Microsoft Patch Tuesday May 2026 - Summary
Read Blog 
Watch webinar 94
Patches
120
Vulnerabilities
33
Articles
7
Impacts
CVE Index for May 2026 Patch Tuesday Updates
Critical Vulnerabilities
Zero-day vulnerabilities
Microsoft Windows
Microsoft
Office
Microsoft .NET
Others
| Vulnerable Component | Impact | CVE ID |
|---|---|---|
| Microsoft Dynamics 365 On-Premises | Remote Code Execution | CVE-2026-42898 |
| Microsoft Office | Remote Code Execution | CVE-2026-42831 |
| Microsoft SSO Plugin for Jira & Confluence | Elevation of Privilege | CVE-2026-41103 |
| Windows DNS Client | Remote Code Execution | CVE-2026-41096 |
| Windows Netlogon | Remote Code Execution | CVE-2026-41089 |
| Windows Graphics Component | Remote Code Execution | CVE-2026-40403 |
| Windows Hyper-V | Elevation of Privilege | CVE-2026-40402 |
| Microsoft Word | Remote Code Execution | CVE-2026-40367 |
| Microsoft Word | Remote Code Execution | CVE-2026-40366 |
| Microsoft SharePoint Server | Remote Code Execution | CVE-2026-40365 |
| Microsoft Word | Remote Code Execution | CVE-2026-40364 |
| Microsoft Office | Remote Code Execution | CVE-2026-40363 |
| Microsoft Word | Remote Code Execution | CVE-2026-40361 |
| Microsoft Office | Remote Code Execution | CVE-2026-40358 |
| Windows GDI | Remote Code Execution | CVE-2026-35421 |
| Windows Native WiFi Miniport Driver | Remote Code Execution | CVE-2026-32161 |
| No Zero-Day CVE for this Patch Tuesday |
| CVE ID | Severity | Impact |
|---|---|---|
| CVE-2026-42896 | Important | Elevation of Privilege |
| CVE-2026-41097 | Important | Security Feature Bypass |
| CVE-2026-41094 | Important | Remote Code Execution |
| CVE-2026-42833 | Important | Remote Code Execution |
| CVE-2026-41088 | Important | Elevation of Privilege |
| CVE-2026-41086 | Important | Elevation of Privilege |
| CVE-2026-40415 | Important | Remote Code Execution |
| CVE-2026-40414 | Important | Denial of Service |
| CVE-2026-40413 | Important | Denial of Service |
| CVE-2026-40410 | Important | Elevation of Privilege |
| CVE-2026-40408 | Important | Elevation of Privilege |
| CVE-2026-40407 | Important | Elevation of Privilege |
| CVE-2026-40406 | Important | Information Disclosure |
| CVE-2026-40405 | Important | Denial of Service |
| CVE-2026-40401 | Important | Denial of Service |
| CVE-2026-40399 | Important | Elevation of Privilege |
| CVE-2026-40398 | Important | Elevation of Privilege |
| CVE-2026-40397 | Important | Elevation of Privilege |
| CVE-2026-40382 | Important | Elevation of Privilege |
| CVE-2026-40380 | Important | Remote Code Execution |
| CVE-2026-40377 | Important | Elevation of Privilege |
| CVE-2026-40369 | Important | Elevation of Privilege |
| CVE-2026-42825 | Important | Elevation of Privilege |
| CVE-2026-35438 | Important | Elevation of Privilege |
| CVE-2026-35424 | Important | Denial of Service |
| CVE-2026-35423 | Important | Information Disclosure |
| CVE-2026-35422 | Important | Security Feature Bypass |
| CVE-2026-35420 | Important | Elevation of Privilege |
| CVE-2026-35419 | Important | Information Disclosure |
| CVE-2026-35418 | Important | Elevation of Privilege |
| CVE-2026-35417 | Important | Elevation of Privilege |
| CVE-2026-35416 | Important | Elevation of Privilege |
| CVE-2026-35415 | Important | Elevation of Privilege |
| CVE-2026-34351 | Important | Elevation of Privilege |
| CVE-2026-34350 | Important | Denial of Service |
| CVE-2026-34347 | Important | Elevation of Privilege |
| CVE-2026-34345 | Important | Elevation of Privilege |
| CVE-2026-34344 | Important | Elevation of Privilege |
| CVE-2026-34343 | Important | Elevation of Privilege |
| CVE-2026-34342 | Important | Elevation of Privilege |
| CVE-2026-34341 | Important | Elevation of Privilege |
| CVE-2026-34340 | Important | Elevation of Privilege |
| CVE-2026-34339 | Important | Denial of Service |
| CVE-2026-34338 | Important | Elevation of Privilege |
| CVE-2026-34337 | Important | Elevation of Privilege |
| CVE-2026-34336 | Important | Information Disclosure |
| CVE-2026-34334 | Important | Elevation of Privilege |
| CVE-2026-34333 | Important | Elevation of Privilege |
| CVE-2026-34332 | Important | Remote Code Execution |
| CVE-2026-34331 | Important | Elevation of Privilege |
| CVE-2026-34330 | Important | Elevation of Privilege |
| CVE-2026-34329 | Important | Remote Code Execution |
| CVE-2026-33841 | Important | Elevation of Privilege |
| CVE-2026-33840 | Important | Elevation of Privilege |
| CVE-2026-33839 | Important | Elevation of Privilege |
| CVE-2026-33838 | Important | Elevation of Privilege |
| CVE-2026-33837 | Important | Elevation of Privilege |
| CVE-2026-33835 | Important | Elevation of Privilege |
| CVE-2026-33834 | Important | Elevation of Privilege |
| CVE-2026-32209 | Important | Security Feature Bypass |
| CVE-2026-32170 | Important | Elevation of Privilege |
| CVE-2026-21530 | Important | Elevation of Privilege |
| CVE ID | Severity | Impact |
|---|---|---|
| CVE-2026-41102 | Important | Spoofing |
| CVE-2026-41101 | Important | Spoofing |
| CVE-2026-40421 | Important | Information Disclosure |
| CVE-2026-40420 | Important | Elevation of Privilege |
| CVE-2026-40419 | Important | Elevation of Privilege |
| CVE-2026-40418 | Important | Elevation of Privilege |
| CVE-2026-42832 | Important | Spoofing |
| CVE-2026-40370 | Important | Remote Code Execution |
| CVE-2026-40368 | Important | Remote Code Execution |
| CVE-2026-40362 | Important | Remote Code Execution |
| CVE-2026-40360 | Important | Information Disclosure |
| CVE-2026-40359 | Important | Remote Code Execution |
| CVE-2026-40357 | Important | Remote Code Execution |
| CVE-2026-35440 | Important | Information Disclosure |
| CVE-2026-35439 | Important | Remote Code Execution |
| CVE-2026-35436 | Important | Elevation of Privilege |
| CVE-2026-33112 | Important | Remote Code Execution |
| CVE-2026-33110 | Important | Remote Code Execution |
| CVE-2026-32185 | Important | Spoofing |
| CVE ID | Severity | Impact |
|---|---|---|
| CVE-2026-42899 | Important | Denial of Service |
| CVE-2026-41613 | Important | Elevation of Privilege |
| CVE-2026-41612 | Important | Information Disclosure |
| CVE-2026-41611 | Important | Remote Code Execution |
| CVE-2026-35433 | Important | Elevation of Privilege |
| CVE-2026-41610 | Important | Security Feature Bypass |
| CVE-2026-32177 | Important | Elevation of Privilege |
| CVE-2026-32175 | Important | Tampering |
| CVE-2026-41109 | Important | Security Feature Bypass |
| CVE ID | Severity | Impact |
|---|---|---|
| CVE-2026-40381 | Important | Elevation of Privilege |
| CVE-2026-42830 | Important | Elevation of Privilege |
| CVE-2026-42823 | Important | Elevation of Privilege |
| CVE-2026-33833 | Important | Spoofing |
| CVE-2026-33117 | Important | Security Feature Bypass |
| CVE-2026-32204 | Important | Elevation of Privilege |
| Vulnerable Component | CVE ID | Severity | Impact |
|---|---|---|---|
| Data Deduplication | CVE-2026-41095 | Important | Elevation of Privilege |
| Microsoft 365 Copilot for Android | CVE-2026-41100 | Important | Spoofing |
| Microsoft Outlook for iOS | CVE-2026-42893 | Important | Tampering |
| Microsoft Power Automate Desktop | CVE-2026-40374 | Important | Information Disclosure |
| OpenTelemetry-Go multi-value `baggage` header extraction causes excessive allocations (remote dos amplification) | CVE-2026-29181 | Important | Security Vulnerability |
| M365 Copilot for Desktop | CVE-2026-41614 | Important | Spoofing |
| Microsoft Dynamics 365 Business Central | CVE-2026-40417 | Important | Elevation of Privilege |
Previous Patch Tuesday Updates and Fixes
Microsoft Windows Patch Tuesday - Overview
What is Patch Tuesday?
Patch Tuesday or Update Tuesday is the common name for the second Tuesday of every month when Microsoft releases security updates for its operating system and other software. Coinciding with the Patch Tuesday, several other vendors such as Oracle, Mozilla, Adobe, and many others roll out updates for the third-party applications.
When is Patch Tuesday?
Patch Tuesday falls on the second Tuesday of each month. The upcoming Patch Tuesday is on Jun 16, 2026.
What is patching and why is it important?
Patches are nothing but pieces of software code that are written to fix a bug in a software application, that might lead to a vulnerability. Such vulnerabilities in any application are loop holes for attackers to get their hands on business critical data and information. So it is highly crucial to keep all the applications in a network updated to its latest versions. Updating applications in mobile phones and laptops also work in the same manner by preventing theft of personal data, through security flaws.
What kind of patch updates are released during Patch Tuesday?
Predominantly security patch updates of varying severity like Critical, Important, Moderate & Low are labeled and released. Effective Windows patch management involves prioritizing these based on severity, automating deployment, and ensuring rollback or compatibility testing. It is always a best practice to prioritize your patching based on the severity level mentioned.
What are CVE IDs?
CVE ID - Common Vulnerabilities and Exposure ID is a format in which each vulnerability is disclosed and cataloged in the National Vulnerability Database (NVD). You can look up for a detailed explanation of each vulnerability in the NVD with the help of CVE ID. In Patch Manager Plus you can make use of these CVE IDs to fetch the appropriate patches to deploy. You can find the CVE IDs here.
How to register for ManageEngine's Free Patch Tuesday webinar?
The upcoming Free Patch Tuesday webinar by ManageEngine is scheduled on -. You can make your registrations here.
Where can I find more details about individual bulletins?
Each CVE ID listed in the CVE Index section has been linked to its security advisory.