Microsoft's May 2026 Patch Tuesday addresses 137 vulnerabilities spanning Azure, Windows, Dynamics 365, and the SSO Plugin for Jira & Confluence. The most critical is CVE-2026-41103, an elevation of privilege vulnerability in the SSO Plugin caused by improper authentication algorithm implementation. Multiple high-severity privilege escalation flaws affect Windows Remote Desktop, kernel components, and Azure services. Two high-severity remote code execution vulnerabilities in Microsoft Word (CVE-2026-40364 and CVE-2026-40361) involve type confusion and use-after-free bugs, exploitable by sending malicious documents, even via Preview Pane without opening. Additional fixes cover critical bugs in Dynamics 365 on-premises, Azure Logic Apps, Windows DNS, Netlogon, Hyper-V, and other Windows and Azure components. Microsoft has not reported any active exploitation of these vulnerabilities but notes some have a higher likelihood of exploitation.

The vulnerabilities include critical elevation of privilege and remote code execution flaws that could allow attackers to gain unauthorized access or execute arbitrary code. The Microsoft Word vulnerabilities could be exploited by sending malicious documents that trigger code execution upon previewing. High-severity privilege escalation bugs in core Windows components and Azure services could enable attackers to elevate privileges and compromise affected systems. No active exploitation has been reported, but some vulnerabilities have an increased likelihood of being exploited in the near future.

Microsoft has released official patches addressing all 137 vulnerabilities. Applying these security updates is the most reliable mitigation to protect affected systems. Since this is a traditional software product update (not a cloud service), organizations must deploy the patches promptly. There is no indication from Microsoft that any vulnerabilities are already mitigated or require no action. Monitoring vendor advisories for further updates is recommended.