Substance 3D Designer.

The obvious priority this month is the patch for Commerce, with its 15 bugs and deployment priority of 2. The Connect fix should also rank up there since both of its CVEs are CVSS 9s. Beyond those, it’s a pretty typical month for Adobe, with most of the bugs either being cross-site scripting (XSS) or open-and-own code executions.
Microsoft Patches for May 2026

This month, Microsoft released a whopping 138 new CVEs in Windows and Windows components, Office and Office Components, Microsoft Edge (Chromium-based), Azure, .NET and Visual Studio, Copilot Chat, GitHub Copilot, M365 Copilot, SQL Server, TCP/IP, and the Telnet Client – yes, the Telnet client. Two of these bugs were reported through the TrendAI ZDI program. 30 of these bugs are rated Critical, three are rated as Moderate, one is rated Low, and the rest are rated Important in severity.

This large volume of fixes follows the largest monthly release in Microsoft’s history and reflects the trend across the industry of a high number of submissions. While not all of these bugs were found by AI, it’s likely they had an AI-related component – even if it was just AI writing the submission. I should also point out the Pwn2Own Berlin occurs in just a few days, and it’s typical for vendors to patch as much as they can before the event.

None of the bugs patched by Microsoft this month are listed as publicly known or under active attack at the time of release, so we’ve got that going for us.
Looking Ahead

Assuming I survive Pwn2Own Berlin (which is looking iffy at the moment), I’ll return on June 9th on what will hopefully be a smaller release than this one. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!
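
The admin checklist above (patch test machines first, check known issues, verify EDR and backup health, reboot promptly) can be turned into a per-host pre-/post-rollout report. The script below is an added example for this thread, not code from BleepingComputer, ZDI or Microsoft. It assumes an elevated PowerShell session on the patched host, uses only built-in cmdlets (Get-HotFix, Get-MpComputerStatus, Get-Service, Get-CimInstance) and well-known registry locations for the pending-reboot check; the KB numbers and the EDR service name are placeholders, because the thread does not list the May 2026 KBs and every EDR vendor names its service differently.

```powershell
# Added example (not from the article or the thread): pre-/post-rollout check for one
# Windows host, matching the admin checklist in the post. Run elevated.
param(
    # Placeholder KB identifiers: replace with the KBs from Microsoft's May 2026 release notes.
    [string[]] $ExpectedKBs = @('KB0000001', 'KB0000002')
)

function Test-PendingReboot {
    # Three well-known indicators that an installed update still needs a restart.
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $sm  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $rename = (Get-ItemProperty -Path $sm -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    return (Test-Path $cbs) -or (Test-Path $wu) -or ($null -ne $rename -and $rename.Count -gt 0)
}

function Get-MissingKBs {
    # Compare the expected KB list against what Windows reports as installed.
    param([string[]] $KBs)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return @($KBs | Where-Object { $installed -notcontains $_ })
}

function Get-ProtectionHealth {
    # Defender status from the Defender module; a third-party EDR is checked by service name.
    $result = [ordered]@{}
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $result['RealTimeProtection'] = if ($mp) { $mp.RealTimeProtectionEnabled } else { 'n/a' }
    $result['SignatureAgeDays']   = if ($mp) { $mp.AntivirusSignatureAge } else { 'n/a' }
    # Hypothetical EDR service name; replace with the vendor's real service.
    $edr = Get-Service -Name 'ExampleEdrAgent' -ErrorAction SilentlyContinue
    $result['EdrServiceRunning']  = if ($edr) { $edr.Status -eq 'Running' } else { 'not found' }
    return $result
}

$missing = Get-MissingKBs -KBs $ExpectedKBs
[pscustomobject]@{
    ComputerName  = $env:COMPUTERNAME
    MissingKBs    = if ($missing.Count -gt 0) { $missing -join ',' } else { 'none' }
    PendingReboot = Test-PendingReboot
    Protection    = Get-ProtectionHealth
    LastBootTime  = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
} | Format-List
```

Run it once on the pilot machines before the wider rollout and again after: a host that still reports PendingReboot = True, or an EDR service that is not running after the restart, is the kind of thing the checklist says to catch before the update reaches production systems.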
 
I expected more patches since MS has access to Mythos, don't tell me they are in self-denial and following the 'not invented here' path (e.g. 'if our Copilot did not find any security bugs, then there are no security bugs').

Mozilla found 271 in the small program Firefox using Mythos, can't wait for the fix to come out.

Windows is many times Firefox's size, and should have plenty.
You understand there's no linear correlation to project size and bugs, right?
There isn't? But I have heard of the phrase 'bugs per 1000 lines of code'. Is that a dated understanding?

EDIT: ChatGPT gave me a detailed answer. Small, complex, poorly tested code would be more dangerous than a large UI code which is properly tested.
Bugs per 1000 lines of code is a coarse metric, which is still used.
I think they are probably waiting until ChatGPT model is more mature or general availability since they have a financial incentive to use it due to Copilot using it.

The bugs/vulnerabilities are coming though, just a matter of when. And I'm pretty sure MS doesn't want to release a Patch Tuesday with 1000 bugs/fixes, bad marketing.
 
bad marketing
Let's hope MS truly cares about security, more than their image. Their image is not that good anyways. I think an upfront response and offering timely patches will improve their image if anything. If more companies do like Mozilla and are honest about their security bugs, and MS stays silent, guess who will look worse?

I will suggest something so they can save face; release a "Windows 12" and put all the bug fixes in there.

If they are saying that 120 fixes is all they can do per month, then there is a resource allocation & focus problem.

They should be saying "Good riddance, now I can fix all the hidden legacy security bugs since NT, and focus on delivering innovation."
MS doesn't care what you think of it because you're going to use it anyway. You can whinge and moan about transparency and security but it doesn't mean much.

MS isn't going to sink billions into a redesign of Windows, they will do what they always do and patch every month and release a point release every year with minimal upgrades.
 
No Zero-Days and High Criticals: The May 2026 Windows Patch Tuesday Breakdown
Executive Summary
  • Release Date: May 12, 2026
  • Total Vulnerabilities: 120
  • Critical Vulnerabilities: 17
  • Zero-Days: 0
Key Action Item: Administrators must prioritize patching network-exposed infrastructure, specifically domain controllers affected by the Netlogon vulnerability (CVE-2026-41089) and systems running the Windows DNS Client. Simultaneously, Microsoft Office installations need immediate updates to mitigate several highly critical Remote Code Execution vulnerabilities that can be triggered simply via the Windows Preview Pane.

Important Patches
  • CVE-2026-41089 — Windows Netlogon Remote Code Execution Vulnerability
  • CVE-2026-41096 — Windows DNS Client Remote Code Execution Vulnerability
  • CVE-2026-42826 — Azure DevOps Information Disclosure Vulnerability
  • CVE-2026-40364 — Microsoft Office Word Remote Code Execution Vulnerability
  • CVE-2026-40402 — Windows Hyper-V Elevation of Privilege Vulnerability
  • CVE-2026-32185 — Microsoft Teams Spoofing Vulnerability
 
Nah, MS doesn't have to do anything special. No need to respond to any external events. Just wait until Mythos is publicly released. Then be sitting duck for hackers. Users will never complain. They're so stupid that they won't know what hit them. Reboot a few times - still don't work, blame the machine and buy a new one. Don't you know that the feedback app is just for show?

Hackers? Meh. We won't lift a finger until the CISA or FTC screams at us.