# May 2026 Patch Tuesday comes with fixes for 120 Vulnerabilities, no zero-days reported! May arrives with warmer days, summer plans, and another important Patch Tuesday release from Microsoft. This month’s release fixes 120 vulnerabilities across Windows, Office, and other Microsoft products, with no publicly disclosed zero-days reported. The update includes several critical Remote Code Execution (RCE) and Elevation of Privilege flaws that could allow attackers to gain unauthorized access or execute malicious code on affected systems. Organizations should prioritize applying these updates to reduce security risks and strengthen their defenses against evolving cyber threats. ## May 2026 Security Updates Lineup - Total CVEs fixed: 120 - Critical vulnerabilities: 16 ## Affected Products, Features, and Roles Security updates have been released for several critical Microsoft products, including: - Windows Kernel - Microsoft Office - Microsoft Office SharePoint - SQL Server - .NET and Visual Studio - Microsoft Edge - Azure-related services and components To view the complete list of affected products, features, and roles, please refer to the [MSRC Release Notes](https://msrc.microsoft.com/update-guide/releaseNote/2026-May). ## Vulnerability Breakdown Patch Tuesday wouldn’t be complete without a breakdown of the vulnerability types. Here’s how this month’s vulnerabilities are distributed: - **Elevation of Privilege Vulnerabilities (58):** Attackers could gain admin-level access from a normal user account and take greater control of the system. - **Remote Code Execution Vulnerabilities (29):** Attackers could run harmful code on a system remotely, often without needing direct access to the device. - **Information Disclosure Vulnerabilities (9):** Sensitive information like credentials or system data could be exposed to unauthorized users. - **Denial of Service Vulnerabilities (8):** Attacks that halt services, causing significant disruption. - **Spoofing Vulnerabilities (7):** Attackers may pretend to be a trusted user or service to mislead users or gain unauthorized access. - **Security Feature Bypass Vulnerabilities (6):** These flaws may let attackers get around built-in security protections and avoid certain defenses. - **Tampering (3):** Attackers could modify data, files, or configurations in an unauthorized way, potentially impacting system integrity. ## Third-party Security Updates Several vendors have issued critical security patches this month: - **Adobe** released security patches for multiple Creative Cloud and Commerce products. - **AMD** fixed a privilege escalation flaw affecting Zen 2-based processors. - **Apple** issued security updates across macOS, iOS, iPadOS, watchOS, visionOS, and tvOS. - **Cisco** patched multiple vulnerabilities, including a denial-of-service flaw. - **Fortinet** addressed two critical flaws in FortiSandbox and FortiAuthenticator. - **Google** released Android May updates fixing 10 vulnerabilities. - **Ivanti** fixed an actively exploited remote code execution flaw in Endpoint Manager Mobile. - **Mozilla** patched five security vulnerabilities in Firefox. - **Palo Alto Networks** warned of an actively exploited PAN-OS zero-day vulnerability. - **SAP** released fixes for multiple high-severity and critical vulnerabilities. - **vm2** patched a critical vulnerability in its Node.js sandboxing library. May arrives with brighter days, but the threat landscape shows no signs of clearing. Organizations are encouraged to review this month's updates and apply the necessary patches promptly to maintain a secure and resilient environment. With [Endpoint Central](https://www.manageengine.com/products/desktop-central/), [Patch Manager Plus](https://www.manageengine.com/patch-management/index1.html), and [Vulnerability Manager Plus](https://www.manageengine.com/vulnerability-management/), you can streamline the entire patch management process: from testing patches to deploying them to mitigating vulnerabilities effectively. You can also tailor patch tasks according to your enterprise needs.