Microsoft May 2026 Patch Tuesday Fixes 120 Vulnerabilities With No Zero-Days

May 14, 2026

Microsoft has released its May 2026 Patch Tuesday security updates, addressing 120 vulnerabilities across Windows, Microsoft Office, SharePoint Server, Azure-related services, Hyper-V, and enterprise networking components. Unlike previous months, this update cycle did not include any actively exploited or publicly disclosed zero-day vulnerabilities.

Even without zero-days, the release remains significant for enterprise defenders due to the large number of critical remote code execution (RCE) vulnerabilities and privilege escalation flaws patched this month. Security teams are being urged to prioritize updates affecting Microsoft Office, SharePoint, Windows DNS Client, and Hyper-V environments.

Patch Tuesday Overview

| Category | Count |
|---|---|
| Total Vulnerabilities Fixed | 120 |
| Critical Vulnerabilities | 17 |
| Remote Code Execution Flaws | 31 |
| Elevation of Privilege Flaws | 61 |
| Information Disclosure Flaws | 14 |
| Spoofing Vulnerabilities | 13 |
| Denial of Service Vulnerabilities | 8 |
| Security Feature Bypass Flaws | 6 |
| Publicly Disclosed Zero-Days | 0 |
| Actively Exploited Zero-Days | 0 |

Counts exclude Microsoft Edge, Mariner, Azure, Copilot, Teams, and Partner Center vulnerabilities patched separately earlier this month.

Most Notable Vulnerabilities

CVE-2026-40365 — Microsoft SharePoint Server Remote Code Execution

Microsoft patched a high-risk remote code execution vulnerability impacting SharePoint Server. The flaw allows authenticated attackers to execute arbitrary code remotely over a network against vulnerable SharePoint deployments. Organizations using internet-facing or internally exposed SharePoint environments should prioritize this update immediately.

CVE-2026-41096 — Windows DNS Client Remote Code Execution

A vulnerability in the Windows DNS Client service could allow attackers controlling a malicious DNS server to trigger memory corruption and achieve remote code execution. The issue is particularly concerning because exploitation may occur simply through interaction with crafted DNS responses.

CVE-2026-35421 — Windows GDI Remote Code Execution

Microsoft also fixed a Windows GDI vulnerability exploitable through specially crafted Enhanced Metafile (EMF) images. Opening a malicious image in applications such as Microsoft Paint could potentially lead to arbitrary code execution on affected systems.

Microsoft Office Remains a High-Risk Target

Several of the patched vulnerabilities impact Microsoft Office, Word, and Excel. According to security researchers, many of these flaws can be exploited through malicious document attachments, with some capable of triggering through the preview pane alone. This reinforces the continued effectiveness of phishing-based delivery techniques in enterprise attacks.

Organizations handling external email attachments or relying heavily on Office-based workflows should treat these updates as high priority.

No Zero-Days Does Not Mean Low Risk

This Patch Tuesday marks one of the first Microsoft update cycles in recent years without publicly disclosed or actively exploited zero-day vulnerabilities. However, cybersecurity experts warn that the large number of critical RCE vulnerabilities still creates substantial enterprise risk if systems remain unpatched.

Historically, attackers frequently reverse-engineer Patch Tuesday fixes to develop exploits shortly after updates are released — a phenomenon commonly referred to as “Exploit Wednesday.”

Additional Vendor Security Updates

Alongside Microsoft’s releases, several other major vendors published security updates this week, including:

  • Adobe updates for After Effects, Premiere Pro, Illustrator, and Commerce

  • Apple security updates across macOS, iOS, iPadOS, and watchOS

  • Cisco patches for multiple networking products

  • Fortinet fixes for FortiSandbox and FortiAuthenticator

  • Mozilla Firefox vulnerability patches

  • Google Android and Chrome security updates

What Security Teams Should Do Now

Security teams should prioritize patch deployment for:

  1. SharePoint Server environments

  2. Microsoft Office installations

  3. Windows DNS Client systems

  4. Hyper-V infrastructure

  5. Internet-facing Windows servers

Organizations should also continue monitoring for post-patch exploit development and phishing campaigns leveraging malicious Office documents.

Timely patch deployment remains one of the most effective defenses against ransomware operators and advanced intrusion campaigns targeting enterprise environments.

