LmCast :: Stay tuned in

It's Patch Tuesday for Microsoft & Not a Zero-Day In Sight

Recorded: May 13, 2026, 9:09 p.m.

Original

It's the first time in two years with no zero-days. But with 137 flaws to patch, including nine critical ones, admins still have plenty of work to do.

Jai Vijayan, Contributing Writer, May 12, 2026, 5 Min Read. Image: Andrii Yalanskyi via Shutterstock

For the first time in nearly two years, Microsoft's monthly security update featured no actively exploited zero-day vulnerabilities or previously disclosed flaws.

But that welcome reprieve aside, Microsoft's May 2026 update contained fixes for 137 CVEs, 13 of which Microsoft considers likely candidates for exploitation and nine of which the company rated as critical. These include two in Microsoft Office Word, where the Preview Pane is an attack vector, plus five others with near-maximum severity scores of 9.8 or 9.9 on the 10-point CVSS scale.

500 CVEs in 2026 & Counting

This is the third month this year in which Microsoft has disclosed more than 100 CVEs in a Patch Tuesday update. Through May, the company had already patched over 500 CVEs, which puts it on pace to surpass the annual record of 1,245 bugs Microsoft disclosed in 2020, said Satnam Narang, senior staff research engineer at Tenable.

According to Tom Gallagher, Microsoft's vice president of engineering, large releases could soon be the norm, with AI helping researchers uncover more vulnerabilities than before. "This month's release sits on the larger side of a hotpatch month, and we expect releases to continue trending larger for some time," Gallagher said in a blog post. "Advanced AI models are part of the discovery picture and help to accelerate it. They enable us to reason about code paths and configurations at a speed and consistency that would not be possible through manual review alone."

The two Microsoft Office Word vulnerabilities in Microsoft's latest update with the Preview Pane attack vector are CVE-2026-40361 (CVSS 8.4) and CVE-2026-40364 (CVSS 8.4). The former is a memory-related vulnerability that allows a remote attacker to execute code locally on vulnerable systems. CVE-2026-40464 too is a remote code execution (RCE) bug, stemming from a type-confusion issue. Neither vulnerability requires any user interaction: an attacker can trigger the flaws simply by sending a maliciously crafted document. "Outlook's reading pane has long been a common attack vector; a single incoming email can trigger exploitation without the user ever opening it," warned Amol Sarwate, head of security research at Cohesity, in a statement.

Nine Near-Max Severity Vulnerabilities

Among the nine vulnerabilities in the May update with a severity score of 9.0 or greater — a rarity in recent Microsoft Patch Tuesday releases — are three with a near-maximum rating of 9.9 out of 10 on the CVSS scale: CVE-2026-42898, CVE-2026-42823, and CVE-2026-33109.

Of these, CVE-2026-42898, an RCE in Microsoft Dynamics 365 On-premises, is the most pressing. The code-injection flaw enables an authenticated remote attacker to execute arbitrary code. Though an attacker does not require admin or other elevated privileges to exploit the flaw, Microsoft itself has categorized it as one attackers are unlikely to exploit.

But Jack Bicer, director of vulnerability research at Action1, recommended organizations patch it immediately anyway. "With no user interaction required, and the potential to impact systems beyond the vulnerable component's original security scope, this vulnerability poses serious enterprise risk," he said in emailed comments. An attacker who successfully exploits the vulnerability can access customer records, operational workflows, financial information, and integrated business systems, he explained. "Since CRM environments often connect with identity services, databases, and enterprise applications, successful exploitation could lead to broader organizational compromise and operational disruption."

The other two bugs with a 9.9 severity score affect Azure. CVE-2026-42823 is an elevation-of-privilege vulnerability in Azure Logic Apps. According to Microsoft, the company will notify organizations via an Azure Service Health notification if they are impacted by the flaw and provide specific mitigation advice. CVE-2026-33109 is an RCE that affects Azure Managed Instance for Apache Cassandra. Users don't have to do anything to address the flaw because Microsoft has already mitigated it fully. "There is no action for users of this service to take. The purpose of this CVE is to provide further transparency," Microsoft said.

Severe Netlogon Bug Needs Priority Patching

Jason Kikta, security researcher at Automox, highlighted CVE-2026-41089, an RCE in Windows Netlogon, as another flaw that organizations should prioritize. "An attacker sends a crafted network request to a domain controller. No authentication required. No user interaction required. If you've been doing this long enough, the description language sounds sadly familiar," Kikta said in prepared comments. Organizations, he advised, should keep an eye out for unexpected crashes or service restarts of the Netlogon service across their domain controllers. They should also monitor for anomalous Netlogon traffic patterns from non-domain-controller source addresses, particularly malformed requests, authentication failures, or domain trust errors immediately after suspicious network activity hitting a domain controller.

A total of seven CVEs affecting Copilot and Azure AI Foundry highlight the growing exposure that organizations face from AI tools, added Tyler Reguly, associate director of security R&D at Fortra. "Are we aware of all our uses of AI?" Reguly asked in an emailed statement, adding that 6% of the CVEs this month were AI-based. "We know that number is only going to grow from here," he noted. "What other instances of AI might be in use in your organization that are not backed by a company with a regular update schedule like Microsoft?"

About the Author

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Summarized

Microsoft’s monthly security update, Patch Tuesday, contained no actively exploited zero-day vulnerabilities or previously disclosed flaws for the first time in nearly two years, although the update still addressed a substantial number of bugs. Microsoft’s May 2026 release contained fixes for 137 Common Vulnerabilities and Exposures (CVEs), including nine deemed critical, which still required significant attention from administrators. This was the third month of the year with more than 100 CVEs in a single update; through May the company had already patched over 500 CVEs in 2026, putting it on track to surpass the annual disclosure record set in 2020.

Among the numerous fixes, specific attention was drawn to two vulnerabilities in Microsoft Office Word for which the Preview Pane is an attack vector: CVE-2026-40361 and CVE-2026-40364, both with a CVSS score of 8.4. The former is a memory-related flaw that allows remote code execution; the latter is a remote code execution (RCE) bug stemming from a type-confusion issue. Neither requires user interaction, and a maliciously crafted document is enough to trigger them. Security experts noted that Outlook's reading pane has long been a common attack vector, since a single incoming email can trigger exploitation without the user ever opening it.

The severity of the flaws was highlighted by the presence of nine vulnerabilities with a severity score of 9.0 or greater in the May update. Three of these specific flaws—CVE-2026-42898, CVE-2026-42823, and CVE-2026-33109—received a near-maximum rating of 9.9 out of 10 on the CVSS scale. CVE-2026-42898, an RCE flaw in Microsoft Dynamics 365 On-premises, was identified as the most pressing concern. Although Microsoft suggested that attackers were unlikely to exploit this vulnerability, security researchers emphasized the serious enterprise risk, noting that it allows an authenticated remote attacker to execute arbitrary code without requiring elevated privileges. Successful exploitation could lead to the compromise of customer records, operational workflows, and integrated business systems by affecting CRM environments linked to identity services and databases.

The other two 9.9-rated flaws impacted Azure environments: CVE-2026-42823, an elevation-of-privilege vulnerability in Azure Logic Apps, and CVE-2026-33109, an RCE affecting Azure Managed Instance for Apache Cassandra. Microsoft indicated that mitigation for the latter was already fully applied, with no action required from service users; the CVE was published for transparency. Security researchers also singled out CVE-2026-41089 in Windows Netlogon, which allows remote code execution via a crafted network request to a domain controller without requiring authentication or user interaction, and recommended monitoring domain controllers for unexpected Netlogon crashes or restarts and for anomalous Netlogon traffic from non-domain-controller addresses.
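The Automox advice quoted in the article, to watch domain controllers for unexpected Netlogon crashes or restarts and for malformed requests, authentication failures or trust errors arriving from non-domain-controller source addresses, can be turned into a simple correlation check. The Python below is an added example, not code from the article, from Automox or from Microsoft. The log format, the domain controller addresses and the sample lines are constructed for this example; the only real-world detail it relies on is that Windows Service Control Manager event IDs 7031 and 7034 record a service terminating unexpectedly.

```python
"""Detection heuristics for the Netlogon monitoring advice in the article.
Added example: the normalised log format, addresses and sample lines below
are constructed; they are not from the article or from Microsoft."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: addresses of the organisation's domain controllers (assumption).
DOMAIN_CONTROLLERS = {"10.0.0.10", "10.0.0.11"}

# Service Control Manager events for "service terminated unexpectedly".
CRASH_EVENT_IDS = {"7031", "7034"}

# Netlogon request outcomes the article's advice treats as suspicious.
FAILURE_STATUSES = {"malformed", "auth_failure", "trust_error"}

# Constructed sample telemetry, one record per line: ts|host|kind|a|b
#   kind "svc": a = SCM event id, b = service name (on a domain controller)
#   kind "nl":  a = source address of a Netlogon request, b = outcome
SAMPLE_LOG = """\
2026-05-13T09:00:01|dc01|nl|10.0.0.11|ok
2026-05-13T09:00:05|dc01|nl|10.0.0.57|ok
2026-05-13T09:01:10|dc01|nl|172.16.9.200|malformed
2026-05-13T09:01:11|dc01|nl|172.16.9.200|malformed
2026-05-13T09:01:12|dc01|nl|172.16.9.200|auth_failure
2026-05-13T09:01:13|dc01|nl|172.16.9.200|trust_error
2026-05-13T09:01:20|dc01|svc|7034|Netlogon
2026-05-13T09:30:00|dc02|svc|7034|Spooler
2026-05-13T10:15:00|dc02|nl|10.0.0.10|auth_failure
"""


def parse_log(text):
    """Parse the constructed pipe-separated format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, a, b = line.split("|")
        rec = {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind}
        if kind == "svc":
            rec.update(event_id=a, service=b)
        elif kind == "nl":
            rec.update(src=a, status=b)
        else:
            continue  # unknown record kind: ignore rather than guess
        events.append(rec)
    return events


def netlogon_crashes(events):
    """Unexpected terminations of the Netlogon service, as (timestamp, host)."""
    return [(e["ts"], e["host"]) for e in events
            if e["kind"] == "svc" and e["service"] == "Netlogon"
            and e["event_id"] in CRASH_EVENT_IDS]


def anomalous_sources(events, dcs=DOMAIN_CONTROLLERS, threshold=2):
    """Non-DC addresses that produced at least `threshold` failing Netlogon
    requests. DC-to-DC failures are ignored; they are routine between peers."""
    counts = defaultdict(int)
    for e in events:
        if (e["kind"] == "nl" and e["src"] not in dcs
                and e["status"] in FAILURE_STATUSES):
            counts[e["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


def correlate(events, dcs=DOMAIN_CONTROLLERS, window=timedelta(minutes=2)):
    """High-priority alerts: a Netlogon crash on a DC preceded, within
    `window`, by failing Netlogon requests from non-DC sources to that DC."""
    alerts = []
    for ts, host in netlogon_crashes(events):
        prior = [e for e in events
                 if e["kind"] == "nl" and e["host"] == host
                 and e["src"] not in dcs and e["status"] in FAILURE_STATUSES
                 and ts - window <= e["ts"] <= ts]
        if prior:
            alerts.append({
                "host": host,
                "crash_at": ts.isoformat(),
                "suspect_sources": sorted({e["src"] for e in prior}),
                "failures_in_window": len(prior),
            })
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("Netlogon crashes:", netlogon_crashes(evs))
    print("Anomalous non-DC sources:", anomalous_sources(evs))
    for alert in correlate(evs):
        print("ALERT:", alert)
```

On the sample data the Spooler crash on dc02 and the authentication failure from a peer domain controller are both ignored, while the Netlogon crash on dc01 is raised as an alert because four failing requests from a single non-DC address landed on it in the preceding ten seconds. In a real deployment the record source would be Windows System/Security event forwarding and Netlogon debug or network telemetry rather than the constructed format, and the window and threshold would be tuned to the environment's normal failure rate.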

The findings also point to increasing exposure from artificial intelligence tooling. A total of seven CVEs affecting Copilot and Azure AI Foundry were reported, underscoring the growing risks associated with AI tools. Fortra's Tyler Reguly noted that 6% of the vulnerabilities disclosed that month were AI-based and expects that share to keep growing, asking whether organizations know of every AI component in use that is not backed by a vendor with a regular update schedule. Separately, Microsoft’s vice president of engineering, Tom Gallagher, said large releases are likely to become the norm, because advanced AI models let researchers reason about code paths and configurations with a speed and consistency that manual review alone could not match.