Microsoft has released its May 2026 Patch Tuesday update, addressing a substantial number of vulnerabilities across its ecosystem. The company patched more than 120 CVE-numbered security flaws, marking a significant update cycle. Notably, for the first time in many months, none of these vulnerabilities are known to be actively exploited or publicly disclosed prior to the patch. However, security researchers emphasize that several issues require immediate attention due to their potential impact and ease of exploitation.
Critical Vulnerabilities in Microsoft Word
Among the most concerning flaws are four critical remote code execution (RCE) bugs in Microsoft Word. Two of these, tracked as CVE-2026-40361 and CVE-2026-40364, have been assessed by Microsoft as more likely to be exploited. According to Satnam Narang, senior staff research engineer at Tenable, these vulnerabilities are particularly dangerous because an attacker can trigger them simply by sending a malicious document to a target. Even more alarming, exploitation can occur without the victim opening the document—simply previewing it in the Preview Pane is sufficient. This means that users who rely on email preview features are at risk, making immediate patching the most reliable defense.
The two other Word RCE flaws, while not marked as more likely to be exploited, still pose serious threats. Attackers could craft documents that, when opened, execute arbitrary code in the context of the logged-on user. Given the ubiquity of Microsoft Word in enterprise environments, these vulnerabilities have a broad attack surface.
Windows Netlogon Vulnerabilities
Another high-priority flaw is CVE-2026-41089, a stack-based buffer overflow in the Windows Netlogon protocol that can lead to remote code execution. Jason Kikta, CTO at Automox, stresses that this vulnerability should be patched on all domain controllers within the same maintenance window. "Half-patched forests are not a defensible state for a pre-auth DC bug," he warned. The flaw allows an unauthenticated attacker to send a specially crafted network request to a Windows server acting as a domain controller, potentially executing arbitrary code without requiring any prior access or credentials. Aside from patching, Kikta advises restricting Netlogon traffic at the network layer, as domain controllers typically do not need to accept Netlogon requests from arbitrary network segments.
Netlogon has historically been a target for attackers, including the notorious ZeroLogon vulnerability (CVE-2020-1472) which was widely exploited in the wild. While this latest flaw is not considered as severe as ZeroLogon, it still represents a critical risk for organizations relying on Active Directory.
Hyper-V Elevation of Privilege
CVE-2026-40402 is an elevation of privilege vulnerability in Hyper-V, Microsoft's built-in hypervisor. This issue could allow a malicious guest virtual machine to force the host's kernel to read from a memory address chosen by the attacker. Such a read could potentially lead to guest-to-host escalation, enabling an attacker to break out of a virtual machine and compromise the underlying host. Although Microsoft rates this vulnerability as less likely to be exploited, Kikta advises organizations to prioritize patching for multi-tenant virtual desktop infrastructure, on-premises virtualization hosting untrusted workloads, or any Hyper-V environment where guests are not fully controlled. The risk is particularly acute in cloud service environments where multiple tenants share the same physical hardware.
Historically, Hyper-V has been a target for researchers and attackers alike, with past vulnerabilities allowing escape of VMs and even denial-of-service conditions. This patch is crucial for maintaining isolation in virtualized environments.
DNS Client Remote Code Execution
Finally, CVE-2026-41096 is a remote code execution vulnerability in the Windows DNS Client. An attacker who is positioned to influence DNS responses—for example, through a man-in-the-middle (MitM) attack or by operating a rogue DNS server—could send a specially crafted DNS response to a vulnerable Windows system. Under certain configurations, this could allow unauthenticated remote code execution. Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative, notes that since the DNS Client runs on virtually every Windows machine, the attack surface is enormous. "An attacker with a position to influence DNS responses (MitM, rogue server) could achieve unauthenticated RCE across your enterprise," he explained. Kikta reinforces this by advising organizations to patch all Windows servers and endpoints, because any Windows host issuing a DNS query is potentially in scope. This includes every workstation behind a compromised resolver.
The DNS Client vulnerability is particularly concerning because DNS is a foundational protocol used by nearly all network applications. A successful exploit could give an attacker a foothold in the network, from which they could move laterally or exfiltrate data.
Additional Fixes and Context
Beyond these four highlighted vulnerabilities, the May 2026 Patch Tuesday includes fixes for numerous other issues across Microsoft products, including Windows, Office, Exchange, and the Edge browser. Many of these address less critical elevation of privilege or information disclosure flaws that are nonetheless important for maintaining overall security posture. Historically, Patch Tuesday releases have been a cornerstone of Microsoft's security strategy, providing a predictable monthly cadence for updates. However, the volume of patches can be overwhelming for IT teams, making prioritization essential.
The absence of zero-days this month is noteworthy, as recent Patch Tuesdays have often included at least one vulnerability under active attack. This suggests that attackers may be focusing on other vectors or that Microsoft's proactive security measures, such as increased use of static analysis and threat intelligence, are paying off. However, researchers caution that the lack of known exploitation does not mean the flaws are not dangerous; unverified exploits may exist in underground forums.
For organizations, the key takeaway is to prioritize the four critical vulnerabilities described above. Domain controllers running Windows Server should be patched immediately, as should all Word installations. Hyper-V hosts, especially those with untrusted guests, need urgent attention. DNS Client updates should be deployed broadly across all Windows clients and servers. Microsoft has provided detailed security advisories for each CVE, including workarounds where available.
In addition to patching, security teams should consider network segmentation and monitoring for suspicious DNS traffic or unusual Netlogon requests. Multi-factor authentication and least-privilege principles remain essential complementary defenses. As always, testing patches in a staging environment before broad deployment is recommended to avoid compatibility issues.
Looking ahead, organizations should prepare for the June release expected next month. With the cybersecurity landscape constantly evolving, staying current on patches is one of the most effective ways to reduce risk. The May 2026 update demonstrates that even without zero-days, there are numerous high-severity flaws that require immediate attention.
Source: Help Net Security News