May 2026 Monthly Patch
13 May 2026
Microsoft has released security patches to address multiple vulnerabilities in their software and products.
The vulnerabilities that have been classified as Critical in severity are listed in the table below.
For the full list of security patches released by Microsoft, please refer to https://msrc.microsoft.com/update-guide/en-us/releaseNote/2026-May
Critical Vulnerabilities
CVE Number | CVE Name | Base Score | Reference |
|---|---|---|---|
CVE-2026-42826 | Azure DevOps Information Disclosure Vulnerability | 10.0 | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42826 |
CVE-2026-42898 | Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability | 9.9 | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42898 |
CVE-2026-33109 | Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability | 9.9 | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-33109 |
CVE-2026-31718 | ksmbd: fix use-after-free in __ksmbd_close_fd() via durable scavenger | 9.8 | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-31718 |
CVE-2026-31705 | ksmbd: fix out-of-bounds write in smb2_get_ea() EA alignment | 9.8 | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-31705 |
CVE-2026-41089 | Windows Netlogon Remote Code Execution Vulnerability | 9.8 | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-41089 |
CVE-2026-41096 | Windows DNS Client Remote Code Execution Vulnerability | 9.8 | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-41096 |
CVE-2026-33823 | Microsoft Team Events Portal Information Disclosure Vulnerability | 9.6 | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-33823 |
CVE-2026-35428 | Azure Cloud Shell Spoofing Vulnerability | 9.6 | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-35428 |
CVE-2026-40402 | Windows Hyper-V Elevation of Privilege Vulnerability | 9.3 | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-40402 |
CVE-2026-40379 | Microsoft Enterprise Security Token Service (ESTS) Spoofing Vulnerability | 9.3 | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-40379 |
CVE-2026-41103 | Microsoft SSO Plugin for Jira & Confluence Elevation of Privilege Vulnerability | 9.1 | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-41103 |
CVE-2026-33844 | Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability | 9.0 | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-33844 |
CVE-2026-40403 | Windows Graphics Component Remote Code Execution Vulnerability | 8.8 | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-40403 |
CVE-2026-40365 | Microsoft SharePoint Server Remote Code Execution Vulnerability | 8.8 | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-40365 |
CVE-2026-32207 | Azure Machine Learning Notebook Spoofing Vulnerability | 8.8 | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-32207 |
CVE-2026-35435 | Azure AI Foundry Elevation of Privilege Vulnerability | 8.6 | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-35435 |
CVE-2026-40367 | Microsoft Word Remote Code Execution Vulnerability | 8.4 | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-40367 |
CVE-2026-40366 | Microsoft Word Remote Code Execution Vulnerability | 8.4 | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-40366 |
CVE-2026-40364 | Microsoft Word Remote Code Execution Vulnerability | 8.4 | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-40364 |
CVE-2026-40361 | Microsoft Word Remote Code Execution Vulnerability | 8.4 | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-40361 |
CVE-2026-40363 | Microsoft Office Remote Code Execution Vulnerability | 8.4 | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-40363 |
CVE-2026-40358 | Microsoft Office Remote Code Execution Vulnerability | 8.4 | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-40358 |
CVE-2026-34327 | Microsoft Partner Center Spoofing Vulnerability | 8.2 | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-34327 |
CVE-2026-41105 | Azure Monitor Action Group Notification System Elevation of Privilege Vulnerability | 8.1 | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-41105 |
CVE-2026-35421 | Windows GDI Remote Code Execution Vulnerability | 7.8 | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-35421 |
CVE-2026-42831 | Microsoft Office Remote Code Execution Vulnerability | 7.8 | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-42831 |
CVE-2026-33821 | Microsoft Dynamics 365 Customer Insights Elevation of Privilege Vulnerability | 7.7 | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-33821 |
CVE-2026-32161 | Windows Native WiFi Miniport Driver Remote Code Execution Vulnerability | 7.5 | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-32161 |
CVE-2026-26164 | M365 Copilot Information Disclosure Vulnerability | 7.5 | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-26164 |
CVE-2026-26129 | M365 Copilot Information Disclosure Vulnerability | 7.5 | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-26129 |
CVE-2026-33111 | Copilot Chat (Microsoft Edge) Information Disclosure Vulnerability | 7.5 | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-33111 |
CVE-2026-6722 | Use-After-Free in SOAP using Apache map | TBD | https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2026-6722 |
