May 2026 Patch Tuesday saw Microsoft release updates addressing 137 vulnerabilities across Windows and many Microsoft products, with no zero-day vulnerabilities this month. Of these, 30 are rated Critical, with Elevation of Privilege vulnerabilities again dominating the slate.
Highlights include CVE-2026-42826, a CVSS 10.0 Information Disclosure in Azure DevOps, and two 9.9-rated remote code execution flaws: CVE-2026-33109 in Azure Managed Instance for Apache Cassandra and CVE-2026-42898 in Dynamics 365 On-Premises. Other notable entries include CVE-2026-41096 (Windows DNS Client RCE) and CVE-2026-41089 (Netlogon RCE), both deemed highly significant for enterprise networking.
The article also notes several issues that require no customer action, alongside a range of further Critical and Exploitation More Likely vulnerabilities across Word, Office, and various Azure services. According to SOCRadar, organisations should prioritise patching domain controllers, DNS clients, and on-prem Dynamics 365, while maintaining continuous exposure management to verify that perimeters remain protected.