Microsoft’s May 2026 Patch Tuesday Addresses 118 CVEs (CVE-2026-41103)
- 16 Critical
- 102 Important
- 0 Moderate
- 0 Low
Microsoft addresses 118 CVEs in its May 2026 Patch Tuesday release, with no zero-days exploited in the wild or publicly disclosed for the first time since June 2024.
Microsoft patched 118 CVEs in its May 2026 Patch Tuesday release, with 16 rated critical and 102 rated as important. Our counts omitted CVE-2025-54518, an AMD CPU OP Cache Corruption vulnerability issued by AMD.

This month’s update includes patches for:
- .NET
- ASP.NET Core
- Azure AI Foundry M365 published agents
- Azure Cloud Shell
- Azure Connected Machine Agent
- Azure DevOps
- Azure Entra ID
- Azure Logic Apps
- Azure Machine Learning
- Azure Managed Instance for Apache Cassandra
- Azure Monitor Agent
- Azure Notification Service
- Azure SDK
- Copilot Chat (Microsoft Edge)
- Data Deduplication
- Dynamics Business Central
- GitHub Copilot and Visual Studio
- M365 Copilot
- M365 Copilot for Desktop
- Microsoft Data Formulator
- Microsoft Dynamics 365 (on-premises)
- Microsoft Dynamics 365 Customer Insights
- Microsoft Edge (Chromium-based)
- Microsoft Edge for Android
- Microsoft Office
- Microsoft Office Click-To-Run
- Microsoft Office Excel
- Microsoft Office PowerPoint
- Microsoft Office SharePoint
- Microsoft Office Word
- Microsoft Partner Center
- Microsoft SSO Plugin for Jira & Confluence
- Microsoft Teams
- Microsoft Windows DNS
- Power Automate
- SQL Server
- Telnet Client
- Visual Studio Code
- Windows Admin Center
- Windows Ancillary Function Driver for WinSock
- Windows Application Identity (AppID) Subsystem
- Windows Cloud Files Mini Filter Driver
- Windows Common Log File System Driver
- Windows Cryptographic Services
- Windows DWM Core Library
- Windows Event Logging Service
- Windows Filtering Platform (WFP)
- Windows GDI
- Windows Hyper-V
- Windows Internet Key Exchange (IKE) Protocol
- Windows Kernel
- Windows Kernel-Mode Drivers
- Windows LDAP - Lightweight Directory Access Protocol
- Windows Link-Layer Discovery Protocol (LLDP)
- Windows Message Queuing
- Windows Native WiFi Miniport Driver
- Windows Netlogon
- Windows Print Spooler Components
- Windows Projected File System
- Windows Remote Desktop
- Windows Rich Text Edit
- Windows Rich Text Edit Control
- Windows SMB Client
- Windows Secure Boot
- Windows Storage Spaces Controller
- Windows Storport Miniport Driver
- Windows TCP/IP
- Windows Telephony Service
- Windows Volume Manager Extension Driver
- Windows Win32K - GRFX
- Windows Win32K - ICOMP

Elevation of Privilege (EoP) vulnerabilities accounted for 48.3% of the vulnerabilities patched this month, followed by remote code execution (RCE) vulnerabilities at 24.6%.
CVE-2026-41103 | Microsoft SSO Plugin for Jira & Confluence Elevation of Privilege Vulnerability
CVE-2026-41103 is an elevation of privilege vulnerability affecting the Microsoft Single-Sign-On (SSO) Plugin for Jira & Confluence. It was assigned a CVSSv3 score of 9.1 and is rated as critical. It was assessed as "Exploitation More Likely" according to Microsoft's Exploitability Index. An unauthorized attacker could exploit this vulnerability during the login process by sending a specially crafted response message. Successful exploitation would allow the attacker to sign in using a forged identity without Microsoft Entra ID authentication, enabling the attacker to access or modify data in Jira and Confluence. However, the accessible information is not unfettered, as it is limited by the access defined by the targeted servers for the authorized user.
CVE-2026-33841, CVE-2026-35420, CVE-2026-40369 | Windows Kernel Elevation of Privilege Vulnerabilities
CVE-2026-33841, CVE-2026-35420 and CVE-2026-40369 are EoP vulnerabilities affecting the Windows Kernel. Each of the flaws was assigned a CVSSv3 score of 7.8 and rated as important. Both CVE-2026-33841 and CVE-2026-40369 were assessed as "Exploitation More Likely." These flaws could be abused by a local attacker to elevate to SYSTEM, or to Medium/High integrity level in the case of CVE-2026-33841. Including these three EoPs, there have been 13 disclosed Windows Kernel EoP vulnerabilities addressed so far in 2026.
CVE-2026-40361, CVE-2026-40364, CVE-2026-40366 and CVE-2026-40367 | Microsoft Word Remote Code Execution Vulnerabilities
CVE-2026-40361, CVE-2026-40364, CVE-2026-40366 and CVE-2026-40367 are RCE vulnerabilities affecting Microsoft Word. Each of these RCEs was assigned a CVSSv3 score of 8.4 and rated as critical, though CVE-2026-40361 and CVE-2026-40364 were the only ones assessed to be “Exploitation More Likely.” An attacker could exploit these flaws through social engineering by sending a malicious file to an intended target. Successful exploitation would grant code execution privileges to the attacker. Additionally, Microsoft notes that the Preview Pane is an attack vector for each of these vulnerabilities.
CVE-2026-41089 | Windows Netlogon Remote Code Execution Vulnerability
CVE-2026-41089 is an RCE vulnerability affecting Windows Netlogon, a Windows Server process used for authentication within a domain. It was assigned a CVSSv3 score of 9.8 and rated as critical. A remote, unauthenticated attacker could exploit this flaw by sending a crafted network request to a Windows server running as a domain controller. This packet could exploit a stack-based buffer overflow flaw, allowing the attacker to execute code on an affected system. Despite the critical severity and near-perfect CVSSv3 score, this flaw was assessed by Microsoft as “Exploitation Less Likely.”
Tenable Solutions
A list of all the plugins released for Microsoft’s May 2026 Patch Tuesday update can be found here. As always, we recommend patching systems as soon as possible and regularly scanning your environment to identify those systems yet to be patched.
For more specific guidance on best practices for vulnerability assessments, please refer to our blog post on How to Perform Efficient Vulnerability Assessments with Tenable.
Get more information
- Microsoft's May 2026 Security Updates
- Tenable plugins for Microsoft May 2026 Patch Tuesday Security Updates
Join Tenable's Research Special Operations (RSO) Team on Tenable Connect for further discussions on the latest cyber threats.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.