Microsoft’s Patch Tuesday security updates for May 2026 included 137 CVEs, with 14 having critical CVSS base scores and 13 being marked as more likely to be exploited.

The May 12, 2026, CVE list included no zero-days for the first time since June 2024. While overall CVE volume was down from April 2026’s 169 (the second-highest volume in Patch Tuesday history), this update was still the second largest since October 2025’s record-breaking 180 CVEs.

“Every release since July 2024 has included at least one zero-day either exploited or publicly disclosed, averaging 3.5 per month across a 22-month streak,” noted Satnam Narang, senior staff research engineer at Tenable, in an email to SC Media. “Five months into 2026, Microsoft has already patched over 500 CVEs, putting it on pace to surpass 2020’s record of 1,245 for a single calendar year.”

Among the patched flaws were four remote code execution (RCE) vulnerabilities in Microsoft Word, with two noted as more likely to be exploited. All four flaws have a CVSS base score of 8.4 and are considered to be of critical severity by Microsoft.

“The other common thread across these vulnerabilities is that a target doesn’t need to even open the document to trigger the exploit. Exploitation is possible just by viewing a malicious document in the Preview Pane,” Narang noted.

The Word flaws tracked as CVE-2026-40361 and CVE-2026-40364 are considered more likely to be exploited, while CVE-2026-40366 is less likely to be exploited and CVE-2026-40367 is unlikely to be exploited, according to Microsoft.

The Patch Tuesday update also includes a CVSS 9.9 RCE vulnerability in Microsoft Dynamics 365 on-premises, tracked as CVE-2026-42898, that could allow an authorized attacker to execute code over a network due to improper control of generation of code.

“This vulnerability demands immediate attention because it combines a Critical severity rating, network-based exploitation, no user interaction requirements, and high impact across confidentiality, integrity and availability. Even though exploitation is currently assessed as unlikely, the low privilege requirement significantly lowers the barrier for attackers who already possess valid credentials,” Jack Bicer, director of vulnerability research at Action1, noted in an email to SC Media.

A critical CVSS 9.1 privilege elevation flaw in the Microsoft SSO Plugin for Jira & Confluence, tracked as CVE-2026-41103, is the only flaw with a CVSS score of 9 or higher marked as “exploitation more likely.”

“An unauthenticated attacker could send a specially crafted SSO response during login and trick the system into accepting a forged identity, allowing unauthorized access without proper Microsoft Entra ID authentication,” explained Action1 President and Co-founder Mike Walters in an email.

Other notable flaws include a stack-based buffer overflow RCE flaw in Windows Netlogon, tracked as CVE-2026-41089, and a heap-based buffer overflow RCE in the Windows DNS Client, tracked as CVE-2026-41096, both with a CVSS score of 9.8.

“The Netlogon flaw and this DNS client flaw are the two at the top of my list this month. Neither needs internet reachability to matter. Once an attacker is inside your perimeter, a bug like this turns initial access into lateral movement and privilege escalation in the same afternoon,” Automox CTO Jason Kikta said in a statement provided to SC Media.

Microsoft also republished 128 non-Microsoft CVEs: 127 in Chrome and one in AMD Zen 2-based processors.

SAP disclosed 15 new vulnerabilities for its May 2026 Patch Day, including two critical-severity CVEs. One is an SQL injection flaw in SAP S/4HANA (SAP Enterprise Search for ABAP), tracked as CVE-2026-34260, and the other is a missing authentication check in SAP Commerce Cloud, tracked as CVE-2026-34263. Both have a CVSS score of 9.6.

Adobe fixed 32 vulnerabilities across 10 products on May 12, the most severe being two critical flaws in Adobe Connect.
Patch Tuesday: No zero days among 137 Microsoft CVEs, 4 Word RCEs