Microsoft Fixes 120 Security Vulnerabilities in May Patch Tuesday Updates

Microsoft Security Response Center has released its May 2026 Patch Tuesday updates, addressing 120 security vulnerabilities across Windows, Office, Edge and Microsoft cloud services.

The latest security rollout includes 30 vulnerabilities classified as critical severity issues, while the remaining flaws are categorized as high risk. Microsoft says none of the vulnerabilities are currently known to be actively exploited in the wild.

Windows Receives 66 Security Fixes

A total of 66 vulnerabilities patched this month affect supported versions of Windows 11, Windows 10 and Windows Server platforms.

Among the most serious flaws is CVE-2026-41096, a critical remote code execution vulnerability impacting the Windows DNS client. Because the DNS client operates on virtually all Windows systems, security researchers consider the flaw especially dangerous.

According to Microsoft, attackers could exploit the vulnerability through malicious DNS responses, potentially allowing arbitrary code execution on affected machines.

Another major issue, CVE-2026-41089, targets Windows Netlogon. The vulnerability could reportedly allow attackers to execute code on domain controllers without authentication by sending specially crafted network requests.

Office Vulnerabilities Include Critical Word Flaws

Microsoft also fixed 27 vulnerabilities affecting its Office product family, nearly doubling the number patched during the previous month’s update cycle.

The fixes include 15 remote code execution vulnerabilities, eight of which Microsoft classifies as critical severity flaws. Four of the critical vulnerabilities specifically affect Microsoft Word.

Several of the Office vulnerabilities can reportedly be triggered through the preview pane alone, meaning users may not need to fully open malicious documents for attacks to succeed.

Microsoft additionally patched a critical data exposure issue affecting the Team Events Portal as well as two critical data leak vulnerabilities tied to Microsoft 365 Copilot.

Edge Browser Update Fixes More Than 120 Chromium Flaws

Separately, Microsoft Edge version 148.0.3967.54 received a major security update based on Chromium 148.0.7778.97.

The release patches 127 Chromium-related vulnerabilities in addition to three Edge-specific flaws and two vulnerabilities affecting Edge for Android devices.

Microsoft’s unusually large May update arrives just ahead of the Pwn2Own Berlin hacking competition beginning May 14, where major technology vendors traditionally face increased scrutiny from security researchers attempting to uncover new exploits.

The next Patch Tuesday release is scheduled for June 9, 2026.