MICROSOFT’S May 2026 Patch Tuesday fixed 138 vulnerabilities across a broad swath of the Microsoft portfolio, including Windows and its components, Office, Edge, Azure, .NET, Visual Studio, SQL Server, the Copilot products, and even the Telnet client, which still required a patch in 2026. Of these, 30 bugs are rated Critical, with the remainder ranging from Important to Moderate and Low; none were publicly known or exploited in the wild at release time.
The fixes arrive just days before Pwn2Own Berlin, a timing that vendors say often accelerates release cycles to reduce exposure, and security researchers suggest AI may be influencing vulnerability research given the volume of submissions.
Notable CVEs addressed include CVE-2026-41089, a Windows Netlogon Remote Code Execution with a 9.8 CVSS score that is wormable, CVE-2026-42898 for Dynamics 365 On-Premises with a 9.9 CVSS score, and CVEs affecting the Windows DNS Client and Microsoft Word through the Preview Pane attack vector. Overall, authorities emphasise patching these high‑impact flaws promptly while applying the rest through normal update cycles, according to SecurityAffairs.