Microsoft’s Might updates patch 120 safety flaws in Home windows and Workplace
Abstract created by Sensible Solutions AI
In abstract:
- Microsoft launched its Might Patch Tuesday replace addressing 120 safety vulnerabilities throughout Home windows and Workplace, with 30 categorised as essential together with harmful distant code execution flaws.
- PCWorld studies that Workplace acquired fixes for 27 vulnerabilities, almost double April’s rely, with 4 essential Phrase flaws exploitable via preview panes with out opening information.
- Vital Home windows vulnerabilities in DNS consumer and Netlogon companies require instant patching, although Microsoft states none are at the moment exploited within the wild.
Yesterday was Might’s Patch Tuesday, that means Microsoft launched new updates that addressed 120 safety vulnerabilities. Along with Home windows and Workplace, Microsoft’s cloud companies have been additionally affected. To date, not one of the vulnerabilities are being exploited within the wild. Microsoft has categorised a complete of 30 safety vulnerabilities as essential, whereas the rest are all rated as excessive danger.
It’s an unusually excessive variety of mounted flaws for a Patch Tuesday. It might be defined by the truth that the Pwn2Own hacking competitors begins in Berlin on Might 14th, motivating Microsoft to repair as a lot as they’ll to keep away from any undesirable destructive consideration.
The following Patch Tuesday is scheduled for June ninth, 2026.
Home windows vulnerabilities mounted
A lot of the vulnerabilities—66 this time round—are unfold throughout the varied Home windows variations (10, 11, Server). Help for Home windows 10 led to October 2025, however customers enrolled within the Prolonged Safety Updates program proceed to obtain updates.
5 of the Home windows vulnerabilities addressed this month are distant code execution (RCE) vulnerabilities categorised as essential. CVE-2026-41096 within the DNS consumer is very problematic as a result of it runs on nearly each Home windows machine. To use the vulnerability, all you want is a malicious response to a DNS question—an attacker who controls a DNS server, for instance, can execute arbitrary code on any PC.
There’s additionally CVE-2026-41089 in Home windows Netlogon, by which an attacker can execute code on a website controller with out logging in by sending specifically crafted community requests.
Tip: Whether or not you retain your system updated, you want correct antivirus protections in order for you your PC to stay safe and personal. Try our picks for the perfect antivirus software program for Home windows in addition to greatest VPN companies to remain forward of safety issues.
Microsoft Workplace vulnerabilities mounted
Microsoft has mounted 27 vulnerabilities in its Workplace household of merchandise, slightly below twice as many as have been mounted in April.
These embody 15 RCE vulnerabilities, eight of which—4 in Phrase alone—are categorised as essential. In these instances, the preview pane itself is an assault vector. A consumer doesn’t even want to completely launch an contaminated file with Workplace to set off a profitable assault.
Microsoft additionally classifies an information leak in its Crew Occasions Portal (CVE-2026-33823) as essential, which the producer has already patched. Two knowledge leaks in Microsoft 365 Copilot (CVE-2026-26129 and CVE-2026-26164) are additionally thought-about essential.
Microsoft Edge vulnerabilities mounted
The newest safety replace for the Edge browser model 148.0.3967.54 is dated Might seventh and is predicated on Chromium 148.0.7778.97.
It addresses 127 Chromium-based safety vulnerabilities, which aren’t included within the whole variety of Patch Tuesday fixes talked about above. As well as, the replace fixes three Edge-specific vulnerabilities in addition to two vulnerabilities in Edge for Android.
This text initially appeared on our sister publication PC-WELT and was translated and localized from German.
