Microsoft Patch Tuesday for May 2026 — Snort rules and prominent vulnerabilities

Microsoft has released its monthly security update for May 2026, which includes 112 vulnerabilities affecting a range of products, including 16 that Microsoft marked as “critical”.

By   Jaeson Schultz   Microsoft has released its monthly security update for May 2026, which includes 137 vulnerabilities affecting a range of products, including 31 that Microsoft marked as “critical”.   In this month's release, Microsoft has not observed any of the included vulnerabilities being actively exploited in the wild.

Out of 31 "critical" entries, 16 are remote code execution (RCE) vulnerabilities in Microsoft Windows services and applications including Microsoft Office, Microsoft Word, Windows Native WiFi Miniport Driver, Azure, Office for Android, Microsoft Dynamics 365, Windows GDI, Microsoft SharePoint, Windows Graphics Component, Windows Netlogon, and Windows DNS Client.   CVE-2026-32161  is a critical use after free vulnerability.

 Concurrent execution using a shared resource with improper synchronization ('race condition') in Windows Native WiFi Miniport Driver allows an unauthorized attacker to execute code over an adjacent network.   CVE-2026-33109 is a critical access control vulnerability in Azure Managed Instance for Apache Cassandra. Improper access control allows an authorized attacker to execute code over a network. CVE-2026-33844 is a critical input validation vulnerability in Azure Managed Instance for Apache Cassandra. Improper input validation allows an authorized attacker to execute code over a network.

CVE-2026-35421  is a critical heap-based buffer overflow vulnerability in Windows GDI that allows an unauthorized attacker to execute code locally. For this vulnerability to be exploited, a user would need to open or otherwise process a specially crafted Enhanced Metafile (EMF) file using Microsoft Paint. This action is necessary to trigger the affected graphics functionality in the Windows component.   CVE-2026-40358  is a critical use after free vulnerability in Microsoft Office which allows an unauthorized attacker to execute code locally.

  CVE-2026-40361  is a critical use after free vulnerability in Microsoft Word that allows an unauthorized attacker to execute code locally.   CVE-2026-40363  is a critical heap-based buffer overflow in Microsoft Office which allows an unauthorized attacker to execute code locally.   CVE-2026-40364  is a critical heap-based buffer overflow vulnerability. Access of resource using incompatible type ('type confusion') in Microsoft Office Word allows an unauthorized attacker to execute code locally.   CVE-2026-40365  is a critical vulnerability affecting Microsoft SharePoint.

Insufficient granularity of access control allows an authorized attacker to execute code over a network.  In a network-based attack, an authenticated attacker, as at least a Site Owner, could write arbitrary code to inject and execute code remotely on the SharePoint Server.