Microsoft Patches 137 Flaws, Highlighting Word Preview Pane and Netlogon RCE Risks
Microsoft released its May 2026 Patch Tuesday updates on 2026-05-12, fixing 137 vulnerabilities across Windows, Office, Azure, Dynamics 365, SharePoint, Copilot, and other products, with no actively exploited zero-days or publicly disclosed flaws reported at release. The release included multiple high-severity bugs, notably Microsoft Word remote code execution flaws CVE-2026-40361 and CVE-2026-40364, which can be triggered through the Preview Pane by a malicious document without the victim opening the file, as well as remote code execution flaws CVE-2026-42898 in Microsoft Dynamics 365 On-Premises and CVE-2026-33109 in Azure Managed Instance for Apache Cassandra, and elevation-of-privilege flaw CVE-2026-42823 in Azure Logic Apps. Researchers also flagged remote code execution flaws CVE-2026-41089 in Windows Netlogon and CVE-2026-41096 in Windows DNS Client as especially urgent because they expose broadly deployed enterprise infrastructure, domain controllers included, to remote compromise.
Microsoft’s Windows 11 cumulative updates, including KB5089549 and KB5087420, delivered many of the security fixes alongside reliability and usability improvements, and Microsoft said it was not aware of new issues with the release. Coverage and advisories also showed the breadth of the month’s attack surface, with additional fixes for SharePoint Server remote code execution, Office Click-to-Run privilege escalation, Hyper-V guest-to-host escalation, Teams spoofing, Outlook for iOS tampering, and several Copilot and Visual Studio Code vulnerabilities. Security researchers said the growing volume of Microsoft disclosures may reflect increased AI-assisted vulnerability discovery, while defenders were urged to prioritize patching domain controllers, DNS-exposed Windows systems, Office deployments, and internet-facing enterprise applications.
How this story unfolded
33 events from the most recent confirmed update back to the earliest known activity.
Microsoft publishes CVE-2026-42534 for Jostle logic bypass issue
On 2026-05-21, Microsoft published Security Update Guide entry CVE-2026-42534, whose Security Update Guide title reads "Jostle logic bypass degrades resolution performance". The entry is a newly documented Microsoft flaw not previously captured in the timeline.
Microsoft publishes CVE-2026-42827 for M365 Copilot information disclosure
On 2026-05-21, Microsoft published Security Update Guide entry CVE-2026-42827, an information disclosure vulnerability affecting M365 Copilot. This appears to be a newly documented Microsoft flaw not previously identified in the existing timeline.
Microsoft discloses CVE-2026-42834 in Windows Admin Center in Azure Portal
On 2026-05-19, Microsoft published Security Update Guide entry CVE-2026-42834, an elevation-of-privilege vulnerability affecting Windows Admin Center in Azure Portal. This added a specific newly documented Microsoft flaw not previously called out in the existing timeline.
Microsoft discloses Windows Event Logging Service EoP flaw CVE-2026-33834
On 2026-05-12, Microsoft published CVE-2026-33834, an Important elevation-of-privilege vulnerability in the Windows Event Logging Service caused by improper access control. The local flaw could let a low-privileged authorized attacker gain SYSTEM privileges without user interaction; Microsoft said a fix was available, exploitation was considered less likely, and the bug was neither publicly disclosed nor exploited at release.
Microsoft discloses Office RCE flaw CVE-2026-40363
On 2026-05-12, Microsoft published CVE-2026-40363, a Critical Microsoft Office remote code execution vulnerability caused by a heap-based buffer overflow. Microsoft rated the attack vector as local and confirmed that the Preview Pane is an attack vector, so a crafted document rendered in a preview can trigger the flaw without being opened; a fix was available and the bug was neither publicly disclosed nor exploited at release.
Microsoft discloses Win32k EoP flaw CVE-2026-33839
On 2026-05-12, Microsoft published CVE-2026-33839, an Important elevation-of-privilege vulnerability in Windows Win32K - GRFX caused by a race condition. The local flaw could allow an authorized low-privileged attacker to obtain SYSTEM privileges without user interaction if they win the race condition; Microsoft said a fix was available and that the bug was neither publicly disclosed nor exploited at release.
Microsoft discloses Win32k EoP flaw CVE-2026-34333
On 2026-05-12, Microsoft published CVE-2026-34333, an Important elevation-of-privilege vulnerability in Windows Win32K-GRFX caused by use-after-free and integer overflow or wraparound conditions. The local flaw could let a low-privileged authorized attacker gain SYSTEM privileges without user interaction; Microsoft said a fix was available and that the bug was neither publicly disclosed nor exploited at release.
Microsoft discloses Win32k EoP flaw CVE-2026-34330
On 2026-05-12, Microsoft published CVE-2026-34330, an Important elevation-of-privilege vulnerability in Windows Win32K - GRFX caused by integer overflow or wraparound and use-after-free conditions. The local flaw could let a low-privileged authorized attacker gain SYSTEM privileges; Microsoft said a fix was available and that the bug was neither publicly disclosed nor exploited at release.
Microsoft discloses WinSock driver EoP flaw CVE-2026-41088
On 2026-05-12, Microsoft published CVE-2026-41088, an Important elevation-of-privilege vulnerability in the Windows Ancillary Function Driver for WinSock caused by external control of a file name or path. The local flaw could let a low-privileged authorized attacker gain SYSTEM privileges without user interaction; Microsoft said a fix was available and that the bug was neither publicly disclosed nor exploited at release.
Microsoft discloses Windows CLFS Driver EoP flaw CVE-2026-40397
On 2026-05-12, Microsoft published CVE-2026-40397, an Important elevation-of-privilege vulnerability in the Windows Common Log File System Driver caused by an integer underflow. The local flaw could let a low-privileged attacker gain SYSTEM privileges without user interaction; Microsoft said a fix was available, exploitation was considered more likely, and the bug was neither publicly disclosed nor exploited at release.
Microsoft discloses PowerPoint spoofing flaw CVE-2026-41102
On 2026-05-12, Microsoft published CVE-2026-41102, an Important spoofing vulnerability affecting Microsoft PowerPoint for Android and Microsoft Office PowerPoint caused by improper access control. Microsoft said the local flaw could be exploited by a low-privileged authorized attacker without user interaction, that a fix was available, and that the bug was neither publicly disclosed nor exploited at release.
Microsoft discloses Copilot for Android spoofing flaw CVE-2026-41100
On 2026-05-12, Microsoft published CVE-2026-41100, an Important spoofing vulnerability affecting Microsoft 365 Copilot for Android caused by improper access control. Microsoft said the local flaw could be exploited by a low-privileged authorized attacker without user interaction, that a fix was available, and that the bug was neither publicly disclosed nor exploited at release.
Microsoft discloses Windows TCP/IP EoP flaw CVE-2026-34334
On 2026-05-12, Microsoft published CVE-2026-34334, an Important elevation-of-privilege vulnerability in Windows TCP/IP caused by a race condition. The local flaw could allow a low-privileged authorized attacker to gain SYSTEM privileges without user interaction; Microsoft said a fix was available and that the bug was neither publicly disclosed nor exploited at release.
Microsoft discloses Windows Cloud Files Mini Filter Driver EoP flaw CVE-2026-33835
On 2026-05-12, Microsoft published CVE-2026-33835, an Important elevation-of-privilege vulnerability in the Windows Cloud Files Mini Filter Driver caused by a use-after-free flaw. The local bug could let a low-privileged attacker gain SYSTEM privileges without user interaction; Microsoft said a fix was available, exploitation was considered more likely, and the flaw was neither publicly disclosed nor exploited at release.
Microsoft discloses Excel information disclosure flaw CVE-2026-40360
On 2026-05-12, Microsoft published CVE-2026-40360, an Important Microsoft Excel information disclosure vulnerability caused by an out-of-bounds read. The flaw can let an unauthorized attacker read small portions of heap memory if a user opens a malicious Office file; Microsoft said the Preview Pane is not an attack vector, a fix was available, and the bug was neither publicly disclosed nor exploited at release.
Microsoft discloses Windows Kernel EoP flaw CVE-2026-40369
On 2026-05-12, Microsoft published CVE-2026-40369, an Important Windows Kernel elevation-of-privilege vulnerability caused by an untrusted pointer dereference. The local flaw could let a low-privileged attacker gain limited SYSTEM privileges without user interaction; Microsoft said a fix was available, exploitation was considered more likely, and the bug was neither publicly disclosed nor exploited at release.
Microsoft discloses Windows Kernel EoP flaw CVE-2026-35420
On 2026-05-12, Microsoft published CVE-2026-35420, an Important Windows Kernel elevation-of-privilege vulnerability caused by a heap-based buffer overflow. The local flaw could let a low-privileged attacker gain SYSTEM privileges without user interaction; Microsoft said a fix was available and that the bug was neither publicly disclosed nor exploited at release.
Microsoft discloses Windows Kernel EoP flaw CVE-2026-33841
On 2026-05-12, Microsoft published CVE-2026-33841, an Important Windows Kernel elevation-of-privilege vulnerability caused by a heap-based buffer overflow. The local flaw could let a low-privileged attacker escape a low-integrity sandbox and elevate to Medium or High Integrity Level; Microsoft said a fix was available and that the bug was neither publicly disclosed nor exploited at release.
Microsoft discloses Windows Telephony Service EoP flaw CVE-2026-34338
On 2026-05-12, Microsoft published CVE-2026-34338, an Important elevation-of-privilege vulnerability in Windows Telephony Service caused by a use-after-free flaw. The local bug could let a low-privileged attacker gain SYSTEM privileges without user interaction; Microsoft said a fix was available and that the flaw was neither publicly disclosed nor exploited at release.
Microsoft discloses Windows Telephony Service EoP flaw CVE-2026-40382
On 2026-05-12, Microsoft published CVE-2026-40382, an Important elevation-of-privilege vulnerability in Windows Telephony Service caused by a use-after-free flaw. The local bug could let a low-privileged attacker gain SYSTEM privileges without user interaction; Microsoft said it was neither publicly disclosed nor exploited at release and assessed exploitation as less likely.
Microsoft discloses Windows Rich Text Edit EoP flaw CVE-2026-32170
On 2026-05-12, Microsoft published CVE-2026-32170, an Important elevation-of-privilege vulnerability in the Windows Rich Text Edit Control caused by a double-free weakness. Microsoft said exploitation requires local access, low privileges, user interaction, and winning a race condition; a fix was available and the flaw was neither publicly disclosed nor exploited at release.
Microsoft discloses Dynamics 365 Business Central EoP flaw CVE-2026-40417
On 2026-05-12, Microsoft published CVE-2026-40417, an Important elevation-of-privilege vulnerability in Microsoft Dynamics 365 Business Central caused by weak authentication. The local flaw could allow a low-privileged authorized attacker to gain SYSTEM privileges without user interaction; Microsoft said a fix was available and that the bug was neither publicly disclosed nor exploited at release.
Microsoft discloses Azure ML Notebook spoofing flaw CVE-2026-33833
On 2026-05-12, Microsoft published CVE-2026-33833, an Important spoofing vulnerability affecting Azure Machine Learning notebooks. The network-exploitable flaw could be triggered if a user opens or views a malicious notebook in the Azure ML web interface, potentially exposing sensitive information; Microsoft said a fix was available and that the bug was neither publicly disclosed nor exploited at release.
Microsoft discloses Office Click-To-Run EoP flaw CVE-2026-40418
On 2026-05-12, Microsoft published CVE-2026-40418, an Important elevation-of-privilege vulnerability in Microsoft Office Click-To-Run caused by a use-after-free flaw. The local bug could let a low-privileged authorized attacker gain SYSTEM privileges without user interaction; Microsoft said a fix was available and that the flaw was neither publicly disclosed nor exploited at release.
Microsoft discloses Office Click-To-Run EoP flaw CVE-2026-35436
On 2026-05-12, Microsoft published CVE-2026-35436, an Important elevation-of-privilege vulnerability in Microsoft Office Click-To-Run caused by insufficient access control granularity. The local flaw could let a low-privileged authorized attacker gain SYSTEM privileges; Microsoft said a fix was available and that the bug was neither publicly disclosed nor exploited at release.
Talos releases Snort coverage for May 2026 Microsoft vulnerabilities
On 2026-05-12, Cisco Talos published analysis of Microsoft's May 2026 Patch Tuesday and released Snort 2 and Snort 3 rules to help detect exploitation attempts against some of the disclosed vulnerabilities. Talos highlighted numerous critical remote code execution issues and several elevation-of-privilege flaws considered more likely to be exploited.
Microsoft publishes May 2026 Windows 11 cumulative updates
On 2026-05-12, Microsoft released Windows 11 cumulative updates KB5089549 for versions 25H2/24H2 and KB5087420 for version 23H2. The mandatory updates included security fixes tied to the May Patch Tuesday release and additional reliability, usability, and performance improvements across core Windows components.
Microsoft fixes critical enterprise flaws in Dynamics 365, Azure, Netlogon and DNS
The 2026-05-12 Patch Tuesday also remediated several especially dangerous enterprise vulnerabilities, including Dynamics 365 On-Premises RCE CVE-2026-42898, Azure Logic Apps EoP CVE-2026-42823, Azure Managed Instance for Apache Cassandra RCE CVE-2026-33109, Windows Netlogon RCE CVE-2026-41089, and Windows DNS Client RCE CVE-2026-41096. Researchers warned these bugs could enable broad compromise of enterprise environments and domain controllers if left unpatched.
Microsoft patches high-risk Word Preview Pane RCE flaws
As part of the 2026-05-12 release, Microsoft fixed Microsoft Word remote code execution vulnerabilities including CVE-2026-40361 and CVE-2026-40364 that can be triggered through the Preview Pane by sending a malicious document, requiring no file opening by the victim. Coverage highlighted these flaws as among the most urgent issues in the release.
Microsoft issues May 2026 Patch Tuesday covering 137 vulnerabilities
On 2026-05-12, Microsoft released its May 2026 Patch Tuesday updates, fixing 137 vulnerabilities across Windows, Office, Azure, Dynamics 365, SharePoint, Copilot, and other products. Multiple reports noted this was the first Patch Tuesday in nearly two years with no actively exploited zero-days or previously disclosed flaws at release time.
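The following host check is an added example and is not code from the article, from Microsoft, or from the cumulative-update coverage. It reports whether a Windows 11 host carries the May 2026 cumulative update the article names for its release (KB5089549 for 25H2/24H2, KB5087420 for 23H2) and ranks the host using the prioritization the coverage gives: domain controllers first, then DNS-exposed systems, then Office deployments. Assumptions: the article gives no fixed build numbers, so KB presence is the only test and the Office Click-to-Run build is reported rather than judged; "DNS-exposed" is mapped here to hosts running the Windows DNS Server service, which is an assumption to adjust to your own exposure model; Windows Server and other releases are reported as unknown rather than guessed.

```powershell
# Added example (not from the original page or from Microsoft): per-host posture for the
# May 2026 Patch Tuesday items named in the article. Assumptions are marked inline.

function Get-MayPatchPosture {
    # Windows 11 cumulative updates named in the article, keyed by DisplayVersion.
    # The page lists no fixed build numbers, so presence of the KB is the check.
    $expectedKb = @{ '25H2' = 'KB5089549'; '24H2' = 'KB5089549'; '23H2' = 'KB5087420' }

    $os = Get-CimInstance Win32_OperatingSystem
    $cs = Get-CimInstance Win32_ComputerSystem
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $release = $cv.DisplayVersion   # e.g. '24H2'; present on Windows 10 20H2 and later

    # Get-HotFix reads Win32_QuickFixEngineering, which lists CBS-installed updates.
    $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
    $needed = $null
    if ($os.Caption -like '*Windows 11*' -and $expectedKb.ContainsKey($release)) {
        $needed = $expectedKb[$release]
    }
    $kbState = if ($null -eq $needed) { 'unknown (not a Windows 11 release named in the article)' }
               elseif ($installed -contains $needed) { "installed ($needed)" }
               else { "MISSING ($needed)" }

    # Win32_ComputerSystem.DomainRole: 4 = backup domain controller, 5 = primary domain controller.
    $isDc = $cs.DomainRole -in @(4, 5)

    # Assumption: a host running the Windows DNS Server service ("DNS") is treated as DNS-exposed.
    $isDnsServer = $null -ne (Get-Service -Name DNS -ErrorAction SilentlyContinue)

    # Click-to-Run Office records its build here. Reported only: the article gives no fixed build.
    $office = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' `
                   -ErrorAction SilentlyContinue).VersionToReport

    # Ranking follows the article's guidance: DCs, DNS-exposed systems, Office, then the rest.
    $priority = if ($isDc)            { 'P1: domain controller (Netlogon RCE CVE-2026-41089)' }
                elseif ($isDnsServer) { 'P1: DNS-exposed (DNS Client RCE CVE-2026-41096)' }
                elseif ($office)      { 'P2: Office present (Word Preview Pane RCE CVE-2026-40361/CVE-2026-40364)' }
                else                  { 'P3: no role named in the article' }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        OS               = $os.Caption
        Release          = $release
        Build            = "$($os.BuildNumber).$($cv.UBR)"
        MayUpdate        = $kbState
        DomainController = $isDc
        DnsServer        = $isDnsServer
        OfficeC2RBuild   = $office
        Priority         = $priority
    }
}

Get-MayPatchPosture | Format-List
```

For a fleet, run the function remotely and sort on the priority column, for example `Invoke-Command -ComputerName (Get-Content hosts.txt) -ScriptBlock ${function:Get-MayPatchPosture} | Sort-Object Priority`. The KB check only proves the cumulative update is present; Office Click-to-Run patches ship through the Office update channel, so the reported Office build must be compared against the fixed builds in the Security Update Guide entries, which this page does not list.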
Microsoft discloses Dynamics 365 Customer Insights EoP flaw CVE-2026-33821
On 2026-05-07, Microsoft published Security Update Guide entry CVE-2026-33821, an elevation-of-privilege vulnerability affecting Microsoft Dynamics 365 Customer Insights. This is a newly documented Microsoft flaw not previously captured in the timeline.
Microsoft discloses M365 Copilot info disclosure flaw CVE-2026-26129
On 2026-05-07, Microsoft published CVE-2026-26129, a Critical information disclosure vulnerability affecting M365 Copilot caused by improper neutralization of special elements. Microsoft said the network-exploitable issue was fully mitigated with no customer action required and was neither publicly disclosed nor exploited at publication.
Microsoft releases April 2026 Patch Tuesday with one exploited SharePoint flaw
On 2026-04-14, Microsoft's April 2026 Patch Tuesday addressed 165 vulnerabilities, including eight rated critical. Microsoft disclosed that SharePoint spoofing flaw CVE-2026-32201 had already been exploited in the wild, and Talos published Snort detection rules for the release.
Sources
CVE-2026-42827 - Security Update Guide - Microsoft - M365 Copilot Information Disclosure Vulnerability
msrc.microsoft.com
CVE-2026-42534 - Security Update Guide - Microsoft - Jostle logic bypass degrades resolution performance
msrc.microsoft.com
CVE-2026-42834 - Security Update Guide - Microsoft - Windows Admin Center in Azure Portal Elevation of Privilege Vulnerability
msrc.microsoft.com
CVE-2026-35433: Heap-Based Buffer Overflow and Privilege Escalation in .NET Desktop Runtime | CVEReports
cvereports.com
CVE-2026-42831 - Security Update Guide - Microsoft - Microsoft Office Remote Code Execution Vulnerability
msrc.microsoft.com
CVE-2026-40420 - Security Update Guide - Microsoft - Microsoft Office Click-To-Run Elevation of Privilege Vulnerability
msrc.microsoft.com
CVE-2026-35440 - Security Update Guide - Microsoft - Microsoft Word Information Disclosure Vulnerability
msrc.microsoft.com
Windows 11 KB5089549 & KB5087420 cumulative updates released
bleepingcomputer.com