Microsoft’s May 2026 Patch Tuesday is now live, delivering fixes for 120 vulnerabilities across its entire product portfolio — one of the heavier monthly releases of 2026 so far. Of these, 29 are rated Critical, all involving remote code execution (RCE). Crucially, Microsoft has confirmed that none of the addressed flaws were exploited in the wild or publicly disclosed before today’s release, giving defenders a short but valuable window to act.
Scale and Scope of the May Update
This cycle’s patches touch Windows core components, Microsoft Office, SharePoint Server, Azure services, Microsoft Dynamics 365, and developer tools including Visual Studio and .NET. The volume and breadth of fixes underscore just how expansive the modern Microsoft attack surface has become — spanning on-premises servers, hybrid identity infrastructure, cloud APIs, and end-user endpoints all at once.
Security operations teams should treat this release as a high-priority deployment event, not a routine maintenance cycle.
Top Critical RCE Vulnerabilities to Patch First
Among the 29 Critical RCE flaws, the following components represent the highest risk due to their exposure and exploitability:
- Microsoft SharePoint Server: A deserialization vulnerability allows an authenticated attacker with low-level site access to execute arbitrary code remotely — a dangerous combination in organizations running public-facing SharePoint portals.
- Microsoft Dynamics 365 (on-premises): An unauthenticated RCE flaw in the REST API surface could allow a remote attacker to compromise the application server without credentials in certain configurations.
- Microsoft Office and Word: Multiple memory corruption bugs can be triggered via crafted documents, and notably, some are exploitable through the Preview Pane — meaning no macro execution or active user interaction is required beyond opening a folder.
- Windows DNS Client: A heap overflow vulnerability in the DNS resolution stack that could potentially be triggered remotely, granting code execution in SYSTEM context on vulnerable Windows machines.
- Windows Netlogon: An RCE bug in the legacy Netlogon remote protocol affects Windows domain controllers, raising the risk of lateral movement from a compromised domain member to core Active Directory infrastructure.
- Native Wi-Fi Miniport Driver: An over-the-air code execution flaw targeting Windows devices with wireless networking capability. An attacker within radio range could exploit this without the device owner taking any action.
Privilege Escalation Flaws — Chaining Risk
This month’s release also addresses a significant number of elevation-of-privilege (EoP) vulnerabilities that are commonly chained with lower-severity initial-access bugs to achieve full system compromise:
- Windows Hyper-V: An EoP flaw enabling guest-to-host privilege escalation. In multi-tenant and private cloud environments, a successful exploit could allow an attacker in a guest VM to escape to the underlying hypervisor.
- Win32k and Windows GDI Graphics: Kernel-mode privilege escalation bugs in these graphics subsystems have historically featured in both APT toolkits and ransomware deployment chains.
- Cloud Files Mini Filter Driver and Volume Manager Extension Driver: Both components receive fixes for local EoP bugs that allow low-privileged users to escalate to SYSTEM — common stepping stones in post-exploitation sequences.
- Windows TCP/IP Stack: Multiple memory safety fixes reduce the risk of network-based exploitation paths.
Azure, Microsoft 365, and Cloud Components
Organizations operating in hybrid or cloud-first environments should review fixes affecting Azure Active Directory (Entra ID) connectors and several Microsoft 365 service components. While Microsoft has not classified these as Critical this cycle, vulnerabilities in identity infrastructure always warrant accelerated attention given the potential blast radius of a compromised identity provider.
Recommended Patching Priority for Enterprise Teams
With 120 fixes to triage, a structured prioritization approach is essential:
- Immediate (24–48 hours): Dynamics 365 on-premises, SharePoint Server, Windows DNS Client, Netlogon — all either internet-facing or core network infrastructure.
- High priority (within 7 days): Office/Word client-side RCE bugs, Win32k and GDI EoP flaws, Hyper-V guest-escape fix, Cloud Files Mini Filter and Volume Manager EoP patches.
- Standard window: Wi-Fi driver (lower exposure for most enterprise fleets unless endpoints are in high-risk physical environments), Azure and M365 connector fixes.
Conclusion
The May 2026 Patch Tuesday does not carry the urgency of an emergency out-of-band release — there are no confirmed zero-days in active exploitation — but its 29 Critical RCE flaws across broadly deployed services make it a release that demands prompt attention. Security teams should fast-track this deployment through their change management pipelines, beginning with internet-exposed and core infrastructure assets.