Microsoft's May 2026 Patch Tuesday Fixes ~120+ Flaws With No Zero-Days — First Since June 2024
Microsoft's May 13, 2026 Patch Tuesday addressed a large batch of vulnerabilities with no actively exploited or publicly disclosed zero-days—the first such cycle since June 2024.
VERDICT — CONFIRMED

Microsoft's May 13, 2026 Patch Tuesday addressed a large batch of vulnerabilities with no actively exploited or publicly disclosed zero-days—the first such cycle since June 2024. Tallies varied slightly by source: BleepingComputer and several outlets reported approximately 120 CVEs including 17 critical (with 14 remote-code-execution flaws, two elevation-of-privilege and one information-disclosure), while Malwarebytes counted 137 vulnerabilities including 31 marked critical.
Notable fixes included CVE-2026-42898, a remote-code-execution flaw in on-premises Microsoft Dynamics 365 rated CVSS 9.9 that requires no user interaction; CVE-2026-40361 (CVSS 8.4), a use-after-free flaw in Microsoft Word allowing local code execution when a malicious document is opened; and CVE-2026-35421 (CVSS 7.8), a heap-based buffer-overflow in Windows GDI triggered by processing a specially crafted Enhanced Metafile via Microsoft Paint. Outlets stressed that despite the absence of zero-days, the cycle remained significant because many critical bugs enabled RCE across Windows services, Office, Azure, SharePoint and graphics components, and they urged prompt patching.
The zero-day-free month was framed as a notable, if temporary, reprieve following an extended run of monthly in-the-wild exploitation, and stands in contrast to the same period's out-of-band Defender and Exchange fixes, which addressed separately disclosed actively exploited flaws.

