Microsoft and Adobe Patch Tuesday, May 2026 Security Update Review
May 2026’s Patch Tuesday arrives with Microsoft addressing a fresh set of vulnerabilities across its ecosystem, reinforcing the ongoing need for timely patching in an increasingly threat-heavy landscape. Here’s a quick breakdown of what you need to know.
Microsoft Patch Tuesday for May 2026
This month’s release addresses 137 vulnerabilities, including 30 critical and 103 important-severity vulnerabilities.
In this month’s updates, Microsoft has not addressed any publicly disclosed zero-day vulnerability.
Microsoft has addressed 128 vulnerabilities in Microsoft Edge (Chromium-based) that were patched earlier this month.
Microsoft Patch Tuesday, May edition, includes updates for vulnerabilities in Windows Hyper-V, .NET, M365 Copilot, Windows GDI, Windows Internet Key Exchange (IKE) Protocol, Windows Kernel, Visual Studio Code, Windows Message Queuing, Azure Connected Machine Agent, Windows Common Log File System Driver, Windows Remote Desktop, and more.
This month’s release includes fixes for several high-severity issues that could potentially enable remote code execution, privilege escalation, or denial-of-service attacks. As always, timely patch deployment is crucial to reduce exposure and ensure systems remain resilient against exploitation attempts.
The May 2026 Microsoft vulnerabilities are classified as follows:
| Vulnerability Category | Quantity | Severities |
| --- | --- | --- |
| Spoofing Vulnerability | 15 | Critical: 4, Important: 11 |
| Denial of Service Vulnerability | 8 | Critical: 8 |
| Elevation of Privilege Vulnerability | 61 | Critical: 5, Important: 56 |
| Information Disclosure Vulnerability | 15 | Critical: 5, Important: 10 |
| Remote Code Execution Vulnerability | 31 | Critical: 16, Important: 15 |
| Security Feature Bypass Vulnerability | 6 | Important: 6 |
Adobe Patches for May 2026
Adobe has released 10 security advisories to address 52 vulnerabilities in Adobe Premiere Pro, Adobe Media Encoder, Adobe After Effects, Adobe Commerce, Adobe Connect, Adobe Illustrator, Adobe Substance 3D Designer, Content Credentials SDK, Adobe Substance 3D Sampler, and Adobe Substance 3D Painter. 27 of these vulnerabilities are rated critical. Successful exploitation of these vulnerabilities may lead to privilege escalation, security feature bypass, arbitrary file system read, application denial-of-service, and arbitrary code execution.
Critical Severity Vulnerabilities Patched in May Patch Tuesday Edition
CVE-2026-40364: Microsoft Word Remote Code Execution Vulnerability
A type confusion vulnerability in Microsoft Word may allow an unauthenticated attacker to execute arbitrary code remotely.
CVE-2026-41089: Windows Netlogon Remote Code Execution Vulnerability
A stack-based buffer overflow vulnerability in Windows Netlogon could allow an unauthenticated attacker to execute code over the network. An attacker may exploit the vulnerability by sending a specially crafted network request to a Windows server that is acting as a domain controller.
CVE-2026-40361 & CVE-2026-40366: Microsoft Word Remote Code Execution Vulnerability
A use-after-free vulnerability in Microsoft Word may allow an unauthenticated attacker to execute arbitrary code remotely.
CVE-2026-41103: Microsoft SSO Plugin for Jira & Confluence Elevation of Privilege Vulnerability
Incorrect implementation of the authentication algorithm in the Microsoft SSO Plugin for Jira & Confluence may allow an unauthenticated attacker to elevate their privileges across the network. An attacker could exploit this vulnerability by sending a specially crafted SSO response during the login process that tricks the system into accepting a forged identity. This could allow the attacker to sign in without authenticating the user through Microsoft Entra ID.
CVE-2026-35421: Windows GDI Remote Code Execution Vulnerability
A heap-based buffer overflow vulnerability in Windows GDI could allow an unauthenticated attacker to execute arbitrary code remotely.
CVE-2026-40363 & CVE-2026-42831: Microsoft Office Remote Code Execution Vulnerability
A heap-based buffer overflow vulnerability in Microsoft Office may allow an unauthenticated attacker to execute arbitrary code remotely.
CVE-2026-41096: Windows DNS Client Remote Code Execution Vulnerability
A heap-based buffer overflow vulnerability in Microsoft Windows DNS may allow an unauthenticated attacker to execute arbitrary code remotely.
CVE-2026-32161: Windows Native WiFi Miniport Driver Remote Code Execution Vulnerability
A race condition in the Windows Native WiFi Miniport Driver could allow an unauthenticated attacker to execute code over an adjacent network.
CVE-2026-40358: Microsoft Office Remote Code Execution Vulnerability
A use-after-free vulnerability in Microsoft Office could allow an unauthenticated attacker to execute arbitrary code remotely.
CVE-2026-40365: Microsoft SharePoint Server Remote Code Execution Vulnerability
An insufficient access-control granularity flaw in Microsoft Office SharePoint Server allows an authenticated attacker to execute arbitrary code remotely.
CVE-2026-40367: Microsoft Word Remote Code Execution Vulnerability
A pointer dereference vulnerability in Microsoft Word allows an unauthenticated attacker to execute code locally.
CVE-2026-40402: Windows Hyper-V Elevation of Privilege Vulnerability
A use-after-free vulnerability in Windows Hyper-V may allow an unauthenticated attacker to elevate local privileges. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.
CVE-2026-40403: Windows Graphics Component Remote Code Execution Vulnerability
A heap-based buffer overflow vulnerability in Windows Win32K – GRFX may allow an authenticated attacker to execute code locally.
CVE-2026-42898: Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability
A code-injection vulnerability in Microsoft Dynamics 365 (on-premises) may allow an authenticated attacker to execute code over the network.
CVE-2026-33821: Microsoft Dynamics 365 Customer Insights Elevation of Privilege Vulnerability
An improper privilege management flaw in Microsoft Dynamics 365 Customer Insights could allow an authenticated attacker to elevate their privileges across a network.
CVE-2026-42826: Azure DevOps Information Disclosure Vulnerability
An exposure of sensitive information to an unauthenticated actor in Azure DevOps may allow an attacker to disclose that information over a network.
CVE-2026-35428: Azure Cloud Shell Spoofing Vulnerability
A command injection vulnerability in Azure Cloud Shell could allow an unauthenticated attacker to perform network spoofing.
CVE-2026-35435: Azure AI Foundry Elevation of Privilege Vulnerability
An improper access-control flaw in Azure AI Foundry M365 published agents could allow an unauthenticated attacker to elevate their privileges across the network.
CVE-2026-34327: Microsoft Partner Center Spoofing Vulnerability
An externally controlled reference to a resource in another sphere in Microsoft Partner Center could allow an unauthenticated attacker to perform network spoofing.
CVE-2026-33844: Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability
An improper input validation flaw in Azure Managed Instance for Apache Cassandra may allow an authenticated attacker to execute code over a network.
CVE-2026-33823: Microsoft Team Events Portal Information Disclosure Vulnerability
An improper authentication flaw in Microsoft Teams may allow an authenticated attacker to disclose information over a network.
CVE-2026-32207: Azure Machine Learning Notebook Spoofing Vulnerability
A cross-site scripting vulnerability in Azure Machine Learning could allow an unauthenticated attacker to perform network spoofing.
CVE-2026-40379: Microsoft Enterprise Security Token Service (ESTS) Spoofing Vulnerability
An exposure of sensitive information to an unauthenticated actor in Azure Entra ID could allow an unauthenticated attacker to perform network spoofing.
CVE-2026-33109: Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability
An improper access control flaw in Azure Managed Instance for Apache Cassandra may allow an authenticated attacker to execute code over a network.
CVE-2026-33111: Copilot Chat (Microsoft Edge) Information Disclosure Vulnerability
A command injection vulnerability in Copilot Chat (Microsoft Edge) may allow an unauthenticated attacker to disclose information over a network.
CVE-2026-41105: Azure Monitor Action Group Notification System Elevation of Privilege Vulnerability
A server-side request forgery vulnerability in Azure Notification Service may allow an authenticated attacker to elevate their privileges across the network.
CVE-2026-26129 & CVE-2026-26164: M365 Copilot Information Disclosure Vulnerability
An improper neutralization of special elements in M365 Copilot may allow an unauthenticated attacker to disclose information over a network.
Other Microsoft Vulnerability Highlights
- CVE-2026-33840 is an elevation of privilege vulnerability in Win32k. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
- CVE-2026-33841 is an elevation of privilege vulnerability in the Windows Kernel. The heap-based buffer overflow vulnerability may allow an authenticated attacker to elevate local privileges.
- CVE-2026-35416 is an elevation of privilege vulnerability in the Windows Ancillary Function Driver for WinSock. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.
- CVE-2026-35417 is an elevation of privilege vulnerability in Windows Win32k. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
- CVE-2026-33837 is an elevation of privilege vulnerability in Windows TCP/IP. The heap-based buffer overflow vulnerability may allow an authenticated attacker to elevate privileges locally.
- CVE-2026-33835 is an elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
- CVE-2026-40369 is an elevation of privilege vulnerability in the Windows Kernel. Successful exploitation of the vulnerability may allow an attacker to gain SYSTEM privileges.
- CVE-2026-40397 is an elevation of privilege vulnerability in the Windows Common Log File System Driver. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
- CVE-2026-40398 is an elevation of privilege vulnerability in Windows Remote Desktop Services. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
Microsoft Release Summary
This month’s release notes cover multiple Microsoft product families and products/versions affected, including, but not limited to, Windows Rich Text Edit, Windows Native WiFi Miniport Driver, Windows Rich Text Edit Control, Microsoft Teams, Azure Monitor Agent, Azure Machine Learning, Windows Filtering Platform (WFP), Azure Managed Instance for Apache Cassandra, Microsoft Office SharePoint, Copilot Chat (Microsoft Edge), Azure SDK, Microsoft Dynamics 365 Customer Insights, Windows Event Logging Service, Windows Cloud Files Mini Filter Driver, Windows TCP/IP, Windows Win32K – GRFX, Windows Win32K – ICOMP, Microsoft Partner Center, Windows Kernel-Mode Drivers, Windows DWM Core Library, Windows Telephony Service, Windows LDAP – Lightweight Directory Access Protocol, Windows Projected File System, Windows Link-Layer Discovery Protocol (LLDP), Windows Print Spooler Components, Windows Application Identity (AppID) Subsystem, Windows Ancillary Function Driver for WinSock, Windows Storport Miniport Driver, Windows Storage Spaces Controller, Telnet Client, Azure Cloud Shell, Microsoft Edge for Android, Azure AI Foundry M365 published agents, Microsoft Office Click-To-Run, Windows Admin Center, Microsoft Office Word, Microsoft Office, Microsoft Office Excel, SQL Server, Power Automate, Windows Cryptographic Services, Azure Entra ID, Windows Volume Manager Extension Driver, Windows SMB Client, Microsoft Edge (Chromium-based), Dynamics Business Central, Windows Netlogon, Microsoft Data Formulator, Data Deduplication, Microsoft Windows DNS, Windows Secure Boot, Microsoft Office PowerPoint, Microsoft SSO Plugin for Jira & Confluence, Azure Notification Service, GitHub Copilot and Visual Studio, M365 Copilot for Desktop, Azure Logic Apps, Azure DevOps, Microsoft Dynamics 365 (on-premises), ASP.NET Core, and AMD CPU Branch.
The next Patch Tuesday is scheduled for June 9, and we will provide details and patch analysis then. Until next Patch Tuesday, stay safe and secure. Be sure to subscribe to the ‘This Month in Vulnerabilities and Patches’ webinar.
Qualys Monthly Webinar Series
The Qualys Research team hosts a monthly webinar series to help our existing customers leverage the seamless integration between Qualys Vulnerability Management, Detection & Response (VMDR), and Qualys Patch Management. Combining these two solutions can reduce the median time to remediate critical vulnerabilities.
During the webcast, we will discuss this month’s high-impact vulnerabilities, including those highlighted in this month’s Patch Tuesday alert. We will walk you through the necessary steps to address the key vulnerabilities using Qualys VMDR and Qualys Patch Management.