
By Jaeson Schultz
Microsoft has released its monthly security update for May 2026, which includes 137 vulnerabilities affecting a range of products, including 31 that Microsoft marked as “critical”.
Microsoft reports that none of the vulnerabilities in this month's release have been observed being actively exploited in the wild. Of the 31 "critical" entries, 16 are remote code execution (RCE) vulnerabilities in Microsoft products and services including Microsoft Office, Microsoft Word, Windows Native WiFi Miniport Driver, Azure, Office for Android, Microsoft Dynamics 365, Windows GDI, Microsoft SharePoint, Windows Graphics Component, Windows Netlogon, and Windows DNS Client.
CVE-2026-32161 is a critical use-after-free vulnerability in the Windows Native WiFi Miniport Driver. A race condition (concurrent execution using a shared resource with improper synchronization) allows an unauthorized attacker to execute code over an adjacent network.
CVE-2026-33109 is a critical access control vulnerability in Azure Managed Instance for Apache Cassandra. Improper access control allows an authorized attacker to execute code over a network.
CVE-2026-33844 is a critical input validation vulnerability in Azure Managed Instance for Apache Cassandra. Improper input validation allows an authorized attacker to execute code over a network.
CVE-2026-35421 is a critical heap-based buffer overflow vulnerability in Windows GDI that allows an unauthorized attacker to execute code locally. For this vulnerability to be exploited, a user would need to open or otherwise process a specially crafted Enhanced Metafile (EMF) file using Microsoft Paint. This action is necessary to trigger the affected graphics functionality in the Windows component.
CVE-2026-40358 is a critical use after free vulnerability in Microsoft Office which allows an unauthorized attacker to execute code locally.
CVE-2026-40361 is a critical use after free vulnerability in Microsoft Word that allows an unauthorized attacker to execute code locally.
CVE-2026-40363 is a critical heap-based buffer overflow in Microsoft Office which allows an unauthorized attacker to execute code locally.
CVE-2026-40364 is a critical heap-based buffer overflow vulnerability in Microsoft Office Word. Access of a resource using an incompatible type ('type confusion') allows an unauthorized attacker to execute code locally.
CVE-2026-40365 is a critical vulnerability affecting Microsoft SharePoint. Insufficient granularity of access control allows an authorized attacker to execute code over a network. In a network-based attack, an authenticated attacker with at least Site Owner permissions could inject arbitrary code and execute it remotely on the SharePoint Server.
CVE-2026-40366 is a critical use after free vulnerability in Microsoft Word which allows an unauthorized attacker to execute code locally.
CVE-2026-40367 is a critical vulnerability affecting Microsoft Word. An untrusted pointer dereference may allow an unauthorized attacker to execute code locally.
CVE-2026-40403 is a critical heap-based buffer overflow vulnerability in Windows Win32K – GRFX that allows an authorized attacker to execute code locally. This vulnerability could lead to a contained execution environment escape. In the case of a Remote Desktop connection, an attacker with control of a Remote Desktop Server could trigger a remote code execution (RCE) on the machine when a victim connects to the attacking server with a vulnerable Remote Desktop Client.
CVE-2026-41089 is a critical stack-based buffer overflow in Windows Netlogon that allows an unauthorized attacker to execute code over a network. An attacker could send a specially crafted network request to a Windows server that is acting as a domain controller. If successful, this could cause the Netlogon service to improperly handle the request, potentially allowing the attacker to run code on the affected system without needing to sign in or have prior access.
CVE-2026-41096 is a critical heap-based overflow vulnerability in Windows DNS Client. An attacker could exploit this vulnerability by sending a specially crafted DNS response to a vulnerable Windows system, causing the DNS Client to incorrectly process the response and corrupt memory. In certain configurations, this could allow the attacker to run code remotely on the affected system without authentication.
CVE-2026-42831 is a critical heap-based buffer overflow vulnerability in Office for Android that allows an unauthorized attacker to execute code locally. An attacker must send a user a malicious Office file and convince them to open it.
CVE-2026-42898 is a critical code injection vulnerability in Microsoft Dynamics 365 (on-premises). Improper control of generation of code ('code injection') allows an authorized attacker to execute code over a network. An attacker with the required permissions could modify the saved state of a process session in Dynamics CRM and trigger the system to process that data, which could result in the server unintentionally executing malicious code.
Talos would also like to highlight the following "important" vulnerabilities, as Microsoft has determined that their exploitation is "more likely":
- CVE-2026-33835: Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
- CVE-2026-33837: Windows TCP/IP Local Elevation of Privilege Vulnerability
- CVE-2026-33840: Win32k Elevation of Privilege Vulnerability
- CVE-2026-33841: Windows Kernel Elevation of Privilege Vulnerability
- CVE-2026-35416: Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
- CVE-2026-35417: Windows Win32k Elevation of Privilege Vulnerability
- CVE-2026-40369: Windows Kernel Elevation of Privilege Vulnerability
- CVE-2026-40397: Windows Common Log File System Driver Elevation of Privilege Vulnerability
- CVE-2026-40398: Windows Remote Desktop Services Elevation of Privilege Vulnerability
A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.
In response to these vulnerability disclosures, Talos is releasing a new Snort ruleset that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Ruleset customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Snort 2 rules included in this release that protect against the exploitation of many of these vulnerabilities are: 1:66438-1:66445, 1:66451-1:66460, and 1:66470-1:66476.
The following Snort 3 rules are also available: 1:301494-1:301497, 1:301500-1:301506, 1:66472-1:66473, and 1:66476.
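A practical follow-up to the rule ranges above is to confirm that the SIDs actually landed in the ruleset you deploy. The script below is an added example, not Talos code and not part of the original post: it expands the gid:sid ranges exactly as printed above, pulls the (gid, sid) pairs out of a rules file, and reports which of the advisory's SIDs are present, missing, or disabled. The sample ruleset embedded in it is constructed for illustration (placeholder rule bodies, not real Talos signatures); point `extract_rule_ids` at your own `.rules` file contents in practice. Note that a rule with a non-default `gid` (e.g. a preprocessor rule with `gid:3`) does not satisfy a `1:<sid>` entry, which is why the check keys on the pair rather than the sid alone.

```python
"""Check which Snort SIDs named in a Patch Tuesday advisory are present in a local rules file."""
from __future__ import annotations

import re

# Rule ranges as printed in the advisory above ("gid:sid-gid:sid" or a single "gid:sid").
SNORT2_RANGES = "1:66438-1:66445, 1:66451-1:66460, and 1:66470-1:66476"
SNORT3_RANGES = "1:301494-1:301497, 1:301500-1:301506, 1:66472-1:66473, and 1:66476"

# Constructed sample ruleset for this example only; bodies are placeholders, not Talos rules.
SAMPLE_RULES = """\
# constructed sample ruleset
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SAMPLE rule A"; flow:to_server,established; sid:66438; rev:1;)
alert udp any 53 -> $HOME_NET any (msg:"SAMPLE rule B"; sid:66472; gid:1; rev:2;)
# alert tcp any any -> any any (msg:"SAMPLE disabled rule"; sid:66439; rev:1;)
alert tcp any any -> any any (msg:"SAMPLE preprocessor rule"; gid:3; sid:66440; rev:1;)
"""

_RANGE_RE = re.compile(r"(\d+):(\d+)(?:-(\d+):(\d+))?")
_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
_GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")


def parse_sid_ranges(text: str) -> set[tuple[int, int]]:
    """Expand every 'gid:lo-gid:hi' range and single 'gid:sid' entry into a set of (gid, sid)."""
    out: set[tuple[int, int]] = set()
    for m in _RANGE_RE.finditer(text):
        gid, lo = int(m.group(1)), int(m.group(2))
        if m.group(3) is None:          # single entry such as "1:66476"
            out.add((gid, lo))
            continue
        gid_hi, hi = int(m.group(3)), int(m.group(4))
        if gid_hi != gid or hi < lo:    # a range must stay within one gid and run upward
            raise ValueError(f"malformed range: {m.group(0)}")
        out.update((gid, sid) for sid in range(lo, hi + 1))
    return out


def extract_rule_ids(rules_text: str) -> set[tuple[int, int]]:
    """Collect (gid, sid) from each active rule line; '#'-commented rules are skipped, gid defaults to 1."""
    ids: set[tuple[int, int]] = set()
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid = _SID_RE.search(line)
        if not sid:
            continue
        gid = _GID_RE.search(line)
        ids.add((int(gid.group(1)) if gid else 1, int(sid.group(1))))
    return ids


def coverage(expected: set[tuple[int, int]], present: set[tuple[int, int]]):
    """Return (covered, missing) as sorted lists of (gid, sid) from the advisory's expected set."""
    return sorted(expected & present), sorted(expected - present)


def report(label: str, ranges: str, rules_text: str) -> str:
    expected = parse_sid_ranges(ranges)
    covered, missing = coverage(expected, extract_rule_ids(rules_text))
    lines = [f"{label}: {len(covered)}/{len(expected)} advisory SIDs present"]
    lines += [f"  missing {gid}:{sid}" for gid, sid in missing]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("Snort 2", SNORT2_RANGES, SAMPLE_RULES))
    print(report("Snort 3", SNORT3_RANGES, SAMPLE_RULES))
```

Run against the constructed sample, the report shows only 1:66438 and 1:66472 covered for the Snort 2 ranges: 1:66439 is commented out and 3:66440 sits under a different gid, so both are correctly listed as missing.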
Source: Cisco Talos
Source Link: https://blog.talosintelligence.com/microsoft-patch-tuesday-may-2026/