Microsoft's May 2026 Patch Tuesday is a large release for enterprises. It fixes 120 security flaws across Windows, Office, Azure, developer tools, and Microsoft 365 apps. Among these, 29 are critical flaws that let attackers execute code remotely.
Microsoft says this release contains no zero-days that were exploited in attacks or publicly disclosed beforehand, which sets it apart from past cycles. However, the breadth of the affected attack surface, including DNS, Netlogon, Office, and Wi-Fi drivers, means defenders should not treat this month as low risk.
| Vulnerability Type | Count |
|---|---|
| Elevation of Privilege | 61 |
| Security Feature Bypass | 6 |
| Remote Code Execution (RCE) | 31 |
| Information Disclosure | 14 |
| Denial of Service (DoS) | 8 |
| Spoofing | 13 |
Multiple Remote Code Execution Vulnerabilities
No zero-day bugs are being exploited this month, but the most serious flaws are network- and document-related RCE vulnerabilities that could lead to total control of a system if left unpatched.
High-value targets include Microsoft Dynamics 365 on-premises (CVE-2026-42898, CVE-2026-42833), multiple Microsoft Office and Word RCEs (for example CVE-2026-42831, CVE-2026-40363, CVE-2026-40358, several Word-specific CVEs), Windows DNS Client (CVE-2026-41096), Netlogon (CVE-2026-41089), Windows Graphics/Win32k (CVE-2026-40403), Windows GDI (CVE-2026-35421), Windows Native Wi-Fi Miniport (CVE-2026-32161), and Microsoft SharePoint Server (CVE-2026-40365 and related CVEs).
Many of these are in components that routinely handle untrusted content, network traffic, Office documents, or web-like processes, which makes them likely targets for phishing and other attacks.
Windows Core Networking, Kernel, and Virtualization Flaws
Many flaws affect Windows networking and kernel components, increasing risk for domain-joined and internet-connected systems.
Windows DNS Client RCE (CVE-2026-41096) and Netlogon RCE (CVE-2026-41089) stand out: attackers with low or no access could run code in critical parts of Windows authentication and name resolution. The impact is comparable to that of past bugs such as SigRed and Zerologon.
Windows Hyper-V (CVE-2026-40402, rated Critical) gets a fix for privilege escalation. This matters most for shared and private cloud systems, where a guest could escape to the host and cause serious damage.
Copilot, VS Code, and Azure Flaws
This Patch Tuesday shows how much AI and cloud-based development have become part of enterprise security risk.
Microsoft fixes spoofing issues and security gaps in M365 Copilot for Desktop and Android, GitHub Copilot with Visual Studio, and Azure Machine Learning notebooks. These issues raise concerns about deceiving users, stealing data, or injecting harmful content through trusted AI tools.
Organizations with heavily virtualized workloads should schedule maintenance windows for the Hyper-V updates. Those using Copilot, Teams, and Azure should not overlook the fixes for AI and workflows, even where they are rated Important.
