It's Patch Tuesday for Microsoft and Not a Zero-Day In Sight

APPLICATION SECURITY VULNERABILITIES & THREATS THREAT INTELLIGENCE NEWS It's Patch Tuesday for Microsoft and Not a Zero-Day In Sight It's the first time in two years with no zero-days. But with 137 flaws to patch, including nine critical ones, admins still have plenty of work to do. Jai Vijayan,Contributing Writer May 12, 2026 4 Min Read SOURCE: ANDRII YALANSKYI VIA SHUTTERSTOCK For the first time in nearly two years, Microsoft's monthly security update featured no actively exploited zero-day vulnerabilities or previously disclosed flaws. But that welcome reprieve aside, Microsoft's May 2026 update contained fixes for 137 CVEs, 13 of which Microsoft considers as likely candidates for exploitation and nine of which the company rated as critical. These include two in Microsoft Office Word, where the Preview Pane is an attack vector, plus five others with near-maximum severity scores of 9.8 or 9.9 on the 10-point CVSS scale. 500 CVEs in 2026 and Counting This is the third month this year where Microsoft has disclosed more than 100 CVEs in a Patch Tuesday update. Through May, the company had already patched over 500 CVEs, which puts it on pace to surpass the annual record of 1,245 bugs Microsoft disclosed in 2020, said Satnam Naranag, senior staff research engineer at Tenable. Related:Worm Redux: Fresh Mini Shai-Hulud Infections Bite Supply Chain According to Tom Gallagher, Microsoft's vice president of engineering, large releases could soon be the norm, with AI helping researchers uncover more vulnerabilities than before. "This month's release sits on the larger side of a hotpatch month, and we expect releases to continue trending larger for some time," Gallagher said in a blog post. "Advanced AI models are part of the discovery picture and help to accelerate it. They enable us to reason about code paths and configurations at a speed and consistency that would not be possible through manual review alone." The two Microsoft Office Word vulnerabilities in Microsoft's latest update with the preview pane attack vector are CVE-2026-40361 (CVSS 8.4) and CVE-2026-40364 (CVSS 8.4). The former is a memory-related vulnerability that allows a remote attacker to execute code locally on vulnerable systems. CVE-2026-40464 too is a remote code execution (RCE) bug stemming from a type-confusion issue. Neither vulnerability requires any user interaction. An attacker can trigger the flaws by simply sending a maliciously crafted document. "Outlook's reading pane has long been a common attack vector; a single incoming email can trigger exploitation without the user ever opening it," warned Amol Sarwate, head of security research at Cohesity, in a statement. Nine Near Max-Severity Vulnerabilities  Among the nine vulnerabilities in the May update with a severity score of 9.0 or greater — a rarity in recent Microsoft Patch Tuesday releases — are three with a near maximum rating of 9.9 out of 10 on the CVSS scale: CVE-2026-42898, CVE-2026-42823, and CVE-2026-33109. Related:'TrustFall' Convention Exposes Claude Code Execution Risk Of these, CVE-2026-42898, an RCE in Microsoft Dynamics 365 On-premises, is the most pressing. The code-injection flaw enables an authenticated remote attacker to execute arbitrary code. Though an attacker does not require admin or other elevated privileges to exploit the attack, Microsoft itself has categorized the flaw as one attackers are unlikely to exploit. But Jack Bicer, director of vulnerability research at Action1, recommended organizations patch it immediately anyway. "With no user interaction required, and the potential to impact systems beyond the vulnerable component's original security scope, this vulnerability poses serious enterprise risk," he said in emailed comments. An attacker who successfully exploits the vulnerability can access customer records, operational workflows, financial information, and integrated business systems, he explained. "Since CRM environments often connect with identity services, databases, and enterprise applications, successful exploitation could lead to broader organizational compromise and operational disruption." The other two bugs with a 9.9 severity score affect Azure. CVE-2026-42823 is an elevation-of-privilege vulnerability in Azure Logic Apps. According to Microsoft, the company will notify organizations via Azure Service Health notification if they are impacted by the flaw and provide specific mitigation advice. CVE-2026-33109 is an RCE that affects Azure Managed Instance for Apache Cassandra. Users don't have to do anything to address the flaw because Microsoft has already mitigated it fully. "There is no action for users of this service to take. The purpose of this CVE is to provide further transparency," Microsoft said. Related:Reverse Engineering With AI Unearths High-Severity GitHub Bug Severe Netlogon Flaw Jason Kikta, security researcher at Automox, highlighted CVE-2026-41089, an RCE in Windows Netlogon, as another flaw that organizations should prioritize. "An attacker sends a crafted network request to a domain controller. No authentication required. No user interaction required. If you've been doing this long enough, the description language sounds sadly familiar," Kitka said in prepared comments. Organizations, he advised, should keep an eye out for unexpected crashes or service restarts on the Netlogon service across their domain controllers. They should also be monitoring for anomalous Netlogon traffic patterns from non-domain controller source addresses, particularly malformed requests, authentication failures, or domain trust errors immediately after suspicious network activity hitting a domain controller. A total of seven CVEs affecting Copilot and Azure AI Foundry highlighted the growing exposure that organizations face from AI tools, added Tyler Reguly, associate director of security R&D at Fortra. "Are we aware of all our uses of AI?" Reguly asked in an emailed statement, adding that 6% of the CVEs this month were AI-based. "We know that number is only going to grow from here," he noted. "What other instances of AI might be in use in your organization that are not backed by a company with a regular update schedule like Microsoft?" About the Author Jai Vijayan Contributing Writer Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports How Enterprises Are Developing Secure Applications Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy How Enterprises Are Harnessing Emerging Technologies in Cybersecurity Ditch the Data Center: Understanding Flexible Cloud Infrastructure Security Management 2025 State of Malware Access More Research Webinars What is the Right Role for Identity Threat Detection and Response (ITDR) in Your Organization? Your Guide to Securing AI Adoption in Your Organization The New Attack Surface: How Attackers Are Exploiting OAuth to Own Your Cloud Workspace Prompt Injection Is Just the Start: Securing LLMs in AI Systems Anatomy of a Data Breach: What to Do if it Happens to You More Webinars You May Also Like APPLICATION SECURITY Supply Chain Attack Secretly Installs OpenClaw for Cline Users by Rob Wright FEB 19, 2026 APPLICATION SECURITY Chinese Hackers Hijack Notepad++ Updates for 6 Months by Jai Vijayan, Contributing Writer FEB 02, 2026 APPLICATION SECURITY Trump Administration Rescinds Biden-Era Software Guidance by Alexander Culafi JAN 29, 2026 APPLICATION SECURITY Microsoft Fixes Exploited Zero Day in Light Patch Tuesday by Jai Vijayan, Contributing Writer DEC 09, 2025 Editor's Choice THREAT INTELLIGENCE From Stuxnet to ChatGPT: 20 News Events That Shaped Cyber byDark Reading Editorial Team MAY 6, 2026 31 MIN READ CYBER RISK Physical Cargo Theft Gets a Boost From Cybercriminals byRobert Lemos MAY 4, 2026 5 MIN READ CYBER RISK NSA Chief During Snowden Affair Shares Regrets, Reflections 13 Years Later byDark Reading Editorial Team APR 28, 2026 Want more Dark Reading stories in your Google search results? Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE LOADING... RSAC 2026: key news & insights At RSAC 2026, Dark Reading captured critical intelligence on AI, new attack methods, geopolitics, and much more Get Your Recap Webinars What is the Right Role for Identity Threat Detection and Response (ITDR) in Your Organization? WED, JUNE 3, 2026 AT 1PM EST Your Guide to Securing AI Adoption in Your Organization TUES, JUNE 9, 2026 AT 1PM EST The New Attack Surface: How Attackers Are Exploiting OAuth to Own Your Cloud Workspace WED, JUNE 24,2026 AT 1PM EST Prompt Injection Is Just the Start: Securing LLMs in AI Systems TUES, MAY 26, 2026, AT 1PM EST Anatomy of a Data Breach: What to Do if it Happens to You JUNE 18TH, 2026 | 11:00AM -5:00PM ET | DOORS OPEN AT 10:30AM ET More Webinars BLACK HAT USA | MANDALAY BAY, LAS VEGAS The premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass. GET YOUR PASS