Microsoft May 2026 Patch Tuesday addresses 120 vulnerabilities without disclosed zero-days

1 unique source, 2 articles

Summary

Microsoft’s May 2026 Patch Tuesday released fixes for 120 vulnerabilities across its ecosystem, including 17 Critical flaws, with no zero-days disclosed. The updates, delivered via Windows 11 cumulative updates KB5089549 and KB5087420 for versions 23H2, 24H2, and 25H2, addressed remote code execution (RCE), elevation of privilege (EoP), information disclosure, denial of service (DoS), and spoofing vulnerabilities in Windows, Office, Word, Excel, SharePoint, and the DNS Client. The remediation effort excluded patches for Microsoft Mariner, Azure, Copilot, Teams, Partner Center, and 131 Google Chromium-based Edge flaws addressed separately by Google. Notable fixes included CVE-2026-35421 (Windows GDI RCE via malicious EMF files), CVE-2026-40365 (SharePoint Server RCE), and CVE-2026-41096 (Windows DNS Client RCE). While the primary focus was security, the updates also introduced non-security improvements such as Xbox mode integration, expanded File Explorer archive support, haptic feedback for input devices, and enhanced batch file security controls.

Timeline

  1. 12.05.2026 21:08 · 2 articles

    Microsoft May 2026 Patch Tuesday addresses 120 vulnerabilities with no disclosed zero-days

    On May 12, 2026, Microsoft released security updates resolving 120 vulnerabilities in its products. The update includes 17 Critical flaws, primarily RCE vulnerabilities in Windows, Office, Word, Excel, SharePoint, and the DNS Client. No zero-days were disclosed in this cycle. Administrators were advised to prioritize updates for Office applications due to RCE risks via malicious files and the preview pane. The release was delivered via Windows 11 cumulative updates KB5089549 (versions 25H2/24H2) and KB5087420 (version 23H2), which updated build numbers to 26200.8457 (25H2), 26100.8457 (24H2), and 22631.7079 (23H2). The updates also introduced non-security enhancements including Xbox mode integration, expanded File Explorer archive support (uu, cpio, xar, NuGet), haptic feedback for compatible input devices, and enhanced security controls for batch file processing via registry/policy settings.

Similar Happenings

Microsoft March and April 2026 Patch Tuesdays Address Multiple Zero-Days and Critical Flaws

Microsoft’s multi-month Patch Tuesday campaign continues with the April 2026 release addressing 167 security vulnerabilities in Windows and related software, including two actively exploited zero-days (CVE-2026-32201 in SharePoint Server and CVE-2026-33825 in Microsoft Defender). Nearly 60% of the patched flaws are elevation-of-privilege bugs, marking the highest proportion in eight months, while eight Critical vulnerabilities were addressed, including unauthenticated remote code execution flaws in Windows IKE Service Extensions (CVE-2026-33824, CVSS 9.8) and secure tunneling components (CVE-2026-33827, CVSS 8.1). Following the April updates, threat actors are now exploiting two additional unpatched Microsoft Defender zero-days—RedSun and UnDefend—alongside the patched CVE-2026-33825 (BlueHammer). Exploitation activity has been observed since April 10, 2026, with RedSun and UnDefend PoCs deployed on April 16, 2026, featuring hands-on-keyboard techniques such as whoami /priv, cmdkey /list, and net group commands. Huntress confirmed real-world exploitation and took steps to isolate compromised systems to prevent post-exploitation damage. Threat actors have also been observed chaining these flaws with other vulnerabilities to achieve full endpoint control. Microsoft issued out-of-band emergency patches for CVE-2026-40372, a critical ASP.NET Core privilege escalation vulnerability in the ASP.NET Core Data Protection cryptographic APIs. The flaw enables unauthenticated attackers to gain SYSTEM privileges by forging authentication cookies, stemming from a regression in Microsoft.AspNetCore.DataProtection 10.0.0-10.0.6 packages. Microsoft recommends updating to version 10.0.7 and rotating the DataProtection key ring to fully remediate. The April updates were distributed through Windows 11 cumulative updates KB5083769 (for versions 25H2/24H2) and KB5082052 (for 23H2), changing build numbers to 26200.8246 (25H2), 26100.8246 (24H2), and 22631.6936 (23H2). 
Windows 10 Enterprise LTSC and ESU participants received the April fixes via KB5082200, updating to build 19045.7184 (Windows 10) or 19044.7184 (Windows 10 Enterprise LTSC 2021).

Microsoft to Enable Windows Hotpatch Security Updates by Default

Microsoft will enable hotpatch security updates by default for eligible Windows devices managed through Microsoft Intune and the Microsoft Graph API, starting with the May 2026 Windows security update. This change aims to halve the time to reach 90% patch compliance, reducing the window of exposure to attacks. The updates will be delivered through Windows Autopatch, which automatically keeps Windows and Microsoft 365 software up to date. IT administrators will have the option to disable hotpatch updates at the tenant level and enable them for specific devices. Organizations can opt out of hotpatch updates using controls in Microsoft Intune, which will be available starting April 1, 2026.

Microsoft February 2026 Patch Tuesday Addresses 6 Zero-Days and 59 Flaws

Microsoft's February 2026 Patch Tuesday addresses 59 vulnerabilities, including 6 actively exploited zero-days and 3 publicly disclosed flaws. The updates include fixes for 5 critical vulnerabilities, with three being security feature bypass flaws in various Microsoft products. The zero-days span components such as Windows Shell, MSHTML Framework, Microsoft Word, Desktop Window Manager, Windows Remote Access Connection Manager, and Windows Remote Desktop Services. Microsoft issued an out-of-band patch for one of the zero-days, CVE-2026-21514, highlighting its urgency. The updates also cover a range of other vulnerabilities, including elevation of privilege, security feature bypass, remote code execution, information disclosure, denial of service, and spoofing flaws. Additionally, Microsoft has begun rolling out updated Secure Boot certificates to replace expiring 2011 certificates. Other vendors, including Adobe, BeyondTrust, CISA, Cisco, Fortinet, Google, n8n, and SAP, have also released security updates or advisories.