Microsoft has marked May 2026 Patch Tuesday by releasing fixes for 120+ CVE-numbered vulnerabilities, none of which (for a change) are actively exploited or have been publicly disclosed.
Still, some deserve more consideration and should be addressed sooner than others.
Patches to prioritize
For Satnam Narang, senior staff research engineer at Tenable, the four critical remote code execution bugs in Microsoft Word stand out in this release, and especially the two (CVE-2026-40361, CVE-2026-40364) that have been deemed by Microsoft more likely to be exploited.
“These flaws could be exploited by an attacker who sends a malicious document to a target. The other common thread across these vulnerabilities is that a target doesn’t need to even open the document to trigger the exploit. Exploitation is possible just by viewing a malicious document in the Preview Pane. Therefore, patching is the most reliable way to protect against flaws like these,” he explained.
Jason Kikta, CTO at Automox, says that CVE-2026-41089, a stack-based buffer overflow in Windows Netlogon that could lead to remote code execution, should be patched on all domain controllers in the same maintenance window.
“Half-patched forests are not a defensible state for a pre-auth DC bug,” he noted.
The vulnerability can be triggered by a specially crafted network request to a Windows server that is acting as a domain controller, and may allow the attacker to run code on the affected system without needing to sign in or have prior access, Microsoft explained.
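One way to confirm that a forest is not left half-patched before the maintenance window is declared closed is to query every domain controller for the update. The script below is an added example, not from the article or from Microsoft; it assumes the RSAT ActiveDirectory module is available, that the caller has remote WMI/DCOM rights on the DCs, and that the KB identifiers of the May update (and any later cumulative update that supersedes it) are passed in, since the article does not give them.

```powershell
# Added example: audit every domain controller in the forest for a given
# update and fail if any DC lacks it. KB identifiers are assumptions passed
# by the caller; the article names no KB numbers. Later cumulative updates
# supersede earlier ones, so pass every KB that carries the fix.
param(
    [Parameter(Mandatory)] [string[]] $KbIds   # e.g. 'KB0000000' (placeholder)
)

Import-Module ActiveDirectory

$results = foreach ($domain in (Get-ADForest).Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        $hotfix = $null
        $err = $null
        try {
            # Win32_QuickFixEngineering on the remote DC; any listed KB counts.
            $hotfix = Get-HotFix -Id $KbIds -ComputerName $dc.HostName -ErrorAction Stop
        } catch {
            # Unreachable or access denied: treat as unknown, i.e. not verified.
            $err = $_.Exception.Message
        }
        [pscustomobject]@{
            Domain    = $domain
            DC        = $dc.HostName
            Site      = $dc.Site
            Patched   = [bool]$hotfix
            Installed = if ($hotfix) { ($hotfix | Select-Object -First 1).InstalledOn } else { $null }
            Error     = $err
        }
    }
}

$results | Sort-Object Patched, Domain, DC | Format-Table -AutoSize

# A DC that could not be queried is reported as unpatched on purpose: an
# unverified DC is not a patched DC.
$missing = @($results | Where-Object { -not $_.Patched })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} of {1} domain controllers are not verified as patched ({2})." -f
        $missing.Count, @($results).Count, ($KbIds -join ', '))
    exit 1
}
```

Run it from an administrative host with `.\Check-DcPatch.ps1 -KbIds KB...` (hypothetical file name) and treat a non-zero exit as a signal to keep the window open.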
Aside from patching, he also advises restricting Netlogon traffic at the network layer. “Domain controllers do not need to accept Netlogon from arbitrary segments,” he opined.
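Netlogon (MS-NRPC) reaches a domain controller either over the named pipe \PIPE\NETLOGON, which rides SMB on TCP 445, or over TCP RPC, which means the endpoint mapper on TCP 135 plus the dynamic RPC port range. Restricting it at the network layer on the host itself therefore comes down to narrowing the remote-address scope of the inbound allow rules that expose those ports. The script below is an added example, not code from the article or from Automox; the subnets are placeholders for an organisation's own DC, admin and domain-member segments. Because every domain member uses Netlogon for authentication and its secure channel, the allow list must include all member subnets; what gets excluded is DMZ, guest, OT and other segments that have no business talking to a DC.

```powershell
# Added example: scope the inbound allow rules that expose Netlogon's
# transports (SMB 445, RPC endpoint mapper 135, dynamic RPC) to trusted
# subnets. Subnet values are placeholders. Run on each DC (or deploy the
# equivalent via Group Policy); leave -WhatIf in place until the output
# looks right, then remove it.

$trustedSubnets = @(
    '10.10.0.0/24',   # placeholder: DC subnet (replication partners need these ports too)
    '10.20.0.0/24',   # placeholder: administrative jump hosts
    '10.100.0.0/16'   # placeholder: domain-member workstation and server segments
)

# LocalPort values Windows Firewall uses for the relevant built-in rules:
# literal ports plus the 'RPC' and 'RPC-EPMap' keywords.
$netlogonPorts = @('445', '135', 'RPC', 'RPC-EPMap')

# Every enabled inbound allow rule that exposes one of those ports.
$rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $ports = @(($_ | Get-NetFirewallPortFilter).LocalPort)
        @($ports | Where-Object { $netlogonPorts -contains $_ }).Count -gt 0
    }

foreach ($rule in $rules) {
    $before = ($rule | Get-NetFirewallAddressFilter).RemoteAddress -join ','
    Write-Host ("{0}: remote scope {1} -> {2}" -f $rule.DisplayName, $before, ($trustedSubnets -join ','))
    # Narrow the rule's remote scope. With the profile's default inbound
    # action set to Block, traffic to these ports from any other source is dropped.
    Set-NetFirewallRule -Name $rule.Name -RemoteAddress $trustedSubnets -WhatIf
}

# Scoping allow rules achieves nothing if the default inbound action is Allow.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
```

This is host-based filtering on the DC and complements, rather than replaces, the same restriction on the network fabric between segments; it also does not distinguish Netlogon from other RPC and SMB traffic on those ports, so the trusted list has to cover everything that legitimately needs them.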
CVE-2026-40402 is an elevation of privilege vulnerability in Hyper-V, Windows’ built-in hypervisor, which lets users run multiple virtual machines on a single physical computer.
This issue could allow a malicious guest VM to force the host’s kernel to read from a memory address of the attacker’s choosing, and potentially set the stage for a guest-to-host escalation.
Though the vulnerability is less likely to be exploited (according to Microsoft), Kikta advises organizations to patch multi-tenant virtual desktop infrastructure, on-premises virtualization with untrusted workloads, or any Hyper-V host running guests they don’t fully control.
Finally, CVE-2026-41096 can be exploited by sending a specially crafted DNS response to a Windows system with a vulnerable DNS Client.
“In certain configurations, this could allow the attacker to run code remotely on the affected system without authentication,” Microsoft noted, but did not specify the susceptible configurations.
Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, pointed out that since the DNS Client runs on virtually every Windows machine, the attack surface is enormous.
“An attacker with a position to influence DNS responses (MitM, rogue server) could achieve unauthenticated RCE across your enterprise,” he explained.
Kikta advised organizations to patch all Windows servers and endpoints. “Any Windows host issuing a DNS query is potentially in scope, which includes every workstation sitting behind a compromised resolver,” he pointed out.