Microsoft's May 2026 Patch Tuesday rollup closes 120 vulnerabilities across the Windows ecosystem, and for once none of them were being exploited in the wild at release time — there are no zero-days this month. Of the total, 17 carry a "Critical" rating, and Office, SharePoint, and a Windows DNS Client bug stand out as the fixes worth pushing first. Several other major vendors shipped concurrent advisories, some of them for flaws that are under active attack.

What's in the rollup

This month's batch fixes 120 distinct CVEs. Microsoft flagged 17 of them as Critical, and that critical tier breaks down into 14 remote code execution (RCE) bugs, 2 elevation of privilege (EoP) issues, and 1 information disclosure flaw.

Looking at the full set by vulnerability class:

  • 61 Elevation of Privilege vulnerabilities
  • 31 Remote Code Execution vulnerabilities
  • 14 Information Disclosure vulnerabilities
  • 13 Spoofing vulnerabilities
  • 8 Denial of Service vulnerabilities
  • 6 Security Feature Bypass vulnerabilities

Elevation of privilege dominates the count, which is the usual shape for a Patch Tuesday — most of these require an attacker to already have a foothold. The RCE bugs, and especially the critical ones reachable through everyday user actions, are where the real urgency sits.

Office in the crosshairs

Microsoft's productivity suite drew a lot of fixes this cycle. Multiple RCE vulnerabilities were patched in Microsoft Office, Word, and Excel. The dangerous part is the trigger: these can be set off through a booby-trapped file attachment, and in some cases simply by rendering the file in the preview pane — no explicit "open" or macro-enable click required. That low bar for exploitation is why Microsoft is urging anyone who routinely handles email attachments to patch without delay.

Three RCE bugs worth prioritizing

A handful of named flaws are the ones to chase down first:

  • CVE-2026-35421 — Windows GDI / Microsoft Paint. A remote code execution weakness in the Windows Graphics Device Interface that is triggered by a malicious Enhanced Metafile (EMF). The attack surface here runs through Microsoft Paint handling a crafted EMF image. References: NVD entry for CVE-2026-35421 and the CVE.org record.
  • CVE-2026-40365 — SharePoint Server. An authenticated attacker can run arbitrary code on the server. Authentication lowers the immediate risk somewhat, but on internet-facing or heavily shared SharePoint deployments this is a high-value target — credential theft plus this bug equals server compromise. Reference: CVE.org record for CVE-2026-40365.
  • CVE-2026-41096 — Windows DNS Client. A specially crafted DNS response can lead to remote code execution on the client resolving the name. Because clients accept responses as part of normal name resolution, this is a particularly nasty class of bug for anyone in a position to tamper with DNS traffic.

Other vendors patching this cycle

Microsoft wasn't alone. The same window saw a wave of advisories elsewhere, and a couple of them cover flaws already being exploited:

  • Adobe — patches across multiple products
  • AMD — fixes for CPU cache vulnerabilities
  • Apple — updates for macOS, iOS, and related platforms
  • Cisco — a large batch of security updates
  • Fortinet — fixes for critical FortiSandbox and FortiAuthenticator flaws
  • Google — Android security bulletin updates
  • Ivanti — patches for actively exploited zero-day vulnerabilities
  • Mozilla — a Firefox update
  • Palo Alto Networks — a warning about an actively exploited firewall authentication portal vulnerability

It's worth drawing the line clearly: Microsoft reported no zero-days this month, but Ivanti and Palo Alto Networks are dealing with flaws under active attack. If you run those products, their fixes likely outrank the Microsoft ones in your queue.

Technical background: how EMF/GDI image bugs get exploited

This section explains how this general class of vulnerability works; it is not a description of the specific internals of CVE-2026-35421.

Enhanced Metafile (EMF) is a vector image format made up of a sequence of drawing records that the Windows Graphics Device Interface (GDI) replays to render the picture. Each record encodes an operation and its parameters. Historically, image-parsing RCE bugs in GDI arise when a record's declared sizes or counts aren't validated against the actual data buffer — a malformed record can drive an out-of-bounds read or write, heap corruption, or a controlled allocation, which an attacker can chain toward code execution inside the process doing the rendering. Because rendering can be triggered by an application that displays an image rather than one the user deliberately runs, the user interaction required is often minimal.

Defensively, the priorities for image- and document-parsing RCE classes are consistent:

  • Patch first, everywhere. These bugs sit in shared OS components, so the fix is the update itself.
  • Reduce passive rendering. Disabling the preview pane in Outlook and File Explorer removes the "render without opening" path that makes attachment-borne and image-borne bugs so cheap to exploit.
  • Verify deployment. After patching, confirm the update is actually present rather than assuming it rolled out. On a single host you can list installed fixes with PowerShell:

# List installed updates, newest first
Get-HotFix | Sort-Object InstalledOn -Descending

# Check the OS build to confirm it matches the patched build
[System.Environment]::OSVersion.Version
Get-ComputerInfo -Property OsBuildNumber, WindowsVersion

Recommendations

Lead with the Office and SharePoint fixes. Both have a high likelihood of being targeted — Office because the trigger can be as simple as a previewed attachment, and SharePoint because authenticated RCE on a shared server is a natural pivot point. Environments where users open email attachments all day long, and any internet-facing SharePoint instance, should be patched on the shortest schedule you can manage. Don't lose track of the DNS Client RCE either, and remember that the Ivanti and Palo Alto Networks issues are already being actively exploited.

For the authoritative, per-CVE details, Microsoft's Security Update Guide is the canonical source.