Microsoftβs May 2026 Patch Tuesday addresses 120 vulnerabilities across Windows, Office, SharePoint, the Windows DNS Client, and dozens of other components β a significant workload for security teams entering the mid-year patching cycle. Whilst the absence of actively exploited zero-days may lower the perceived urgency of this release, the presence of wormable network-facing RCEs means defenders who delay beyond this week are taking on measurable risk.
What Was Patched
Of the 120 CVEs addressed, 17 are rated Critical, 61 are Elevation of Privilege (EoP) flaws, and 14 are Remote Code Execution (RCE) vulnerabilities. The breakdown reveals the extent of the Windows attack surface: kernel components, networking stacks, graphics subsystems, collaboration platforms, and productivity software are all represented.
The most significant entries in this release:
- CVE-2026-41096 β Windows DNS Client RCE. An attacker controlling a DNS server can send a crafted DNS response that corrupts memory on any Windows system resolving through it. No user interaction required beyond standard DNS activity. Network-based exploitation without authentication makes this a candidate for rapid weaponisation.
- CVE-2026-40365 β SharePoint Server RCE. Authenticated network exploitation enabling code execution on SharePoint infrastructure. Any environment with SharePoint accessible to internal users β which is most enterprise deployments β is in scope.
- CVE-2026-35421 β Windows GDI RCE via crafted EMF files. Exploitation via document or image delivery; relevant to any organisation receiving external files by email or shared storage.
The May updates apply to Windows 10 (KB5087544), Windows 11 22H2/23H2 (KB5089549), Windows 11 24H2 (KB5087420), and Windows Server 2019 through 2025.
Why It Matters
The absence of zero-days does not reduce the operational significance of this release. Threat actors routinely reverse-engineer patches within 24 to 72 hours of release β a pattern consistently documented by CISA, Google Project Zero, and multiple incident response firms. The DNS Client vulnerability has characteristics that invite rapid adaptation: it is network-accessible, requires no authentication, and affects all supported Windows versions.
The 61 EoP vulnerabilities represent a secondary concern. In post-exploitation workflows, EoP bugs are the currency of lateral movement and persistence. An attacker who gains a low-privilege foothold via phishing or another initial access vector can chain an unpatched EoP to reach SYSTEM or domain-level access.
This release also coincides with May patch cycles from SAP, Fortinet, AMD, and Adobe β meaning security teams face a multi-vendor patching sprint across a single week.
Recommended Actions
- Within 24 hours: Apply May updates to all internet-facing Windows Server instances and DNS infrastructure. Prioritise CVE-2026-41096 on DNS resolvers and any system that receives externally-sourced DNS responses.
- Within 48 hours: Patch SharePoint Server farms, particularly those accessible from broader network segments or external partner networks.
- This week: Roll out updates to all Windows endpoints via WSUS or Intune. Validate that Windows GDI (CVE-2026-35421) patches have applied to user-facing endpoints handling external email attachments.
- Ongoing: Monitor Microsoft MSRC and CISA KEV for any of this monthβs CVEs entering active exploitation. A zero-day-free Patch Tuesday does not mean exploitation-free by month end.
Broader Context
May 2026βs release continues a pattern of high-volume Patch Tuesdays β the third consecutive month with over 100 CVEs addressed. Security teams managing large Windows estates are under sustained patching pressure with limited relief. Prioritisation frameworks that go beyond CVSS score β specifically those that weight attack vector, authentication requirements, and prevalence in enterprise environments β are increasingly necessary to avoid patch-fatigue-driven gaps.
Share this article