May 2026 Patch Tuesday fixes 137 security vulnerabilities, 31 of which Microsoft rates critical, with no zero-days actively exploited in the wild. According to Microsoft, a zero-day is a flaw for which no official patch or security update is yet available, and this month none of the included vulnerabilities was observed being exploited in production environments.
Still, the release is high-risk: many of the critical bugs allow remote code execution across Windows services, Office, Azure, SharePoint and graphics components, meaning an attacker could gain full control of a system by luring a user into opening a malicious document or connecting to a malicious service.
From the list, Malwarebytes highlights two vulnerabilities to prioritise: CVE-2026-40361, a critical use-after-free in Microsoft Word with a CVSS score of 8.4, and CVE-2026-35421, a critical heap-based buffer overflow in Windows GDI with a CVSS score of 7.8; Microsoft notes that the latter requires opening or processing a specially crafted EMF file via Microsoft Paint to trigger the flaw. The article also provides steps to apply fixes, including checking Windows Update and restarting when prompted, to ensure systems are up to date.
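The article's advice to check Windows Update and restart when prompted can be turned into a repeatable check. The script below is an added example, not code from the article or from Microsoft; it uses the built-in Windows Update Agent COM API (`Microsoft.Update.Session`), the `Get-HotFix` cmdlet and the two well-known registry keys that signal a pending restart, and assumes an elevated PowerShell session on a Windows client or server. The function names (`Get-PendingSecurityUpdates`, `Test-RebootPending`, `Get-RecentHotFixes`) are this example's own.

```powershell
# Added example (not from the article): inventory Windows Update state on the local machine
# so an administrator can confirm the monthly cumulative update is installed and no restart
# is pending. Assumes the built-in Windows Update Agent COM API and an elevated session.

function Get-PendingSecurityUpdates {
    # Ask the Windows Update Agent for software updates that are not yet installed.
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")

    foreach ($update in $result.Updates) {
        [PSCustomObject]@{
            Title        = $update.Title
            KB           = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            MsrcSeverity = $update.MsrcSeverity   # Critical / Important / ...; empty for non-security updates
            Downloaded   = $update.IsDownloaded
        }
    }
}

function Test-RebootPending {
    # Either key is created by the servicing stack or Windows Update when a restart is required;
    # until the reboot happens, installed fixes are not fully in effect.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    foreach ($k in $keys) {
        if (Test-Path $k) { return $true }
    }
    return $false
}

function Get-RecentHotFixes {
    param([int]$Days = 45)
    # Updates installed within the last $Days days, most recent first.
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge (Get-Date).AddDays(-$Days) } |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn
}

# Report: pending updates, what was installed recently, and whether a restart is outstanding.
$pending = @(Get-PendingSecurityUpdates)
if ($pending.Count -eq 0) {
    Write-Host "No pending updates reported by Windows Update."
} else {
    Write-Host "Pending updates:"
    $pending | Format-Table -AutoSize
}

Write-Host "Hotfixes installed in the last 45 days:"
Get-RecentHotFixes | Format-Table -AutoSize

if (Test-RebootPending) {
    Write-Warning "A restart is pending; installed updates are not fully effective until the system reboots."
}
```

Run it after Patch Tuesday to confirm that the `Pending updates` list is empty, that the current month's cumulative update appears under recent hotfixes, and that no restart is still outstanding; the `MsrcSeverity` column lets you sort any remaining items by Microsoft's own rating rather than by title.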