No Zero-Days, but Plenty to Patch in Microsoft May Update
Microsoft's May Patch Tuesday release broke a long zero-day streak, arriving without any vulnerabilities listed as exploited or publicly disclosed.
For IT teams, the work is still substantial. Microsoft fixed 138 CVEs in May, including 30 rated "critical," across Microsoft products and services.
"The May 2026 Patch Tuesday Release breaks a long-standing streak as the first release in nearly two years not to include a zero-day," said Satnam Narang, senior staff research engineer at Tenable. "Every release since July 2024 has included at least one zero-day either exploited or publicly disclosed, averaging 3.5 per month across a 22-month streak."
Azure DevOps Gets the Highest Score
CVE-2026-42826 is the highest-rated flaw this month, an Azure DevOps information disclosure bug with a CVSS score of 10.0.
Microsoft did not provide many details, but a 10.0 score is hard to ignore and is a strong signal to patch as soon as possible, especially where enterprise data is currently stored or handled in Azure DevOps.
Dynamics 365 On-Premises RCE
CVE-2026-42898, rated 9.9, stems from improper control of code generation. If left unpatched, an attacker with low privileges could execute code over the network by manipulating process session data inside Dynamics CRM.
"With no user interaction required, and the potential to impact systems beyond the vulnerable component's original security scope, this vulnerability poses serious enterprise risk: an attacker with only basic access could turn a business application server into a remote execution platform," said Jack Bicer, director of vulnerability research at Action1.
Bicer said a Dynamics 365 compromise could expose customer records, workflows, financial information and connected business systems. That is the broader concern for enterprise environments, where CRMs often sit close to identity services, databases and other applications.
Netlogon Bug Puts Domain Controllers in Focus
CVE-2026-41089 is a 9.8-rated Netlogon flaw that could let an unauthenticated attacker run code on a domain controller by sending a malicious network request. No credentials or user interaction are required.
"Domain controllers are core identity infrastructure," said Mike Walters, president and co-founder of Action1. "A successful exploit could compromise authentication, expose credentials, enable broad lateral movement, and disrupt access to business-critical systems. This could lead to ransomware deployment, data theft, and widespread operational outage."
DNS Client RCE Widens the Exposure
Another high-priority Windows bug is in the DNS Client, which runs broadly across enterprise Windows environments.
CVE-2026-41096, also rated 9.8, can be triggered by a malicious DNS response. An attacker able to influence DNS responses could use the heap-based buffer overflow to achieve unauthenticated remote code execution.
"Because DNS is a core networking service used across enterprise environments, exploitation could impact a large number of systems rapidly," Bicer said. "Successful attacks may lead to widespread endpoint compromise, ransomware deployment, credential harvesting, and operational disruption across corporate networks."
Azure Cloud Shell Spoofing
Microsoft also fixed CVE-2026-35428, a 9.6-rated spoofing issue in Azure Cloud Shell.
Not many specifics were released on this, but the rating puts it on the shortlist for cloud administrators, particularly in environments where Cloud Shell is used for administrative work.
Word Preview Pane Bugs Return
Four remote code execution bugs -- CVE-2026-40361, CVE-2026-40364, CVE-2026-40366 and CVE-2026-40367 -- can be triggered through the Preview Pane by merely previewing a malicious document.
"A couple of vulnerabilities stand out in this release," Narang said. "Microsoft patched four critical remote code execution bugs in Microsoft Word, all with the same CVSS scores (8.4), but only two (CVE-2026-40361, CVE-2026-40364) are considered more likely to be exploited."
"Therefore, patching is the most reliable way to protect against flaws like these," Narang said.
Azure, Hyper-V and Office Also Get Fixes
The rest of the critical list spans cloud services, virtualization, productivity apps and Windows networking.
Azure received fixes for two Managed Instance for Apache Cassandra remote code execution vulnerabilities, along with bugs in Azure AI Foundry, Azure Machine Learning and Azure Monitor.
Virtualization teams also have items to review. Windows Hyper-V received a fix for a 9.3-rated elevation of privilege flaw that could allow a guest-to-host escape, while a related Windows Graphics Component flaw carries a guest-to-host risk rated 8.8.
SharePoint Server received a remote code execution fix requiring authenticated access. Two additional Office RCE bugs share the Preview Pane exposure. Copilot Chat in Edge and Microsoft 365 Copilot also received information disclosure fixes rated 7.5.
Microsoft also patched remote code execution issues in the Windows TCP/IP stack, WiFi drivers and graphics subsystems. Some require specific conditions, including network adjacency or sustained low-memory states. Office for Android received a 7.8-rated RCE fix.