Yesterday was May’s Patch Tuesday, meaning Microsoft released new updates that addressed 120 security vulnerabilities. In addition to Windows and Office, Microsoft’s cloud services were also affected. So far, none of the vulnerabilities are being exploited in the wild. Microsoft has classified a total of 30 security vulnerabilities as critical, while the remainder are all rated as high risk.
It’s an unusually high number of fixed flaws for a Patch Tuesday. It could be explained by the fact that the Pwn2Own hacking competition starts in Berlin on May 14th, motivating Microsoft to fix as much as they can to avoid any unwanted negative attention.
The next Patch Tuesday is scheduled for June 9th, 2026.
Windows vulnerabilities fixed
A large number of the vulnerabilities—66 this time around—are spread across the various Windows versions (10, 11, Server). Support for Windows 10 ended in October 2025, but users enrolled in the Extended Security Updates program continue to receive updates.
Five of the Windows vulnerabilities addressed this month are remote code execution (RCE) vulnerabilities classified as critical. CVE-2026-41096 in the DNS client is especially problematic because it runs on virtually every Windows machine. To exploit the vulnerability, all you need is a malicious response to a DNS query—an attacker who controls a DNS server, for example, can execute arbitrary code on any PC.
There’s also CVE-2026-41089 in Windows Netlogon, in which an attacker can execute code on a domain controller without logging in by sending specially crafted network requests.
Tip: Whether you keep your system up to date, you need proper antivirus protections if you want your PC to remain secure and private. Check out our picks for the best antivirus software for Windows as well as best VPN services to stay ahead of security problems.
Microsoft Office vulnerabilities fixed
Microsoft has fixed 27 vulnerabilities in its Office family of products, just under twice as many as were fixed in April.
These include 15 RCE vulnerabilities, eight of which—four in Word alone—are classified as critical. In these cases, the preview pane itself is an attack vector. A user doesn’t even need to fully launch an infected file with Office to trigger a successful attack.
Microsoft also classifies a data leak in its Team Events Portal (CVE-2026-33823) as critical, which the manufacturer has already patched. Two data leaks in Microsoft 365 Copilot (CVE-2026-26129 and CVE-2026-26164) are also considered critical.
Microsoft Edge vulnerabilities fixed
The latest security update for the Edge browser version 148.0.3967.54 is dated May 7th and is based on Chromium 148.0.7778.97.
It addresses 127 Chromium-based security vulnerabilities, which aren’t included in the total number of Patch Tuesday fixes mentioned above. In addition, the update fixes three Edge-specific vulnerabilities as well as two vulnerabilities in Edge for Android.
This articles is written by : Nermeen Nabil Khear Abdelmalak
All rights reserved to : USAGOLDMIES . www.usagoldmines.com
You can Enjoy surfing our website categories and read more content in many fields you may like .
Why USAGoldMines ?
USAGoldMines is a comprehensive website offering the latest in financial, crypto, and technical news. With specialized sections for each category, it provides readers with up-to-date market insights, investment trends, and technological advancements, making it a valuable resource for investors and enthusiasts in the fast-paced financial world.