Microsoft has marked May 2026 Patch Tuesday by releasing fixes for more than 120 CVE-numbered vulnerabilities. For a change, none of these flaws are actively exploited in the wild or have been publicly disclosed prior to the patch release. While the absence of zero-days offers a brief respite for security teams, the sheer volume of updates and the severity of several vulnerabilities mean that immediate patching remains critical.
A Busy Patch Cycle Without Zero-Days
Patch Tuesday is Microsoft's monthly cycle of security updates, typically released on the second Tuesday of each month. The May 2026 release is noteworthy not only for its size—over 120 vulnerabilities—but also for the fact that it contains no zero-days. Zero-days are vulnerabilities that are already known to attackers or publicly disclosed before a patch is available, and they often require emergency fixes. In recent months, Microsoft has had to address several zero-days, making this month's clean slate a positive development for defenders. However, security experts caution that organizations should not become complacent, as some of the patched flaws could be just as dangerous if left unaddressed.
Critical Remote Code Execution in Microsoft Word
Among the most concerning vulnerabilities in this release are four critical remote code execution (RCE) bugs affecting Microsoft Word. Two of these—CVE-2026-40361 and CVE-2026-40364—have been flagged by Microsoft as more likely to be exploited. These flaws can be triggered when an attacker sends a malicious document to a target. Unlike many document-based attacks, exploitation does not require the user to open the file; simply previewing the document in the Preview Pane is enough to compromise the system. This makes the attack vector particularly dangerous in enterprise environments where users often preview emails or attachments without full attention. Patching these vulnerabilities should be a top priority for any organization using Microsoft Office.
The Preview Pane feature in Windows Explorer and Outlook allows users to see the contents of a file without fully opening it. While convenient, it has historically been a source of security risks. By exploiting a memory corruption flaw in Word's parsing engine, an attacker can execute arbitrary code with the privileges of the logged-on user. This could lead to data theft, installation of malware, or lateral movement within a network. The two other Word RCE bugs (CVE-2026-40362 and CVE-2026-40363) are also critical but have been rated as less likely to be exploited in the near term. Nonetheless, a comprehensive patching strategy should cover all four.
Netlogon RCE: A Pre-Auth Domain Controller Threat
Another vulnerability that demands urgent attention is CVE-2026-41089, a stack-based buffer overflow in the Windows Netlogon Remote Protocol. This flaw allows an unauthenticated attacker to send a specially crafted network request to a Windows server acting as a domain controller, potentially leading to remote code execution. Because the vulnerability can be exploited without authentication, it poses a serious risk to Active Directory environments. Historically, similar issues in Netlogon—such as the infamous Zerologon (CVE-2020-1472)—have been used in widespread attacks to compromise domain controllers and gain full network control.
Security researchers emphasize that all domain controllers should be patched in the same maintenance window to avoid leaving part of the forest vulnerable. A half-patched environment can be a weak link. In addition to applying the security update, network administrators are advised to restrict Netlogon traffic at the network layer. Domain controllers typically do not need to accept Netlogon requests from untrusted network segments, so implementing firewall rules can reduce the attack surface. The vulnerability requires no user interaction and can be triggered by sending a malicious packet directly to a vulnerable DC. Given the critical role of domain controllers in authentication and authorization, this patch should be deployed without delay.
Hyper-V Elevation of Privilege: Guest-to-Host Escalation
CVE-2026-40402 is an elevation of privilege (EoP) vulnerability in Microsoft's Hyper-V hypervisor. According to Microsoft, this issue allows a malicious guest virtual machine (VM) to force the host's kernel to read from a memory address chosen by the attacker. Such a capability could potentially set the stage for a guest-to-host escape, giving an attacker full control over the physical host and all other VMs running on it. Although Microsoft rates this vulnerability as less likely to be exploited, the consequences of a successful attack are severe.
Organizations that run multi-tenant virtual desktop infrastructure (VDI), on-premises virtualization with untrusted workloads, or any Hyper-V host that runs guests not fully controlled by the IT team should prioritize this patch. In many cloud environments, a guest-to-host breakout could compromise the entire infrastructure. The vulnerability exists in the Hyper-V kernel component and can be triggered by a carefully crafted set of instructions from within a VM. Patching is the only reliable defense, as there are no known workarounds that completely mitigate the risk. Administrators should also ensure that Hyper-V hosts are isolated from untrusted networks and that VMs are regularly updated.
DNS Client Remote Code Execution: Broad Attack Surface
The final vulnerability that security experts are urging organizations to address is CVE-2026-41096, a remote code execution bug in the Windows DNS Client. The DNS Client runs on virtually every Windows machine—workstations, servers, and even some embedded systems. An attacker who can influence DNS responses, for example through a man-in-the-middle (MitM) position or by compromising a DNS server, can exploit this flaw to execute arbitrary code on the target system without authentication.
The exact configurations that make exploitation possible have not been detailed by Microsoft, but the potential attack surface is enormous. Any Windows host that issues a DNS query could be vulnerable if an attacker controls the resolver or can intercept traffic. In many enterprise networks, internal DNS servers are used to resolve both internal and external names. If an attacker gains a foothold in the network, they could manipulate DNS responses to target other systems. Patching all Windows endpoints and servers is essential. Additionally, securing DNS infrastructure with DNSSEC, segmenting networks to prevent MitM attacks, and monitoring DNS traffic for anomalies can help reduce risk. This vulnerability is a reminder that even foundational network services like DNS can be vectors for sophisticated attacks.
Other Notable Fixes and Broader Implications
Beyond the highlighted vulnerabilities, the May 2026 Patch Tuesday includes fixes for issues in Microsoft Edge, Exchange Server, Windows Kernel, and various other components. While none of these are classified as zero-days, several are rated important and could lead to privilege escalation, spoofing, or information disclosure. Security teams should review the full list of patches and prioritize deployment based on their environment's risk profile.
This month's release also underscores the ongoing challenge of maintaining security in a large ecosystem. With over 120 vulnerabilities patched in a single month, the pace of discovery and remediation is relentless. The absence of zero-days is welcome, but it does not mean that attackers have been idle. Many of the flaws fixed this month could have been discovered by researchers or inadvertently exposed through normal software use. The key takeaway for organizations is to establish a systematic patching process that can rapidly deploy updates, especially for high-risk vulnerabilities like those affecting core infrastructure components.
In recent years, Microsoft has improved its transparency around exploitability and attack vectors through the Exploitability Index and the release of detailed security advisories. This month's patches reflect a continued effort to provide actionable intelligence. However, the responsibility ultimately lies with IT administrators to prioritize updates and ensure that all systems are protected.
As the threat landscape evolves, Patch Tuesday remains a critical lifeline for organizations. The May 2026 release, while free of zero-days, serves as a reminder that even without active exploitation, the potential for damage is high. By addressing the vulnerabilities in Microsoft Word, Netlogon, Hyper-V, and DNS Client first, defenders can significantly reduce their exposure to common attack vectors.
Source: Help Net Security News