www.darkreading.com 5/12/2026, 9:31:51 PM · via preferred

Microsoft's May 2026 Patch Tuesday fixes 137 bugs, with no zero-days


It's Patch Tuesday for Microsoft, and there is not a zero-day in sight: this is the first update in nearly two years that includes no actively exploited zero-days. Microsoft's May 2026 update fixes 137 CVEs, of which 13 are likely candidates for exploitation and nine are rated critical, including two in Microsoft Office Word where the Preview Pane is an attack vector.

Among the vulnerabilities with near-maximal CVSS scores of 9.0 or higher are CVE-2026-42898 in Dynamics 365 On-premises, CVE-2026-42823 in Azure Logic Apps, and CVE-2026-33109 in Azure Managed Instance for Apache Cassandra. The update also highlights eight or more high-severity flaws, with the two Word flaws (CVE-2026-40361 and CVE-2026-40364) described as memory-related or remote code execution issues.

More than 500 CVEs had been patched in 2026 by May, placing Microsoft on track to surpass the 2020 annual record of 1,245 disclosed bugs, according to Satnam Narang of Tenable. Tom Gallagher, Microsoft's vice president of engineering, noted that large releases could become the norm as AI accelerates vulnerability discovery. Other notable issues, including CVE-2026-41089 in Windows Netlogon and several AI-related CVEs, further illustrate the evolving risk landscape.


Article by CyberSIXT