May 2026 Patch Tuesday: 30 Critical Vulnerabilities Among 130 CVEs

Microsoft has addressed 130 vulnerabilities in its May 2026 security update release, fewer than April’s 164 vulnerabilities. This month's patches include fixes for 30 Critical vulnerabilities, along with 100 additional vulnerabilities of varying severity levels.

May 2026 Risk Analysis

This month's leading risk types by exploitation technique are elevation of privilege with 61 patches (47%), remote code execution (RCE) with 31 patches (24%), and information disclosure with 15 (11%).

Critical Vulnerability in Azure DevOps

CVE-2026-42826 is a Critical information disclosure vulnerability affecting Azure DevOps and has a CVSS score of 10. This vulnerability allows unauthenticated remote attackers to disclose sensitive information over a network through an exposure of sensitive information flaw (CWE-200). Microsoft has proactively remediated this vulnerability within the cloud infrastructure without requiring any customer intervention.

Critical Vulnerabilities in Azure Managed Instance for Apache Cassandra

CVE-2026-33109 and CVE-2026-33844 are Critical RCE vulnerabilities affecting Azure Managed Instance for Apache Cassandra, with CVSS scores of 9.9 and 9.0, respectively. Azure Managed Instance for Apache Cassandra is a fully managed cloud service for deploying and scaling Apache Cassandra clusters; RCE vulnerabilities in this service could allow attackers to compromise sensitive data workloads and underlying infrastructure.

An improper access control flaw (CVE-2026-33109) allows low-privileged remote attackers to execute arbitrary code with no user interaction required. An improper input validation flaw (CVE-2026-33844) similarly allows low-privileged remote attackers to execute code, though user interaction is required. Microsoft has proactively remediated these vulnerabilities within its cloud infrastructure without requiring any customer intervention.

Critical Vulnerability in Microsoft Dynamics 365 On-Premises

CVE-2026-42898 is a Critical RCE vulnerability affecting Microsoft Dynamics 365 (on-premises) and has a CVSS score of 9.9. A code injection flaw (CWE-94) allows any authenticated remote attacker to execute code over a network with no user interaction required. An attacker could exploit this by modifying the saved state of a process session in Dynamics CRM and triggering the system to process that data, causing the server to unintentionally execute malicious code. An official fix is available for customers to deploy.

Critical Vulnerability in Windows Netlogon

CVE-2026-41089 is a Critical RCE vulnerability affecting Windows Netlogon and has a CVSS score of 9.8. A stack-based buffer overflow flaw (CWE-121) allows unauthenticated remote attackers to execute code with no user interaction and low attack complexity. An attacker could send a specially crafted network request to a Windows server running as a domain controller, causing the Netlogon service to improperly handle the request and execute malicious code without requiring any prior access or credentials. An official fix is available for customers to deploy.

Critical Vulnerability in Windows DNS Client

CVE-2026-41096 is a Critical RCE vulnerability affecting the Windows DNS Client and has a CVSS score of 9.8. A heap-based buffer overflow flaw (CWE-122) allows unauthenticated remote attackers to execute code with no user interaction and low attack complexity. An attacker could send a specially crafted DNS response to a vulnerable Windows system, causing the DNS Client to incorrectly process the response and corrupt memory, potentially enabling RCE without authentication. 

While the Windows DNS Client is present on virtually all Windows workstations and servers, practical exploitation requires an attacker to be in a position to intercept or respond to a system's DNS requests, such as through DNS spoofing, a rogue DNS server, or a machine-in-the-middle position on the network, which represents a meaningful prerequisite to exploitation. An official fix is available for customers to deploy.

Critical Vulnerability in Microsoft Teams Events Portal

CVE-2026-33823 is a Critical information disclosure vulnerability affecting the Microsoft Teams Events Portal and has a CVSS score of 9.6. An improper authorization flaw (CWE-285) allows low-privileged remote attackers to disclose sensitive information over a network with no user interaction and low attack complexity. Microsoft has proactively remediated this vulnerability within its cloud infrastructure without requiring any customer intervention.

Critical Spoofing Vulnerability in Azure Cloud Shell

CVE-2026-35428 is a Critical spoofing vulnerability affecting Azure Cloud Shell and has a CVSS score of 9.6. A command injection flaw (CWE-77) allows unauthenticated remote attackers to perform spoofing over a network. The vulnerability requires user interaction and has a changed scope with high confidentiality, integrity, and availability impact. Microsoft has proactively remediated this vulnerability within its cloud infrastructure without requiring any customer intervention.

Critical Spoofing Vulnerability in Microsoft Enterprise Security Token Service 

CVE-2026-40379 is a Critical spoofing vulnerability affecting Microsoft Enterprise Security Token Service (ESTS) and has a CVSS score of 9.3. An exposure of sensitive information flaw (CWE-200) in Azure Entra ID allows unauthenticated remote attackers to perform spoofing over a network. ESTS is the underlying token issuance infrastructure for Microsoft Entra ID (formerly Azure AD), responsible for authenticating users and issuing security tokens across Microsoft cloud services. A spoofing vulnerability here could allow attackers to impersonate users or services across any platform relying on Entra ID authentication. 

The vulnerability requires user interaction and has a changed scope with high confidentiality and integrity impact. Microsoft has proactively remediated this vulnerability within its cloud infrastructure without requiring any customer intervention.

Critical Elevation of Privilege Vulnerability in Windows Hyper-V

CVE-2026-40402 is a Critical elevation of privilege vulnerability affecting Windows Hyper-V and has a CVSS score of 9.3. A use-after-free flaw (CWE-416) allows a low-privileged guest VM to elevate privileges and gain access to the Hyper-V host environment. A guest VM could exploit this by forcing the Hyper-V host's kernel to read from an arbitrary address, potentially allowing the attacker to traverse the guest's security boundary. In most circumstances, this would result in a denial of service of the host; however, exploitation could also trigger hardware device-specific side effects that may further compromise host security. An official fix is available for customers to deploy.

Critical Elevation of Privilege Vulnerability in Microsoft SSO Plugin for Jira and Confluence

CVE-2026-41103 is a Critical elevation of privilege vulnerability affecting the Microsoft SSO Plugin for Jira and Confluence and has a CVSS score of 9.1. An incorrect implementation of an authentication algorithm (CWE-303) allows unauthenticated remote attackers to elevate privileges with no user interaction and low attack complexity. The Microsoft SSO Plugin enables organizations to use Microsoft Entra ID as an identity provider for Atlassian Jira and Confluence; an authentication bypass in this plugin could allow attackers to impersonate users across these platforms. 

An attacker could send a specially crafted single sign-on (SSO) response during the login process to forge an identity, bypassing Microsoft Entra ID authentication entirely and gaining unauthorized access to Jira or Confluence with the permissions of the compromised account. An official fix is available for customers to deploy.

Critical Spoofing Vulnerability in Azure Machine Learning Notebook

CVE-2026-32207 is a Critical spoofing vulnerability affecting Azure Machine Learning Notebook and has a CVSS score of 8.8. A cross-site scripting flaw (CWE-79) allows unauthenticated remote attackers to perform spoofing over a network. Microsoft has proactively remediated this vulnerability within its cloud infrastructure without requiring any customer intervention.

Critical RCE Vulnerability in Windows Graphics Device Interface

CVE-2026-35421 is a Critical RCE vulnerability affecting Windows Graphics Device Interface (GDI) and has a CVSS score of 7.8. GDI is a core Windows component responsible for rendering graphics and formatted text to display and print devices; it natively processes Enhanced Metafile (EMF) files, a Windows graphics format used to store vector and bitmap image data. A heap-based buffer overflow flaw (CWE-122) allows unauthenticated attackers to execute code locally on a target system. Exploitation requires a user to open a specially crafted EMF file in Microsoft Paint. An official fix is available for customers to deploy.

Critical RCE Vulnerability in Windows Native WiFi Miniport Driver

CVE-2026-32161 is a Critical RCE vulnerability affecting the Windows Native WiFi Miniport Driver and has a CVSS score of 7.5. The Windows Native WiFi Miniport Driver is the kernel-level driver responsible for managing wireless network connections on Windows systems. A race condition flaw (CWE-362) allows unauthenticated attackers on an adjacent network to execute code with no user interaction. The attack is limited to systems on the same network segment as the attacker and cannot be performed across multiple networks. Exploitation requires specific network configurations and timing conditions, making it unreliable across all environments and contributing to the high attack complexity rating. An official fix is available for customers to deploy.

Critical Vulnerability in Windows Graphics Component

CVE-2026-40403 is a Critical RCE vulnerability affecting the Windows Graphics Component and has a CVSS score of 8.8. A heap-based buffer overflow flaw (CWE-122) in Windows Win32K - GRFX could allow an authorized attacker to execute arbitrary code locally. Any authenticated attacker could trigger this vulnerability without requiring admin or elevated privileges. An attacker could exploit this vulnerability by gaining access to a local guest VM in order to attack the host OS. Successful exploitation could also lead to a contained execution environment escape. An official fix is available for customers to deploy.

Critical Vulnerability in Microsoft SharePoint Server

CVE-2026-40365 is a Critical RCE vulnerability affecting Microsoft SharePoint Server and has a CVSS score of 8.8. An insufficient granularity of access control flaw (CWE-1220) in Microsoft SharePoint could allow an authorized attacker to execute arbitrary code over a network. In a network-based attack, an authenticated attacker with at least Site Owner permissions could inject and execute arbitrary code remotely on the SharePoint Server. An official fix is available for customers to deploy.

Critical Vulnerability in Azure AI Foundry

CVE-2026-35435 is a Critical elevation of privilege vulnerability affecting Azure AI Foundry and has a CVSS score of 8.6. An improper access control flaw (CWE-284) in Azure AI Foundry M365 published agents could allow an unauthorized remote attacker to elevate their privileges over a network. Microsoft has proactively remediated this vulnerability within its cloud infrastructure without requiring any customer intervention.

Critical Vulnerabilities in Microsoft Word

CVE-2026-40367, CVE-2026-40364, CVE-2026-40366, and CVE-2026-40361 are Critical RCE vulnerabilities in Microsoft Word, all with a CVSS score of 8.4. These vulnerabilities allow unauthorized attackers to execute arbitrary code locally through an untrusted pointer dereference flaw (CVE-2026-40367), a type confusion flaw (CVE-2026-40364), and use-after-free flaws (CVE-2026-40366, CVE-2026-40361). The Preview Pane is an attack vector for all four vulnerabilities. Official fixes are available for customers to deploy.

Critical Vulnerability in Microsoft Partner Center

CVE-2026-34327 is a Critical spoofing vulnerability affecting Microsoft Partner Center and has a CVSS score of 8.2. An externally controlled reference to a resource in another sphere flaw (CWE-610) could allow an unauthorized remote attacker to perform spoofing over a network. Microsoft has proactively remediated this vulnerability within its cloud infrastructure without requiring any customer intervention.

Critical Vulnerability in Azure Monitor Action Group Notification System

CVE-2026-41105 is a Critical elevation of privilege vulnerability affecting the Azure Monitor Action Group notification system and has a CVSS score of 8.1. A server-side request forgery (SSRF) flaw (CWE-918) in the Azure Notification Service could allow an authorized remote attacker to elevate their privileges over a network. Microsoft has proactively remediated this vulnerability within its cloud infrastructure without requiring any customer intervention.

Critical Vulnerabilities in Microsoft Office

CVE-2026-40358 and CVE-2026-40363 are Critical remote code execution vulnerabilities in Microsoft Office, both with a CVSS score of 8.4. These vulnerabilities allow unauthorized attackers to execute arbitrary code locally through a use-after-free flaw (CVE-2026-40358) and a heap-based buffer overflow flaw (CVE-2026-40363). The Preview Pane is an attack vector for both vulnerabilities. Official fixes are available for customers to deploy.

Critical Vulnerability in Microsoft Office for Mac

CVE-2026-42831 is a Critical remote code execution vulnerability in Microsoft Office LTSC for Mac 2021 and has a CVSS score of 7.8. A heap-based buffer overflow flaw (CWE-122) could allow an unauthorized attacker to execute arbitrary code locally. The Preview Pane is not an attack vector; exploitation requires an attacker to convince a user to open a specially crafted malicious Office file. An official fix is available for customers to deploy.

Critical Vulnerability in Microsoft Dynamics 365 Customer Insights

CVE-2026-33821 is a Critical elevation of privilege vulnerability affecting Microsoft Dynamics 365 Customer Insights and has a CVSS score of 7.7. An improper privilege management flaw (CWE-269) could allow an authorized remote attacker to elevate their privileges over a network. Microsoft has proactively remediated this vulnerability within its cloud infrastructure without requiring any customer intervention.

Critical Vulnerabilities in M365 Copilot

CVE-2026-26129 and CVE-2026-26164 are Critical information disclosure vulnerabilities affecting Microsoft 365 Copilot's Business Chat, both with a CVSS score of 7.5. These vulnerabilities allow unauthorized remote attackers to disclose sensitive information over a network through improper neutralization of special elements (CVE-2026-26129) and improper neutralization of special elements in output used by a downstream component (CVE-2026-26164) in M365 Copilot. Microsoft has proactively remediated these vulnerabilities within its cloud infrastructure without requiring any customer intervention.

Critical Vulnerability in Copilot Chat (Microsoft Edge)

CVE-2026-33111 is a Critical information disclosure vulnerability affecting Copilot Chat in Microsoft Edge and has a CVSS score of 7.5. A command injection flaw (CWE-77) in Copilot Chat could allow an unauthorized remote attacker to disclose sensitive information over a network through improper neutralization of special elements used in a command. Microsoft has proactively remediated this vulnerability within its cloud infrastructure without requiring any customer intervention.

Patch Tuesday Dashboard in the Falcon Platform

For a visual overview of the systems impacted by this month’s vulnerabilities, you can use our Patch Tuesday dashboard. This can be found in the CrowdStrike Falcon® platform within the Exposure Management > Vulnerability Management > Dashboards page. The preset dashboards show the most recent three months of Patch Tuesday vulnerabilities.

Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies

As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists. 

Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization's methods for cybersecurity and improve your overall security posture.

Learn More

The CrowdStrike Falcon platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.

Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposures here.

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article. 

Additional Resources

• Fal.Con 2026 registration is now open. Join us in Las Vegas to explore what’s next in cybersecurity.
• For more information on which products are in Microsoft’s Extended Security Updates program, refer to the vendor guidance here.
• Learn how Falcon Exposure Management can help you discover and manage vulnerabilities and other exposures in your environments. 
• Make prioritization painless and efficient. Watch how Falcon Exposure Management enables IT staff to improve visibility with custom filters and team dashboards.
• Find out how CrowdStrike Falcon® Next-Gen Identity Security products can stop workforce identity threats faster. 
• Test CrowdStrike next-gen antivirus for yourself with a free trial of CrowdStrike® Falcon Prevent™.