Threat Advisories:
Mini Shai-Hulud npm Supply Chain Worm: TanStack and Multi-Ecosystem Compromise Malicious Ruby Gems Fuel GemStuffer Data Theft Campaign Microsoft’s May 2026 Patch Tuesday PCPJack Hijacks Vulnerable Servers With Worm-Like Cloud Propagation Tactics QLNX Unmasked: Advanced Linux Malware Targets Developers and Cloud Infrastructure Dirty Frag A 2017 Optimization That Aged Into a Root Exploit TCLBanker: Trojanized Logitech Installer Fuels Banking Malware Campaign Ivanti EPMM Flaws Threaten Enterprise Device Management Systems Is Your Spring Config Server an Open Door? CVE-2026-40982 Says Yes PAN-OS Buffer Overflow Flaw Under Active State-Sponsored Exploitation Unauthenticated RCE in Weaver E-cology Actively Exploited Tax Trap to Full Takeover: Inside the Silver Fox Multi-Stage Intrusion Chain One Script, Every Distro, Full Root: Copy Fail Vulnerability Rewriting Linux Threat Models CVE-2026-42208: The LiteLLM Flaw Letting Attackers Reach Deep Inside VECT Ransomware: Flawed Encryption Turns RaaS Locker into Irreversible File Wiper Operation TrustTrap: APT36 Weaponizes 16,800 Spoofed Domains Patched but Not Cured: FIRESTARTER Backdoor Survives Cisco Firewall Upgrades The Gentlemen Ransomware: A Rapidly Scaling RaaS Threat Tropic Trooper Shifts Tradecraft to Open-Source Offensive Frameworks UNC6692 Social Engineering Campaign Deploying SNOW Malware Suite
New Report Critical Threat Research : The Iranian Cyber War Intensifies! Download the Report
Platform
Comprehensive Threat Exposure Management Platform
Uni5 Xposure PlatformUni5 Xposure leverages exposure assessment and adversarial exposure validation to deliver a unified view of your cyber risks and all actionable pathways to resolve them. Powered by:
IntegrationsOut of box integrations available with a comprehensive set of Security and IT operations tools in your organisation.
HiveForce LabsThe in-house intelligence that enables customers to identify and address immediate cyber risks and potential threats with precision, clear insights, and swift action.
Hive Pro’s ComparisonSave Cost , Reduce Complexity and Increase Security by Augmenting and Replacing your existing Vulnerability Management platform
Hive Pro vs Rapid7
Hive Pro vs Tenable
Hive Pro vs Qualys
Hive Pro vs Nucleus Security
Solutions
By Use Case
Total Attack Surface Management
Multi-Environment Security Scanners
Complete Exposure Assessment
Comprehensive Security Intelligence
Vulnerability & Threat Prioritization
Adversarial Exposure Validation
By Role
CISO
Vulnerability Management
Security Operations
DevOps
Industry
Telecommunications
Healthcare
Financial Services
Government & Public Sector
Retail & E-Commerce
Educational Institutions
Resources
Learning Center
Podcasts
Threat Advisories
Threat Digests
Blog
Whitepapers
Resources
Advisories & Digests
Threat Advisories
Threat Digests
Content Library
learn
Blog
Whitepapers
Press Releases
connect
Webinars & Videos
Company
About Us
Careers
Our Leadership
Contact Us
Book a DemoFree Iranian Exposure Assessment
Platform
Platform
Comprehensive Threat Exposure Management Platform
Uni5 Xposure PlatformUni5 Xposure leverages exposure assessment and adversarial exposure validation to deliver a unified view of your cyber risks and all actionable pathways to resolve them. Powered by:
IntegrationsOut of box integrations available with a comprehensive set of Security and IT operations tools in your organisation.
HiveForce LabsThe in-house intelligence that enables customers to identify and address immediate cyber risks and potential threats with precision, clear insights, and swift action.
Hive Pro’s Comparison
Hive Pro vs Rapid7
Hive Pro vs Tenable
Hive Pro vs Qualys
Hive Pro vs Nucleus Security
Solutions
Solutions
By Use Case
Total Attack Surface Management
Multi-Environment Security Scanners
Complete Exposure Assessment
Comprehensive Security Intelligence
Vulnerability & Threat Prioritization
Adversarial Exposure Validation
By Role
CISO
Vulnerability Management
Security Operations
DevOps
Industry
Industry
Telecommunications
Healthcare
Financial Services
Government & Public Sector
Retail & E-Commerce
Educational Institutions
Resources
Resources
Learning Center
Podcasts
Threat Advisories
Threat Digests
Blog
Whitepapers
Resources
Resources
Advisories & Digests
Threat Advisories
Threat Digests
Content Library
learn
Blog
Whitepapers
Press Releases
connect
Webinars & Videos
Company
Company
About Us
Careers
Our Leadership
Contact Us
Book a DemoFree Iranian Exposure Assessment

Microsoft’s May 2026 Patch Tuesday

Red | Vulnerability Report
Download PDF

Summary

Microsoft’s May 2026 Patch Tuesday security update addresses 137 critical vulnerabilities across the Microsoft product ecosystem, representing a significant security update for enterprise and consumer environments. First observed on May 12, 2026, these Microsoft vulnerabilities impact multiple platforms including Microsoft SQL Server, Windows Kernel, Windows Hyper-V, Microsoft Office, Microsoft SharePoint, and Google Chromium-based products. The vulnerability impact spans Information Disclosure, Denial of Service, Remote Code Execution, Elevation of Privilege, Security Feature Bypass, Spoofing, and Tampering vulnerabilities.

The Microsoft May 2026 Patch Tuesday vulnerability distribution includes 30 vulnerabilities rated Critical, 103 vulnerabilities rated Important, and 4 vulnerabilities rated Moderate. Elevation of Privilege vulnerabilities dominate this release, accounting for 62 vulnerabilities, followed by 31 Remote Code Execution vulnerabilities, 15 Information Disclosure vulnerabilities, 13 Spoofing vulnerabilities, 8 Denial of Service vulnerabilities, 6 Security Feature Bypass vulnerabilities, and 2 Tampering vulnerabilities. Microsoft also resolved 128 non-Microsoft vulnerabilities, including Chromium-based Edge vulnerabilities, bringing the total Microsoft Patch Tuesday vulnerability count to 265.

Notably, Microsoft’s May 2026 Patch Tuesday marks the first zero-day-free Patch Tuesday since June 2024, breaking a 22-month streak of monthly security updates containing actively exploited zero-day vulnerabilities. Despite the absence of zero-day vulnerabilities, 16 Microsoft CVEs are assessed as at increased risk of exploitation, underscoring the urgency of deploying these Microsoft security patches promptly across enterprise environments.

Vulnerability Details

Microsoft Patch Tuesday Overview and Vulnerability Distribution

Microsoft’s May 2026 Patch Tuesday delivers a comprehensive security update addressing 137 Microsoft vulnerabilities across the product ecosystem. Elevation of Privilege vulnerabilities alone account for over 50 percent of this month’s Microsoft patches, reflecting continued attacker focus on post-compromise privilege escalation techniques in Windows environments. The vulnerability severity breakdown shows 30 Critical Microsoft vulnerabilities, 103 Important Microsoft vulnerabilities, and 4 Moderate Microsoft vulnerabilities requiring immediate attention from security teams.

The Microsoft vulnerability types span multiple impact categories throughout the May 2026 Patch Tuesday release. Microsoft patched 62 Elevation of Privilege vulnerabilities, 31 Remote Code Execution vulnerabilities, 15 Information Disclosure vulnerabilities, 13 Spoofing vulnerabilities, 8 Denial of Service vulnerabilities, 6 Security Feature Bypass vulnerabilities, and 2 Tampering vulnerabilities. Microsoft also resolved 128 non-Microsoft vulnerabilities including Chromium-based Edge vulnerabilities, bringing the total Microsoft May 2026 Patch Tuesday vulnerability count to 265 security issues.

Critical Infrastructure Vulnerabilities Requiring Immediate Patching

The most critical Microsoft infrastructure vulnerability in the May 2026 Patch Tuesday is CVE-2026-41089, a stack-based buffer overflow vulnerability in Windows Netlogon with a CVSS score of 9.8. This Windows Netlogon vulnerability allows an unauthenticated attacker to execute code on a domain controller by sending a specially crafted network request. No privileges or user interaction are required for exploiting this Windows Netlogon vulnerability, and attack complexity is low. A compromised domain controller through this Microsoft vulnerability effectively means a compromised domain, making CVE-2026-41089 the top remediation priority for Microsoft environments.

CVE-2026-41103 represents an Elevation of Privilege vulnerability in the Microsoft SSO Plugin for Jira and Confluence with a CVSS score of 9.1. This Microsoft SSO vulnerability allows an unauthenticated attacker to send a specially crafted SSO response during login and trick the system into accepting a forged identity, bypassing Microsoft Entra ID authentication entirely. This Microsoft vulnerability is particularly dangerous for organizations with Atlassian-integrated environments where Microsoft SSO authentication is deployed.

CVE-2026-40402 is a use-after-free vulnerability in Windows Hyper-V with a CVSS score of 9.3, enabling a guest-to-host escape that allows an attacker to gain SYSTEM privileges on the Hyper-V host. This Windows Hyper-V vulnerability makes it critical for multi-tenant and private cloud environments where a single boundary failure through this Microsoft vulnerability can compromise multiple workloads across virtualized infrastructure.

Microsoft Office and Document-Based Attack Vulnerabilities

Two Critical Remote Code Execution vulnerabilities in Microsoft Word, CVE-2026-40361 and CVE-2026-40364, can be triggered via the Microsoft Office Preview Pane without opening malicious documents. These Microsoft Word vulnerabilities continue a dangerous document-driven attack pattern from previous months, making Microsoft Office endpoint patching an urgent priority. Organizations where employees regularly receive external attachments face significant risk from these Microsoft Word remote code execution vulnerabilities.

CVE-2026-35435 is an Elevation of Privilege vulnerability in Azure AI Foundry M365 published agents, stemming from improper access control in Microsoft cloud services. This Microsoft Azure vulnerability could allow an unauthenticated attacker to elevate privileges over a network, highlighting the expanding AI-connected enterprise attack surface in Microsoft environments. Microsoft has noted that no customer action is required as this Microsoft vulnerability was mitigated server-side.

Windows Kernel and System Component Elevation of Privilege Vulnerabilities

The Elevation of Privilege vulnerabilities dominating Microsoft’s May 2026 Patch Tuesday target deeply trusted Windows components across the operating system. CVE-2026-33841 and CVE-2026-40369 affect the Windows Kernel and could allow a local attacker to elevate to SYSTEM level, bringing the total Windows Kernel Elevation of Privilege vulnerabilities patched by Microsoft in 2026 to 13. CVE-2026-33837 is a heap-based buffer overflow in Windows TCP/IP (tcpip.sys) enabling local privilege escalation on Windows systems.

Additional Microsoft Elevation of Privilege vulnerabilities targeting critical kernel-adjacent components include CVE-2026-33835 affecting Windows Cloud Files Mini Filter Driver, CVE-2026-33840 affecting Win32k ICOMP, CVE-2026-35416 affecting Windows Ancillary Function Driver for WinSock, CVE-2026-35417 affecting Windows Win32k, CVE-2026-35420 affecting Windows Kernel, CVE-2026-40397 affecting Windows Common Log File System Driver, and CVE-2026-40398 affecting Windows Remote Desktop Services. All of these Microsoft vulnerabilities enable SYSTEM-level privilege escalation on compromised Windows systems.

The Windows Common Log File System driver vulnerability CVE-2026-40397 has a long history of weaponization in real-world attack chains, making this Microsoft vulnerability a priority despite its Important rating rather than Critical. Organizations should prioritize patching domain controllers for the Windows Netlogon vulnerability, Hyper-V hosts for the virtualization vulnerability, Microsoft Office endpoints for document-based attacks, and Windows systems running the CLFS driver, Win32k, TCP/IP, and WinSock components.

Secure Boot Certificate Expiration Deadline and Final Deployment Window

Environments using the Microsoft SSO Plugin for Jira and Confluence should treat CVE-2026-41103 as an emergency deployment due to the authentication bypass risk. With the Secure Boot certificate expiration deadline on June 26, 2026 now just 45 days away, Microsoft’s May 2026 Patch Tuesday represents the final comfortable deployment window before that critical milestone. Organizations should validate Secure Boot certificate status across their Microsoft fleet without delay to ensure business continuity.

Recommendations

Conduct Extensive Service Exposure Evaluation and Vulnerability Assessment

Conduct an extensive service exposure evaluation to identify any Microsoft vulnerable services that may be publicly accessible across your organization. Take immediate and decisive action to address any identified Microsoft vulnerabilities, either by installing essential Microsoft security patches or adopting compensating security measures. Organizations should inventory all internet-facing Microsoft services and prioritize patching based on vulnerability severity and exploitation risk.

Keep Microsoft Systems Current With Latest Security Updates

Keep your Microsoft systems up to date by implementing the most recent Microsoft security updates from the May 2026 Patch Tuesday release. To avoid the introduction of new Microsoft vulnerabilities, follow security rules adapted to unique devices throughout your environment. Furthermore, to strengthen the resilience of Microsoft devices and applications exposed to the internet, thoroughly review their configurations against Microsoft security baselines.

Prioritize Critical Microsoft Vulnerability Patching Urgently

Prioritize patching the high-severity Microsoft vulnerabilities CVE-2026-41103, CVE-2026-41089, CVE-2026-40402, CVE-2026-40361 and CVE-2026-40364 from the May 2026 Patch Tuesday. These Microsoft vulnerabilities pose significant exploitation risks and should be addressed urgently across all affected Microsoft systems. Security teams should establish accelerated patching timelines for these critical Microsoft vulnerabilities to minimize organizational risk exposure.

Implement Network Segmentation for Microsoft Environments

Implement network segmentation to restrict unauthorized access and reduce the impact of potential attacks exploiting Microsoft vulnerabilities. This Microsoft security measure can be especially effective in scenarios where network adjacency is a factor in lateral movement across Windows environments. Network segmentation limits the blast radius of successful exploitation of Microsoft vulnerabilities.

Apply Least Privilege Principle Across Microsoft Infrastructure

Adhere to the principle of least privilege by giving Microsoft users only the essential permissions they need for their tasks. This Microsoft security strategy reduces the effects of Microsoft vulnerabilities related to privilege escalation across Windows, Office, and Azure environments. Organizations should regularly audit Microsoft user permissions and remove excessive privileges that could be abused following successful exploitation of Microsoft elevation of privilege vulnerabilities.

MITRE ATT&CK TTPs

Initial Access: T1190 (Exploit Public-Facing Application), T1189 (Drive-by Compromise), T1566.001 (Spearphishing Attachment), T1566.002 (Spearphishing Link)

Execution: T1203 (Exploitation for Client Execution), T1059.001 (PowerShell), T1204.001 (Malicious Link), T1204.002 (Malicious File)

Defense Evasion: T1562.001 (Disable or Modify Tools), T1553.006 (Code Signing Policy Modification)

Privilege Escalation: T1611 (Escape to Host), T1068 (Exploitation for Privilege Escalation), T1542.003 (Bootkit)

Credential Access: T1552 (Unsecured Credentials), T1556 (Modify Authentication Process)

Lateral Movement: T1021.001 (Remote Desktop Protocol), T1210 (Exploitation of Remote Services)

Impact: T1499 (Endpoint Denial of Service)

References

Microsoft Security Response Center – May 2026 Update Guide Release Note

What’s new on HivePro

Get through updates and upcoming events, and more directly in your inbox