Microsoft’s May 2026 Patch Tuesday release includes 137 Microsoft CVEs and 128 republished non-Microsoft vulnerabilities, creating a broad patching workload for IT teams.
While Microsoft has not confirmed active exploitation in the wild this month, several critical vulnerabilities and 13 issues marked “Exploitation More Likely” raise the risk of near-term attacks.
For organizations managing distributed endpoints, cloud-connected services, remote access components, and collaboration platforms, this month’s update calls for fast validation and risk-based patch prioritization.
Microsoft Patch Breakdown for May 2026
This month’s Patch Tuesday release spans cloud infrastructure, collaboration platforms, Windows networking components, developer tooling, and enterprise identity systems. The main theme is the concentration of vulnerabilities in cloud-connected enterprise environments and in critical Windows infrastructure.
Key areas affected include:
Area | Affected Products and Components |
Windows infrastructure and networking | Netlogon, DNS, Hyper-V, TCP/IP, Remote Desktop, WinSock, Windows Kernel |
Microsoft 365 collaboration workloads | Teams, SharePoint, Office Word, Excel, PowerPoint, Copilot-related services |
Azure services | Azure DevOps, Azure Logic Apps, Azure Cloud Shell, Azure SDK, Azure Machine Learning, Azure Entra ID |
Identity and authentication | Microsoft SSO Plugin for Jira & Confluence, Windows authentication services |
Developer and admin tooling | SQL Server, ASP.NET Core, Visual Studio Code, GitHub Copilot, Windows Admin Center |
For IT teams, the risk is not limited to a single product family. That makes prioritization especially important, since organizations need to account for both traditional Windows patching and exposure across cloud-connected services.
The most urgent review should focus on systems that support authentication, networking, remote access, and cloud administration. These components often have broad enterprise reach, making them higher-impact targets if attackers develop reliable exploits after disclosure.
Zero-Day and Exploitation More Likely Vulnerabilities
Microsoft has not confirmed any vulnerabilities that are actively exploited in the wild in this month’s Patch Tuesday release. However, May 2026 still includes several vulnerabilities that require urgent attention, as Microsoft has marked them as “Exploitation More Likely.”
That designation means Microsoft considers these vulnerabilities more likely to be exploited after disclosure. This month, 13 vulnerabilities fall into that category:
CVE | Affected Component |
CVE-2026-33835 | Windows Cloud Files Mini Filter Driver |
CVE-2026-33837 | Windows TCP/IP |
CVE-2026-33840 | Windows Win32K - ICOMP |
CVE-2026-35417 | Windows Win32K - ICOMP |
CVE-2026-33841 | Windows Kernel |
CVE-2026-40369 | Windows Kernel |
CVE-2026-35416 | Windows Ancillary Function Driver for WinSock |
CVE-2026-35435 | Azure AI Foundry M365 published agents |
CVE-2026-40361 | Microsoft Office Word |
CVE-2026-40364 | Microsoft Office Word |
CVE-2026-40397 | Windows Common Log File System Driver |
CVE-2026-40398 | Windows Remote Desktop |
CVE-2026-41103 | Microsoft SSO Plugin for Jira & Confluence |
Even without confirmed exploitation, these 13 vulnerabilities should move toward the top of the patching queue because they carry a higher risk of near-term weaponization.
Critical Vulnerabilities in May 2026
Several vulnerabilities in the May 2026 release carry critical or near-critical severity ratings and affect enterprise-facing services across Azure, Windows infrastructure, identity systems, collaboration tools, and virtualization environments.
CVE | Affected Product or Component | CVSS | Why It Matters |
CVE-2026-42826 | Azure DevOps | 10.0 | A highest-severity vulnerability affecting developer workflows and cloud-connected development environments. |
CVE-2026-33109 | Azure Managed Instance for Apache Cassandra | 9.9 | A critical issue for organizations using managed cloud database infrastructure. |
CVE-2026-42823 | Azure Logic Apps | 9.9 | Affects cloud automation and workflow orchestration, which can be deeply connected to business-critical systems. |
CVE-2026-41089 | Windows Netlogon | 9.8 | Impacts a core Windows authentication component used in domain environments. |
CVE-2026-41096 | Microsoft Windows DNS | 9.8 | Affects a foundational networking service used broadly across Windows environments. |
CVE-2026-33823 | Microsoft Teams | 9.6 | Relevant for organizations with broad Teams deployment across users and departments. |
CVE-2026-35428 | Azure Cloud Shell | 9.6 | Impacts cloud administration workflows used to manage Azure environments. |
CVE-2026-40379 | Azure Entra ID | 9.3 | Affects enterprise identity infrastructure, making it a high-priority review item. |
CVE-2026-40402 | Windows Hyper-V | 9.3 | Important for organizations using virtualization across servers, developer systems, or hosted workloads. |
These vulnerabilities deserve close attention because they affect systems with broad access, high business impact, or privileged administrative roles. Azure DevOps, Azure Logic Apps, Azure Cloud Shell, and Azure Entra ID should be reviewed quickly by teams managing cloud infrastructure and identity environments. Windows Netlogon, DNS, Hyper-V, TCP/IP, and Remote Desktop vulnerabilities should be prioritized across domain-connected systems, servers, and critical infrastructure.
Organizations should also review related risks across SQL Server, SharePoint, Office, ASP.NET Core, Windows networking services, and developer tooling. Even when a vulnerability is not confirmed as actively exploited, critical severity combined with enterprise exposure can create a narrow window for safe remediation.
How to Prioritize May 2026 Patches
With 137 Microsoft CVEs and a large set of republished non-Microsoft vulnerabilities, IT teams should take a risk-based approach rather than treating every update equally. The priority should be systems with high exposure, critical severity, identity or networking impact, and vulnerabilities Microsoft marked as “Exploitation More Likely.”
1. Patch Within 72 Hours
Organizations should prioritize vulnerabilities affecting critical infrastructure, cloud administration, identity services, and remote access workflows. This includes:
Azure DevOps, Azure Logic Apps, Azure Cloud Shell, and Azure SDK vulnerabilities
Windows Netlogon, DNS, Hyper-V, TCP/IP, and Remote Desktop vulnerabilities
Vulnerabilities marked “Exploitation More Likely”
Teams, SharePoint, Office, and collaboration-related vulnerabilities
Remote Desktop and Windows networking-related vulnerabilities
Internet-facing systems and broadly accessible services
Domain controllers, DNS infrastructure, identity systems, and cloud admin environments
These systems should move through validation and deployment as quickly as possible because they can create higher-impact exposure across enterprise environments.
2. Patch Within 1 to 2 Weeks
After the highest-risk systems are addressed, organizations should patch systems with broad endpoint coverage or important operational impact. This includes:
SQL Server and ASP.NET Core vulnerabilities
Windows Kernel, WinSock, and file system-related components
Office Word, Excel, and PowerPoint vulnerabilities
Azure management, monitoring, and identity-related services
Developer and admin tooling, including GitHub Copilot, Visual Studio Code, and Windows Admin Center
These updates may not all require emergency deployment, but they should not be deferred for a full patch cycle if the affected products are widely used or connected to sensitive workflows.
3. Regular Patch Cycle
Lower-priority updates can follow standard deployment timelines when the affected systems have limited exposure, compensating controls, or narrower exploitation paths. This may include lower-severity Windows service issues, vulnerabilities requiring local access, or systems that are not internet-facing or broadly accessible.
Even lower-priority patches should still be tracked through completion. May’s release affects a wide range of endpoint, cloud, identity, and developer environments, so delayed patching can create blind spots if teams do not maintain visibility across their full software and system inventory.
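The three tiers above, expressed as a triage function (an added example, not Splashtop or Microsoft code). CVE IDs, components and CVSS scores come from this article; the asset role and internet-facing fields, the placeholder entries, and the within-tier ordering are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Component keywords taken from the article's 72-hour and 1-to-2-week lists.
TIER1_COMPONENTS = ("Azure DevOps", "Azure Logic Apps", "Azure Cloud Shell", "Azure SDK",
                    "Netlogon", "DNS", "Hyper-V", "TCP/IP", "Remote Desktop",
                    "Teams", "SharePoint")
TIER2_COMPONENTS = ("SQL Server", "ASP.NET Core", "Windows Kernel", "WinSock",
                    "Word", "Excel", "PowerPoint", "Visual Studio Code",
                    "GitHub Copilot", "Windows Admin Center")
# Asset roles the article names for the 72-hour tier (role labels are hypothetical).
TIER1_ROLES = {"domain-controller", "dns", "identity", "cloud-admin"}

@dataclass
class Finding:
    cve: str
    component: str
    cvss: Optional[float]   # None where the article gives no score
    more_likely: bool       # Microsoft's "Exploitation More Likely" flag
    asset_role: str         # constructed inventory attribute
    internet_facing: bool   # constructed inventory attribute

def tier(f: Finding) -> int:
    """Return 1 (72 hours), 2 (1 to 2 weeks) or 3 (regular cycle)."""
    if (f.more_likely or f.internet_facing or f.asset_role in TIER1_ROLES
            or any(k in f.component for k in TIER1_COMPONENTS)):
        return 1
    if any(k in f.component for k in TIER2_COMPONENTS):
        return 2
    return 3

def patch_queue(findings):
    """Order by tier, then flagged-first, then highest CVSS (ordering is an assumption)."""
    return sorted(findings, key=lambda f: (tier(f), not f.more_likely, -(f.cvss or 0.0)))

# Constructed sample: real rows from the article plus two labelled placeholders.
SAMPLE = [
    Finding("CVE-2026-40361", "Microsoft Office Word", None, True, "workstation", False),
    Finding("CVE-2026-41089", "Windows Netlogon", 9.8, False, "domain-controller", False),
    Finding("CVE-2026-42826", "Azure DevOps", 10.0, False, "build-server", False),
    Finding("CVE-2026-41103", "Microsoft SSO Plugin for Jira & Confluence", None, True, "identity", True),
    Finding("PLACEHOLDER-EXCEL", "Microsoft Office Excel", None, False, "workstation", False),
    Finding("PLACEHOLDER-LOCAL", "Windows service (local access)", None, False, "kiosk", False),
]

if __name__ == "__main__":
    for f in patch_queue(SAMPLE):
        print(tier(f), f.cve, f.component)
```

The Word entry shows how the overlap between the first two lists resolves: Office Word sits in the 1-to-2-week list by component, but the "Exploitation More Likely" flag moves it into the 72-hour tier.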
Notable Third-Party Updates
Microsoft also republished 128 non-Microsoft CVEs this month, adding another layer of patching work beyond the core Microsoft vulnerabilities. These republished issues include Chromium-based Microsoft Edge vulnerabilities, Node.js-related issues, Git for Windows vulnerabilities, and other third-party dependency updates.
For most organizations, the priority should be reviewing exposure across commonly used browsers, developer tools, and open-source components. Browser vulnerabilities are especially important because they can affect a wide user base, while developer dependencies can introduce risk into build systems, admin workflows, and cloud-connected environments.
IT teams should focus on:
Browser exposure, especially Microsoft Edge
Developer tools and dependencies
Git for Windows deployments
Node.js-related components
Cloud-connected third-party integrations
Systems using Chromium-based or open-source components
This month’s release reinforces why third-party patching should be part of the same vulnerability-management workflow as operating-system updates. Even when Microsoft CVEs get the most attention on Patch Tuesday, browsers, developer tools, and software dependencies can create meaningful exposure if they are patched separately, tracked manually, or excluded from routine endpoint management.
How Splashtop AEM Can Help
May’s Patch Tuesday release gives IT teams a lot to triage. Splashtop AEM helps teams move faster from exposure to remediation.
Identify Risk Quickly: Get centralized visibility into endpoint vulnerabilities, patch status, hardware, and software inventory, so teams can see which devices need attention first.
Prioritize Critical Updates: Use CVE insights and endpoint-level context to focus on high-risk issues, including critical vulnerabilities and those marked “Exploitation More Likely.”
Patch Faster: Deploy updates in real time, automate patch policies, monitor success or failure, and reduce the manual work required to keep distributed endpoints secure.
Strengthen Existing Workflows: Splashtop AEM helps teams that patch manually, use Microsoft Intune, or rely on an RMM by adding faster remediation, better visibility, and streamlined endpoint management.
When Patch Tuesday affects critical services, speed and visibility matter. Splashtop AEM gives IT teams the tools to respond quickly and keep endpoints protected.
Try Splashtop AEM Free
Patch Tuesday releases like May 2026 give IT teams a narrow window to identify risk, deploy updates, and confirm remediation across every endpoint.
With Splashtop AEM, you can:
Detect vulnerable endpoints
Prioritize critical CVEs
Automate patch deployment
Monitor patch success and failure
Strengthen security across distributed environments
Start a free trial of Splashtop AEM to gain real-time patching, CVE visibility, automation, and endpoint management tools that help your team respond faster when critical vulnerabilities are disclosed.





