Microsoft’s May 2026 Patch Tuesday has arrived, addressing a substantial 120 security vulnerabilities across its product portfolio — with 17 rated Critical and no zero-day exploits actively targeted in the wild at time of release.
What Was Patched This Month?
May 2026’s Patch Tuesday is one of the larger monthly releases, covering 120 Common Vulnerabilities and Exposures (CVEs). The breakdown by severity is as follows:
- Critical: 17 vulnerabilities
- Important: 101 vulnerabilities
- Moderate: 2 vulnerabilities
By vulnerability type, the release is dominated by Elevation of Privilege (EoP) flaws at 61, followed by Remote Code Execution (RCE) at 31. This pattern is consistent with recent Patch Tuesday releases, where privilege escalation bugs are increasingly common as attackers seek to gain SYSTEM-level access once they have an initial foothold.
Notable Critical Vulnerabilities
CVE-2026-35421 — Windows GDI Remote Code Execution
One of the most concerning critical vulnerabilities this month is a Remote Code Execution flaw in the Windows Graphics Device Interface (GDI). Attackers could exploit this by convincing a user to open a specially crafted Enhanced Metafile (EMF) file, potentially executing malicious code with the victim’s privileges. This type of file-borne attack is a common delivery mechanism via phishing emails and compromised websites.
CVE-2026-40365 — Microsoft SharePoint Server RCE (Authenticated)
An authenticated Remote Code Execution vulnerability in SharePoint Server means that an attacker who has obtained valid credentials — potentially via phishing or credential stuffing — could execute code on the server. While authentication is required, this remains high severity given SharePoint’s role as a central collaboration hub in many organisations.
CVE-2026-41096 — Windows DNS Client RCE
A critical RCE in the Windows DNS Client is particularly noteworthy because DNS is a foundational network service running on virtually every Windows device. Successful exploitation could allow an attacker to execute arbitrary code through a malicious DNS response, potentially without any user interaction.
Third-Party Patches: Palo Alto and Fortinet
This month’s security update cycle also included significant patches from major security vendors:
- Palo Alto Networks released a patch addressing a zero-day vulnerability in its firewall and network security products. Zero-days in security appliances are particularly dangerous as these devices are designed to protect the network perimeter.
- Fortinet issued patches for critical flaws in its FortiGate and related products. Fortinet vulnerabilities have been a recurring theme in recent cybersecurity incidents, with threat actors actively targeting unpatched devices.
Why Prompt Patching Matters
While no zero-days were actively exploited at the time of release this month, historical data shows that attackers often begin scanning for and exploiting newly disclosed vulnerabilities within days of a Patch Tuesday release. The gap between disclosure and patch deployment is a window of opportunity for threat actors.
For UK businesses, this is particularly relevant given the Information Commissioner’s Office (ICO) guidance on maintaining up-to-date software as part of reasonable technical security measures under UK GDPR. A known, unpatched vulnerability that leads to a breach could be considered negligent.
How BIT Tech Can Help
Keeping on top of monthly patch cycles across a fleet of Windows devices, servers, and network appliances is a significant operational challenge. At BIT Tech IT Solutions, we provide managed IT support services that include proactive patch management — ensuring your systems are updated promptly and tested before full deployment.
If you’re concerned about your current patching posture or want to discuss how we can help secure your IT infrastructure, get in touch with our team today.
