Microsoft's May 2026 Patch Tuesday Fixes 130+ Vulnerabilities, Including 17 "Critical" Ones

Microsoft has released its May 2026 Patch Tuesday updates for Windows 11 and Windows 10, shipping as KB5089549 and KB5087544. The updates include fixes for more than 130 security vulnerabilities across Windows, Office, SharePoint, DNS components, and core system services, as Bleeping Computer writes.

While no publicly disclosed zero-day vulnerabilities were reported this month, the large number of remote code execution flaws still makes this one of the more important Patch Tuesday releases of 2026.

17 critical vulnerabilities patched

Microsoft patched 17 vulnerabilities rated Critical during the May rollout. Most of them involve remote code execution risks.

The breakdown includes 14 remote code execution vulnerabilities, two elevation of privilege flaws, and one information disclosure issue.

Across the full Patch Tuesday release, Microsoft addressed:

• 61 elevation of privilege vulnerabilities
• 31 remote code execution vulnerabilities
• 14 information disclosure vulnerabilities
• 13 spoofing vulnerabilities
• 8 denial of service vulnerabilities
• 6 security feature bypass vulnerabilities

Enterprise administrators are expected to prioritize systems exposed to external networks or environments handling untrusted files and attachments.

Office vulnerabilities remain a major concern

Several patched vulnerabilities affect Microsoft Office applications including Microsoft Word and Microsoft Excel.

Some of the flaws reportedly allow attackers to trigger code execution simply by convincing users to open malicious documents. In certain cases, exploitation may reportedly occur through the preview pane alone, increasing risk for environments processing large volumes of email attachments.

Organizations using Office heavily across corporate email systems will likely want to prioritize deployment quickly.

Windows GDI flaw can trigger remote code execution through images

One of the more notable vulnerabilities patched this month is CVE-2026-35421, a Windows GDI remote code execution vulnerability.

The flaw can reportedly be exploited using specially crafted EMF image files opened inside Microsoft Paint. Successful exploitation could allow attackers to execute arbitrary code on affected systems.

SharePoint and DNS vulnerabilities also patched

Microsoft also fixed CVE-2026-40365, a remote code execution vulnerability affecting Microsoft SharePoint Server.

The flaw reportedly allows authenticated attackers to execute code remotely over the network, making internet-facing SharePoint deployments especially important to patch.

Another notable vulnerability, CVE-2026-41096, affects the Windows DNS Client service. The issue reportedly allows a malicious DNS server to send crafted DNS responses that trigger memory corruption and potentially remote code execution.

Systems connected to untrusted or compromised DNS infrastructure may face elevated risk until patched.

Windows 11 update also fixes BitLocker recovery issues

Beyond security fixes, the Windows 11 KB5089549 update also resolves issues involving unexpected BitLocker recovery prompts that some users encountered after previous updates.

Microsoft has not reported any actively exploited zero-days this month, which slightly lowers immediate emergency response pressure. However, the unusually large number of remote code execution vulnerabilities still makes rapid deployment highly recommended for enterprise and consumer systems alike.