Full Report
16 Critical, 102 Important, 0 Moderate, 0 Low

Microsoft addresses 118 CVEs in its May 2026 Patch Tuesday release, with no zero-days exploited in the wild or publicly disclosed for the first time since June 2024.

Microsoft patched 118 CVEs in its May 2026 Patch Tuesday release, with 16 rated critical and 102 rated as important. Our counts omitted CVE-2025-54518, an AMD CPU OP Cache Corruption vulnerability issued by AMD.

This month’s update includes patches for:

- .NET
- ASP.NET Core
- Azure AI Foundry M365 published agents
- Azure Cloud Shell
- Azure Connected Machine Agent
- Azure DevOps
- Azure Entra ID
- Azure Logic Apps
- Azure Machine Learning
- Azure Managed Instance for Apache Cassandra
- Azure Monitor Agent
- Azure Notification Service
- Azure SDK
- Copilot Chat (Microsoft Edge)
- Data Deduplication
- Dynamics Business Central
- GitHub Copilot and Visual Studio
- M365 Copilot
- M365 Copilot for Desktop
- Microsoft Data Formulator
- Microsoft Dynamics 365 (on-premises)
- Microsoft Dynamics 365 Customer Insights
- Microsoft Edge (Chromium-based)
- Microsoft Edge for Android
- Microsoft Office
- Microsoft Office Click-To-Run
- Microsoft Office Excel
- Microsoft Office PowerPoint
- Microsoft Office SharePoint
- Microsoft Office Word
- Microsoft Partner Center
- Microsoft SSO Plugin for Jira & Confluence
- Microsoft Teams
- Microsoft Windows DNS
- Power Automate
- SQL Server
- Telnet Client
- Visual Studio Code
- Windows Admin Center
- Windows Ancillary Function Driver for WinSock
- Windows Application Identity (AppID) Subsystem
- Windows Cloud Files Mini Filter Driver
- Windows Common Log File System Driver
- Windows Cryptographic Services
- Windows DWM Core Library
- Windows Event Logging Service
- Windows Filtering Platform (WFP)
- Windows GDI
- Windows Hyper-V
- Windows Internet Key Exchange (IKE) Protocol
- Windows Kernel
- Windows Kernel-Mode Drivers
- Windows LDAP - Lightweight Directory Access Protocol
- Windows Link-Layer Discovery Protocol (LLDP)
- Windows Message Queuing
- Windows Native WiFi Miniport Driver
- Windows Netlogon
- Windows Print Spooler Components
- Windows Projected File System
- Windows Remote Desktop
- Windows Rich Text Edit
- Windows Rich Text Edit Control
- Windows SMB Client
- Windows Secure Boot
- Windows Storage Spaces Controller
- Windows Storport Miniport Driver
- Windows TCP/IP
- Windows Telephony Service
- Windows Volume Manager Extension Driver
- Windows Win32K - GRFX
- Windows Win32K - ICOMP

Elevation of Privilege (EoP) vulnerabilities accounted for 48.3% of the vulnerabilities patched this month, followed by remote code execution (RCE) vulnerabilities at 24.6%.

## Critical: CVE-2026-41103 | Microsoft SSO Plugin for Jira & Confluence Elevation of Privilege Vulnerability

CVE-2026-41103 is an elevation of privilege vulnerability affecting Microsoft Single-Sign-On (SSO) Plugin for Jira & Confluence. It was assigned a CVSSv3 score of 9.1 and is rated as critical. It was assessed as "Exploitation More Likely" according to Microsoft's Exploitability Index. An unauthorized attacker could exploit this vulnerability during the process of logging in by sending a specially crafted response message. Successful exploitation would allow the attacker to sign in using a forged identity without Microsoft Entra ID authentication, enabling access to or allowing an attacker to modify data in Jira and Confluence. However, the accessible information is not unfettered, as it is limited by the access defined by the targeted servers for the authorized user.

## Important: CVE-2026-33841, CVE-2026-35420, CVE-2026-40369 | Windows Kernel Elevation of Privilege Vulnerabilities

CVE-2026-33841, CVE-2026-35420 and CVE-2026-40369 are EoP vulnerabilities affecting the Windows Kernel. Each of the flaws has been assigned a CVSSv3 score of 7.8 and rated as important. Both CVE-2026-33841 and CVE-2026-40369 were assessed as "Exploitation More Likely." These flaws could be abused by a local attacker to elevate to SYSTEM or, in the case of CVE-2026-33841, to Medium/High integrity level.
Including these three EoPs, there have been 13 disclosed Windows Kernel EoP vulnerabilities addressed so far in 2026.

## Critical: CVE-2026-40361, CVE-2026-40364, CVE-2026-40366 and CVE-2026-40367 | Microsoft Word Remote Code Execution Vulnerabilities

CVE-2026-40361, CVE-2026-40364, CVE-2026-40366 and CVE-2026-40367 are RCE vulnerabilities affecting Microsoft Word. Each of these RCEs was assigned a CVSSv3 score of 8.4 and rated as critical, though CVE-2026-40361 and CVE-2026-40364 were the only ones assessed to be “Exploitation More Likely.” An attacker could exploit these flaws through social engineering by sending the malicious file to an intended target. Successful exploitation would grant code execution privileges to the attacker. Additionally, Microsoft notes that the Preview Pane is an attack vector for each of these vulnerabilities.

## Critical: CVE-2026-41089 | Windows Netlogon Remote Code Execution Vulnerability

CVE-2026-41089 is an RCE vulnerability affecting Windows Netlogon, a Windows Server process used for authentication within a domain. It was assigned a CVSSv3 score of 9.8 and rated as critical. A remote, unauthenticated attacker could exploit this flaw by sending a crafted network request to a Windows server running as a domain controller. This packet could exploit a stack-based buffer overflow flaw, allowing the attacker to execute code on an affected system. Despite the critical severity and near-perfect CVSSv3 score, this flaw was assessed by Microsoft as “Exploitation Less Likely.”

## Tenable Solutions

A list of all the plugins released for Microsoft’s May 2026 Patch Tuesday update can be found here.
As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.

For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.

## Get more information

- Microsoft's May 2026 Security Updates
- Tenable plugins for Microsoft May 2026 Patch Tuesday Security Updates

Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.

Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Analysis Summary
# Vulnerability: Microsoft May 2026 Patch Tuesday Summary
## CVE Details
- **CVE IDs**: 118 CVEs addressed (notably **CVE-2026-41103**, **CVE-2026-41089**, **CVE-2026-40361**, **CVE-2026-33841**)
- **CVSS Scores**: Range from 7.8 to 9.8
- **Severity**: 16 Critical, 102 Important
- **CWE**: Stack-based Buffer Overflow (CVE-2026-41089), Improper Authentication (CVE-2026-41103)
## Affected Systems
- **Microsoft SSO Plugin**: Jira & Confluence
- **Windows Server**: Domain Controllers (Netlogon)
- **Windows Kernel**: General OS versions
- **Microsoft Office**: Word, Excel, PowerPoint, SharePoint
- **Developer Tools**: Visual Studio, VS Code, GitHub Copilot
- **Cloud/Azure**: Azure Entra ID, Azure DevOps, Azure Machine Learning, Azure Monitor
## Vulnerability Description
This month's release focuses on two primary categories: **Elevation of Privilege (48.3%)** and **Remote Code Execution (24.6%)**.
- **SSO Authentication Bypass**: CVE-2026-41103 allows attackers to forge identities to bypass Entra ID authentication for Jira/Confluence.
- **Kernel Memory Corruption**: Multiple CVEs (e.g., CVE-2026-33841) allow local processes to escape sandboxes and gain SYSTEM privileges.
- **Netlogon Overflow**: CVE-2026-41089 involves a stack-based buffer overflow in the Netlogon process when handling crafted network requests.
## Exploitation
- **Status**: No zero-days exploited in the wild at the time of release.
- **Complexity**:
  - **Low**: Netlogon (Network-based) and Word (Social Engineering).
  - **Medium**: Kernel (Local elevation requiring existing access).
- **Attack Vector**:
  - **Network**: CVE-2026-41103, CVE-2026-41089.
  - **Local**: Windows Kernel vulnerabilities.
  - **User Interaction**: Office/Word RCEs via malicious files.
## Impact
- **Confidentiality**: **High** (Access to sensitive data in Jira/Confluence/SharePoint).
- **Integrity**: **High** (Ability to modify system files and forge identities).
- **Availability**: **High** (Full system takeover via RCE or SYSTEM elevation).
## Remediation
### Patches
- Apply the **May 2026 Patch Tuesday cumulative updates** for all affected Windows OS versions and Office suites.
- Update Microsoft SSO Plugins for Jira & Confluence via the respective marketplaces or admin portals.
### Workarounds
- **Office Preview Pane**: For Word RCEs, disabling the Preview Pane in Windows Explorer can mitigate the primary attack vector.
- **Network Filtering**: Restrict RPC/Netlogon traffic to trusted domain controllers only.
## Detection
- **Indicators of Compromise**: Monitor for unexpected identity logins in Jira/Confluence that bypass Entra ID logs. Check for unusual stack-based crashes in `lsass.exe` or Netlogon services.
- **Tools**: Tenable users should utilize the "May 2026" plugin family to scan for unpatched assets.
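
As an added example (not part of the original report), the Jira/Confluence check above can be written as a log correlation: flag every application SSO login that has no successful Entra ID sign-in for the same user and app shortly before it. The record fields, app names and 5-minute window are assumptions, and the sample records are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample records. Field names are hypothetical and do not
# reflect a real Jira, Confluence or Entra ID log schema.
ENTRA_SIGNINS = [
    {"user": "alice@example.com", "app": "Jira SSO", "time": "2026-05-13T08:01:10", "result": "success"},
    {"user": "bob@example.com", "app": "Jira SSO", "time": "2026-05-13T08:05:00", "result": "failure"},
    {"user": "carol@example.com", "app": "Confluence SSO", "time": "2026-05-13T07:10:00", "result": "success"},
]
APP_LOGINS = [
    {"user": "alice@example.com", "app": "Jira SSO", "time": "2026-05-13T08:01:14", "src_ip": "198.51.100.7"},
    {"user": "bob@example.com", "app": "Jira SSO", "time": "2026-05-13T08:05:03", "src_ip": "198.51.100.9"},
    {"user": "carol@example.com", "app": "Confluence SSO", "time": "2026-05-13T09:30:00", "src_ip": "203.0.113.20"},
    {"user": "dave@example.com", "app": "Jira SSO", "time": "2026-05-13T08:20:00", "src_ip": "203.0.113.5"},
]

# Assumed maximum delay between the IdP sign-in and the app session start.
WINDOW = timedelta(minutes=5)


def unmatched_sso_logins(app_logins, entra_signins, window=WINDOW):
    """Return app logins with no successful Entra ID sign-in for the same
    user and app within `window` before the login."""
    successes = {}
    for s in entra_signins:
        if s["result"] == "success":  # failed sign-ins must not vouch for a session
            key = (s["user"].lower(), s["app"])
            successes.setdefault(key, []).append(datetime.fromisoformat(s["time"]))

    findings = []
    for login in app_logins:
        t = datetime.fromisoformat(login["time"])
        candidates = successes.get((login["user"].lower(), login["app"]), [])
        if not any(timedelta(0) <= t - s <= window for s in candidates):
            findings.append(login)
    return findings


if __name__ == "__main__":
    for f in unmatched_sso_logins(APP_LOGINS, ENTRA_SIGNINS):
        print(f"no Entra ID sign-in for {f['user']} -> {f['app']} "
              f"at {f['time']} from {f['src_ip']}")
```

Set the window from the observed sign-in-to-session delay in your environment and allow for clock skew between the two log sources, otherwise legitimate logins will be flagged.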
## References
- [Microsoft May 2026 Security Updates] hxxps://msrc[.]microsoft[.]com/update-guide/en-us/releaseNote/2026-May
- [Tenable Analysis] hxxps://www[.]tenable[.]com/blog/microsofts-may-2026-patch-tuesday-addresses-118-cves-cve-2026-41103