
May’s Patch Tuesday hauls out 132 CVEs

With advisories, this month’s count approaches 300 – though many are already in place

In another banner month for the AI-finder era, Microsoft on Tuesday released 132 patches affecting 20 product families. Twenty-nine of the addressed issues are considered by Microsoft to be of Critical severity, and 13 issues are expected to be exploited within the next 30 days. Forty-three have a CVSS base score of 8.0 or higher, including one with a “perfect” 10.0. Fourteen CVEs, including the 10.0 item mentioned above, were patched by Microsoft in advance of Patch Tuesday. Incredibly, none were publicly disclosed as of release day and none are known to be under active exploit in the wild. 

For the second month in a row, the release includes a massive set of advisories – 145 of them. As ever, the majority are Edge-related, assigned by Chrome, and patched days in advance of Patch Tuesday. One comes from AMD and was likewise already addressed. Thirteen, all affecting Adobe Commerce, were issued by Adobe.

Various of this month’s issues are amenable to direct detection by Sophos protections, and we include information on those in the usual table below. We are as always including at the end of this post appendices listing all Microsoft’s patches sorted by severity (Appendix A), by predicted exploitability timeline and CVSS Base score (Appendix B), and by product family (Appendix C). Appendix D lists this month’s advisories. Appendix E provides a breakout of 66 CVEs affecting various versions of Windows Server, including the advisory from AMD that is otherwise not counted in the patch totals for the month. Our analysis of CWE (Common Weakness Enumeration) information made available for this month’s patches appears in Appendix F.

By the numbers

  • Total CVEs: 132
  • Publicly disclosed: 0
  • Exploit detected: 0
  • Severity
    • Critical: 29
    • Important: 103
  • Impact:
    • Denial of Service: 8
    • Elevation of Privilege: 59
    • Information Disclosure: 14
    • Remote Code Execution: 31
    • Security Feature Bypass: 6
    • Spoofing: 11
    • Tampering: 3
  • CVSS base score 9.0 or greater: 14
  • CVSS base score 8.0 or greater: 43

 


Figure 1: Elevation of Privilege issues once again account for the majority of the month’s CVEs, but nearly half of the Remote Code Execution CVEs are Critical-severity.

Products

As is our custom for this list, CVEs that apply to more than one product family are counted once for each family they affect. We note, by the way, that CVE names don’t always reflect affected product families closely. In particular, some CVE names in the Office family may mention products that don’t appear in the list of products affected by the CVE, and vice versa.

 


Figure 2: A hefty 20 families are covered in May’s Patch Tuesday release. The Critical-severity issue called “Confluence / Jira” covers an SSO plug-in for those tools, as described below.


Figure 3: The count of Elevation of Privilege CVEs passes 250, and Spoofing and Security Feature Bypass swap spots on the cumulative list of 2026 vulnerabilities. By way of comparison, as of this time last year Microsoft had addressed 470 CVEs.

Notable May updates

In addition to the issues discussed above, a few specific items merit attention. 

CVE-2026-41103 -- Microsoft SSO Plugin for Jira & Confluence Elevation of Privilege Vulnerability

There are 14 CVEs with a CVSS Base score of 9.0 or higher this month (with 11 of those also marked as Critical-severity), but the only one Microsoft thinks is more likely to be exploited in the next 30 days is this Critical-severity Elevation of Privilege issue, which involves an incorrect implementation of an authentication algorithm (CWE-303) – not far-fetched, since this involves SSO. The bug would permit an attacker to bypass authentication and sign in as a valid user. The specifically affected plug-ins are the Microsoft Confluence SAML SSO plugin and the Microsoft JIRA SAML SSO plugin.

CVE-2026-41089 -- Windows Netlogon Remote Code Execution Vulnerability
CVE-2026-41096 -- Windows DNS Client Remote Code Execution Vulnerability

Also in the over-9.0 CVSS Club with matching base scores of 9.8, these two CVEs both allow exploitation even by an unauthorized attacker.

CVE-2026-40358 -- Microsoft Office Remote Code Execution Vulnerability
CVE-2026-40361 -- Microsoft Word Remote Code Execution Vulnerability
CVE-2026-40363 -- Microsoft Office Remote Code Execution Vulnerability
CVE-2026-40364 -- Microsoft Word Remote Code Execution Vulnerability
CVE-2026-40366 -- Microsoft Word Remote Code Execution Vulnerability
CVE-2026-40367 -- Microsoft Word Remote Code Execution Vulnerability

All six of these Remote Code Execution vulnerabilities can be exploited via Preview Pane. Of the six, CVE-2026-40361 and CVE-2026-40364 are thought by Microsoft to be more likely to be exploited within the first 30 days post-release.

CVE-2026-35432 -- Windows 11 Telnet Client Information Disclosure Vulnerability

Telnet. That is all. Yes, it’s still 2026.


Sophos protections

| CVE | Sophos Intercept X/Endpoint IPS | Sophos XGS Firewall |
|---|---|---|
| CVE-2026-33835 | Exp/2633835-A | Exp/2633835-A |
| CVE-2026-33837 | Exp/2633837-A | Exp/2633837-A |
| CVE-2026-33840 | Exp/2633840-A | Exp/2633840-A |
| CVE-2026-33841 | Exp/2633841-A | Exp/2633841-A |
| CVE-2026-35416 | Exp/2635416-A | Exp/2635416-A |
| CVE-2026-35417 | Exp/2635417-A | Exp/2635417-A |
| CVE-2026-40361 | sid:2312491, sid:2312492 | sid:2312491, sid:2312492 |
| CVE-2026-40364 | sid:2312493, sid:2312494 | sid:2312493, sid:2312494 |
| CVE-2026-40369 | Exp/2640369-A | Exp/2640369-A |
| CVE-2026-40397 | Exp/2640397-A | Exp/2640397-A |
| CVE-2026-40398 | Exp/2640398-A | Exp/2640398-A |
| CVE-2026-41089 | sid:2312495 | sid:2312495 |
| CVE-2026-41103 | sid:2312499 | sid:2312499 |

 

As you can every month, if you don’t want to wait for your system to pull down Microsoft’s updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows you’re running, then download the Cumulative Update package for your specific system’s architecture and build number.
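
A scripted way to collect the build information winver.exe shows, plus the architecture, and to confirm after installation that the machine has reached the update's build. This is an added example, not part of the original post; the function names are hypothetical, and the minimum build passed to Test-BuildAtLeast is a placeholder to be taken from the update's KB article.

```powershell
# Added example (not from the original post). Function names are hypothetical.

function Get-WindowsBuildInfo {
    [CmdletBinding()]
    param()

    # The same registry values winver.exe draws on for "Version X (OS Build N.R)".
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # DisplayVersion (for example 24H2) is missing on older releases; fall back to ReleaseId.
    $release = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }

    [pscustomobject]@{
        Product      = $os.Caption        # registry ProductName can still read "Windows 10" on Windows 11
        Release      = $release
        Build        = [int]$cv.CurrentBuild
        Revision     = [int]$cv.UBR       # update build revision: the number after the dot
        FullBuild    = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR
        Architecture = $os.OSArchitecture # pick the catalog package that matches this
    }
}

function Test-BuildAtLeast {
    [CmdletBinding()]
    param(
        # "build.revision" that the Cumulative Update brings the system to.
        # Placeholder: read it from the KB article for the package you downloaded.
        [Parameter(Mandatory)]
        [string] $MinimumBuild
    )

    $info = Get-WindowsBuildInfo
    $want = [version]$MinimumBuild   # Major = build, Minor = revision

    # A package for a different build number does not apply to this system at all.
    if ($info.Build -ne $want.Major) {
        Write-Warning ("Installed build {0} does not match package build {1}; wrong package for this system." -f $info.Build, $want.Major)
        return $false
    }

    return ($info.Revision -ge $want.Minor)
}

# What to look up in the catalog:
Get-WindowsBuildInfo | Format-List

# Most recently installed updates, for cross-checking against the KB number:
Get-HotFix |
    Sort-Object -Property InstalledOn -Descending |
    Select-Object -First 5 -Property HotFixID, Description, InstalledOn

# After installing and rebooting (placeholder value, substitute the KB article's build):
# Test-BuildAtLeast -MinimumBuild '<build>.<revision>'
```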

Appendix A: Vulnerability Impact and Severity

This is a list of May patches sorted by impact, then sub-sorted by severity. Each list is further arranged by CVE. 

Elevation of Privilege (59 CVEs)

Critical severity
CVE-2026-33821 Microsoft Dynamics 365 Customer Insights Elevation of Privilege Vulnerability
CVE-2026-35435 Azure AI Foundry Elevation of Privilege Vulnerability
CVE-2026-40402 Windows Hyper-V Elevation of Privilege Vulnerability
CVE-2026-41103 Microsoft SSO Plugin for Jira & Confluence Elevation of Privilege Vulnerability
CVE-2026-41105 Azure Monitor Action Group Notification System Elevation of Privilege Vulnerability
Important severity
CVE-2026-21530 Windows Rich Text Edit Elevation of Privilege Vulnerability
CVE-2026-32170 Windows Rich Text Edit Elevation of Privilege Vulnerability
CVE-2026-32177 .NET Elevation of Privilege Vulnerability
CVE-2026-32204 Azure Monitor Agent Elevation of Privilege Vulnerability
CVE-2026-33834 Windows Event Logging Service Elevation of Privilege Vulnerability
CVE-2026-33835 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
CVE-2026-33837 Windows TCP/IP Local Elevation of Privilege Vulnerability
CVE-2026-33838 Windows Message Queuing (MSMQ) Elevation of Privilege Vulnerability
CVE-2026-33839 Win32k Elevation of Privilege Vulnerability
CVE-2026-33840 Win32k Elevation of Privilege Vulnerability
CVE-2026-33841 Windows Kernel Elevation of Privilege Vulnerability
CVE-2026-34330 Win32k Elevation of Privilege Vulnerability
CVE-2026-34331 Win32k Elevation of Privilege Vulnerability
CVE-2026-34333 Windows Win32k Elevation of Privilege Vulnerability
CVE-2026-34334 Windows TCP/IP Elevation of Privilege Vulnerability
CVE-2026-34337 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
CVE-2026-34338 Windows Telephony Service Elevation of Privilege Vulnerability
CVE-2026-34340 Windows Projected File System Elevation of Privilege Vulnerability
CVE-2026-34341 Windows Link-Layer Discovery Protocol (LLDP) Elevation of Privilege Vulnerability
CVE-2026-34342 Windows Print Spooler Elevation of Privilege Vulnerability
CVE-2026-34343 Windows Application Identity (AppID) Subsystem Elevation of Privilege Vulnerability
CVE-2026-34344 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
CVE-2026-34345 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
CVE-2026-34347 Windows Win32k Elevation of Privilege Vulnerability
CVE-2026-34351 Windows TCP/IP Elevation of Privilege Vulnerability
CVE-2026-35415 Windows Storage Spaces Controller Elevation of Privilege Vulnerability
CVE-2026-35416 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
CVE-2026-35417 Windows Win32k Elevation of Privilege Vulnerability
CVE-2026-35418 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
CVE-2026-35420 Windows Kernel Elevation of Privilege Vulnerability
CVE-2026-35433 .NET Elevation of Privilege Vulnerability
CVE-2026-35436 Microsoft Office Click-To-Run Elevation of Privilege Vulnerability
CVE-2026-35438 Windows Admin Center Elevation of Privilege Vulnerability
CVE-2026-40369 Windows Kernel Elevation of Privilege Vulnerability
CVE-2026-40377 Microsoft Cryptographic Services Elevation of Privilege Vulnerability
CVE-2026-40381 Azure Connected Machine Agent Elevation of Privilege Vulnerability
CVE-2026-40382 Windows Telephony Service Elevation of Privilege Vulnerability
CVE-2026-40397 Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2026-40398 Windows Remote Desktop Services Elevation of Privilege Vulnerability
CVE-2026-40399 Windows TCP/IP Elevation of Privilege Vulnerability
CVE-2026-40407 Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2026-40408 Windows WAN ARP Driver Elevation of Privilege Vulnerability
CVE-2026-40410 Windows SMB Client Elevation of Privilege Vulnerability
CVE-2026-40417 Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnerability
CVE-2026-40418 Microsoft Office Click-To-Run Elevation of Privilege Vulnerability
CVE-2026-40419 Microsoft Office Click-To-Run Elevation of Privilege Vulnerability
CVE-2026-41086 Windows Admin Center in Azure Portal Elevation of Privilege Vulnerability
CVE-2026-41088 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
CVE-2026-41095 Windows Projected File System Elevation of Privilege Vulnerability
CVE-2026-41613 Visual Studio Code Elevation of Privilege Vulnerability
CVE-2026-42823 Azure Logic Apps Elevation of Privilege Vulnerability
CVE-2026-42825 Windows Telephony Service Elevation of Privilege Vulnerability
CVE-2026-42830 Azure Monitor Agent Metrics Extension Elevation of Privilege Vulnerability
CVE-2026-42896 Windows DWM Core Library Elevation of Privilege Vulnerability

 

Remote Code Execution (31 CVEs)

Critical severity
CVE-2026-32161 Windows Native WiFi Miniport Driver Remote Code Execution Vulnerability
CVE-2026-33109 Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability
CVE-2026-33844 Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability
CVE-2026-35421 Windows GDI Remote Code Execution Vulnerability
CVE-2026-40358 Microsoft Office Remote Code Execution Vulnerability
CVE-2026-40361 Microsoft Word Remote Code Execution Vulnerability
CVE-2026-40363 Microsoft Office Remote Code Execution Vulnerability
CVE-2026-40364 Microsoft Word Remote Code Execution Vulnerability
CVE-2026-40365 Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2026-40367 Microsoft Word Remote Code Execution Vulnerability
CVE-2026-40403 Windows Graphics Component Remote Code Execution Vulnerability
CVE-2026-41089 Windows Netlogon Remote Code Execution Vulnerability
CVE-2026-41096 Windows DNS Client Remote Code Execution Vulnerability
CVE-2026-42831 Office for Android Remote Code Execution Vulnerability
CVE-2026-42898 Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability
Important severity
CVE-2026-33110 Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2026-33112 Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2026-34329 Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability
CVE-2026-34332 Windows Kernel-Mode Driver Remote Code Execution Vulnerability
CVE-2026-35439 Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2026-40357 Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2026-40359 Microsoft Excel Remote Code Execution Vulnerability
CVE-2026-40362 Microsoft Excel Remote Code Execution Vulnerability
CVE-2026-40366 Microsoft Word Remote Code Execution Vulnerability
CVE-2026-40368 Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2026-40370 SQL Server Remote Code Execution Vulnerability
CVE-2026-40380 Windows Volume Manager Extension Driver Remote Code Execution Vulnerability
CVE-2026-40415 Windows TCP/IP Remote Code Execution Vulnerability
CVE-2026-41094 Microsoft Data Formulator Remote Code Execution Vulnerability
CVE-2026-41611 Visual Studio Code Remote Code Execution Vulnerability
CVE-2026-42833 Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability

Information Disclosure (14 CVEs)

Critical severity
CVE-2026-26129 M365 Copilot Information Disclosure Vulnerability
CVE-2026-26164 M365 Copilot Information Disclosure Vulnerability
CVE-2026-33111 Copilot Chat (Microsoft Edge) Information Disclosure Vulnerability
CVE-2026-33823 Microsoft Team Events Portal Information Disclosure Vulnerability
CVE-2026-42826 Azure DevOps Information Disclosure Vulnerability
Important severity
CVE-2026-34336 Windows DWM Core Library Information Disclosure Vulnerability
CVE-2026-35419 Windows DWM Core Library Information Disclosure Vulnerability
CVE-2026-35423 Windows 11 Telnet Client Information Disclosure Vulnerability
CVE-2026-35440 Microsoft Word Information Disclosure Vulnerability
CVE-2026-40360 Microsoft Excel Information Disclosure Vulnerability
CVE-2026-40374 Microsoft Power Automate Desktop Information Disclosure Vulnerability
CVE-2026-40406 Windows TCP/IP Information Disclosure Vulnerability
CVE-2026-40421 Microsoft Word Information Disclosure Vulnerability
CVE-2026-41612 Visual Studio Code Information Disclosure Vulnerability

Spoofing (11 CVEs)

Critical severity
CVE-2026-32207 Azure Machine Learning Notebook Spoofing Vulnerability
CVE-2026-34327 Microsoft Partner Center Spoofing Vulnerability
CVE-2026-35428 Azure Cloud Shell Spoofing Vulnerability
CVE-2026-40379 Microsoft Enterprise Security Token Service (ESTS) Spoofing Vulnerability
Important severity
CVE-2026-32185 Microsoft Teams Spoofing Vulnerability
CVE-2026-33833 Azure Machine Learning Notebook Spoofing Vulnerability
CVE-2026-41100 Microsoft 365 Copilot for Android Spoofing Vulnerability
CVE-2026-41101 Microsoft Word for Android Spoofing Vulnerability
CVE-2026-41102 Microsoft PowerPoint for Android Spoofing Vulnerability
CVE-2026-41614 M365 Copilot for Desktop Spoofing Vulnerability
CVE-2026-42832 Microsoft Excel Spoofing Vulnerability

 

Denial of Service (8 CVEs)

Important severity
CVE-2026-34339 Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability
CVE-2026-34350 Windows Storport Miniport Driver Denial of Service Vulnerability
CVE-2026-35424 Internet Key Exchange (IKE) Protocol Denial of Service Vulnerability
CVE-2026-40401 Windows TCP/IP Denial of Service Vulnerability
CVE-2026-40405 Windows TCP/IP Denial of Service Vulnerability
CVE-2026-40413 Windows TCP/IP Denial of Service Vulnerability
CVE-2026-40414 Windows TCP/IP Denial of Service Vulnerability
CVE-2026-42899 ASP.NET Core Denial of Service Vulnerability

 

Security Feature Bypass (6 CVEs)

Important severity
CVE-2026-32209 Windows Filtering Platform (WFP) Security Feature Bypass Vulnerability
CVE-2026-33117 Azure SDK for Java Security Feature Bypass Vulnerability
CVE-2026-35422 Windows TCP/IP Driver Security Feature Bypass Vulnerability
CVE-2026-41097 Secure Boot Security Feature Bypass Vulnerability
CVE-2026-41109 GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability
CVE-2026-41610 Visual Studio Code Security Feature Bypass Vulnerability

 

Tampering (3 CVEs)

Important severity
CVE-2026-32175 .NET Core Tampering Vulnerability
CVE-2026-40420 Microsoft Office Click-To-Run Tampering Vulnerability
CVE-2026-42893 Microsoft Outlook for iOS Tampering Vulnerability

 

Appendix B: Exploitability and CVSS

This is a list of the 13 May CVEs judged by Microsoft to be more likely to be exploited in the wild within the first 30 days post-release. The list is arranged by CVE.

 

Exploitation more likely within the next 30 days
CVE-2026-33835 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
CVE-2026-33837 Windows TCP/IP Local Elevation of Privilege Vulnerability
CVE-2026-33840 Win32k Elevation of Privilege Vulnerability
CVE-2026-33841 Windows Kernel Elevation of Privilege Vulnerability
CVE-2026-35416 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
CVE-2026-35417 Windows Win32k Elevation of Privilege Vulnerability
CVE-2026-35435 Azure AI Foundry Elevation of Privilege Vulnerability
CVE-2026-40361 Microsoft Word Remote Code Execution Vulnerability
CVE-2026-40364 Microsoft Word Remote Code Execution Vulnerability
CVE-2026-40369 Windows Kernel Elevation of Privilege Vulnerability
CVE-2026-40397 Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2026-40398 Windows Remote Desktop Services Elevation of Privilege Vulnerability
CVE-2026-41103 Microsoft SSO Plugin for Jira & Confluence Elevation of Privilege Vulnerability

 

These are the May CVEs with a Microsoft-assessed CVSS Base score of 8.0 or higher. They are arranged by score and further sorted by CVE. For more information on how CVSS works, please see our series on patch prioritization schema.

| CVSS Base | CVSS Temporal | CVE | Title |
|---|---|---|---|
| 10.0 | 8.7 | CVE-2026-42826 | Azure DevOps Information Disclosure Vulnerability |
| 9.9 | 8.6 | CVE-2026-33109 | Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability |
| 9.9 | 8.6 | CVE-2026-42823 | Azure Logic Apps Elevation of Privilege Vulnerability |
| 9.9 | 8.6 | CVE-2026-42898 | Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability |
| 9.8 | 8.5 | CVE-2026-41089 | Windows Netlogon Remote Code Execution Vulnerability |
| 9.8 | 8.5 | CVE-2026-41096 | Windows DNS Client Remote Code Execution Vulnerability |
| 9.6 | 8.3 | CVE-2026-33823 | Microsoft Team Events Portal Information Disclosure Vulnerability |
| 9.6 | 8.6 | CVE-2026-35428 | Azure Cloud Shell Spoofing Vulnerability |
| 9.3 | 8.1 | CVE-2026-40379 | Microsoft Enterprise Security Token Service (ESTS) Spoofing Vulnerability |
| 9.3 | 8.1 | CVE-2026-40402 | Windows Hyper-V Elevation of Privilege Vulnerability |
| 9.1 | 7.9 | CVE-2026-33117 | Azure SDK for Java Security Feature Bypass Vulnerability |
| 9.1 | 7.9 | CVE-2026-41103 | Microsoft SSO Plugin for Jira & Confluence Elevation of Privilege Vulnerability |
| 9.1 | 7.9 | CVE-2026-42833 | Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability |
| 9.0 | 7.8 | CVE-2026-33844 | Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability |
| 8.8 | 7.7 | CVE-2026-32207 | Azure Machine Learning Notebook Spoofing Vulnerability |
| 8.8 | 7.7 | CVE-2026-33110 | Microsoft SharePoint Server Remote Code Execution Vulnerability |
| 8.8 | 7.7 | CVE-2026-33112 | Microsoft SharePoint Server Remote Code Execution Vulnerability |
| 8.8 | 7.7 | CVE-2026-34329 | Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability |
| 8.8 | 7.7 | CVE-2026-35436 | Microsoft Office Click-To-Run Elevation of Privilege Vulnerability |
| 8.8 | 7.7 | CVE-2026-35439 | Microsoft SharePoint Server Remote Code Execution Vulnerability |
| 8.8 | 7.7 | CVE-2026-40357 | Microsoft SharePoint Server Remote Code Execution Vulnerability |
| 8.8 | 7.7 | CVE-2026-40365 | Microsoft SharePoint Server Remote Code Execution Vulnerability |
| 8.8 | 7.7 | CVE-2026-40370 | SQL Server Remote Code Execution Vulnerability |
| 8.8 | 7.7 | CVE-2026-40403 | Windows Graphics Component Remote Code Execution Vulnerability |
| 8.8 | 7.7 | CVE-2026-40420 | Microsoft Office Click-To-Run Tampering Vulnerability |
| 8.8 | 7.7 | CVE-2026-41086 | Windows Admin Center in Azure Portal Elevation of Privilege Vulnerability |
| 8.8 | 7.7 | CVE-2026-41094 | Microsoft Data Formulator Remote Code Execution Vulnerability |
| 8.8 | 7.7 | CVE-2026-41109 | GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability |
| 8.8 | 7.7 | CVE-2026-41613 | Visual Studio Code Elevation of Privilege Vulnerability |
| 8.6 | 7.5 | CVE-2026-35435 | Azure AI Foundry Elevation of Privilege Vulnerability |
| 8.4 | 7.3 | CVE-2026-40358 | Microsoft Office Remote Code Execution Vulnerability |
| 8.4 | 7.3 | CVE-2026-40361 | Microsoft Word Remote Code Execution Vulnerability |
| 8.4 | 7.3 | CVE-2026-40363 | Microsoft Office Remote Code Execution Vulnerability |
| 8.4 | 7.3 | CVE-2026-40364 | Microsoft Word Remote Code Execution Vulnerability |
| 8.4 | 7.3 | CVE-2026-40366 | Microsoft Word Remote Code Execution Vulnerability |
| 8.4 | 7.3 | CVE-2026-40367 | Microsoft Word Remote Code Execution Vulnerability |
| 8.3 | 7.2 | CVE-2026-35438 | Windows Admin Center Elevation of Privilege Vulnerability |
| 8.2 | 7.1 | CVE-2026-33833 | Azure Machine Learning Notebook Spoofing Vulnerability |
| 8.2 | 7.1 | CVE-2026-34327 | Microsoft Partner Center Spoofing Vulnerability |
| 8.1 | 7.1 | CVE-2026-40415 | Windows TCP/IP Remote Code Execution Vulnerability |
| 8.1 | 7.1 | CVE-2026-41105 | Azure Monitor Action Group Notification System Elevation of Privilege Vulnerability |
| 8.0 | 7.0 | CVE-2026-34332 | Windows Kernel-Mode Driver Remote Code Execution Vulnerability |
| 8.0 | 7.0 | CVE-2026-40368 | Microsoft SharePoint Server Remote Code Execution Vulnerability |

 

Appendix C: Products Affected

This is a list of May’s patches sorted by product family, then sub-sorted by severity. Each list is further arranged by CVE. Patches that are shared among multiple product families are listed multiple times, once for each product family. All CVE titles are accurate as made available by Microsoft. For further information on why certain products may appear in titles and not product families (or vice versa), please consult Microsoft.

Windows (68 CVEs)

Critical severity
CVE-2026-32161 Windows Native WiFi Miniport Driver Remote Code Execution Vulnerability
CVE-2026-35421 Windows GDI Remote Code Execution Vulnerability
CVE-2026-40402 Windows Hyper-V Elevation of Privilege Vulnerability
CVE-2026-40403 Windows Graphics Component Remote Code Execution Vulnerability
CVE-2026-41089 Windows Netlogon Remote Code Execution Vulnerability
CVE-2026-41096 Windows DNS Client Remote Code Execution Vulnerability
Important severity
CVE-2026-21530 Windows Rich Text Edit Elevation of Privilege Vulnerability
CVE-2026-32170 Windows Rich Text Edit Elevation of Privilege Vulnerability
CVE-2026-32209 Windows Filtering Platform (WFP) Security Feature Bypass Vulnerability
CVE-2026-33834 Windows Event Logging Service Elevation of Privilege Vulnerability
CVE-2026-33835 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
CVE-2026-33837 Windows TCP/IP Local Elevation of Privilege Vulnerability
CVE-2026-33838 Windows Message Queuing (MSMQ) Elevation of Privilege Vulnerability
CVE-2026-33839 Win32k Elevation of Privilege Vulnerability
CVE-2026-33840 Win32k Elevation of Privilege Vulnerability
CVE-2026-33841 Windows Kernel Elevation of Privilege Vulnerability
CVE-2026-34329 Microsoft Message Queuing (MSMQ) Remote Code Execution Vulnerability
CVE-2026-34330 Win32k Elevation of Privilege Vulnerability
CVE-2026-34331 Win32k Elevation of Privilege Vulnerability
CVE-2026-34332 Windows Kernel-Mode Driver Remote Code Execution Vulnerability
CVE-2026-34333 Windows Win32k Elevation of Privilege Vulnerability
CVE-2026-34334 Windows TCP/IP Elevation of Privilege Vulnerability
CVE-2026-34336 Windows DWM Core Library Information Disclosure Vulnerability
CVE-2026-34337 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
CVE-2026-34338 Windows Telephony Service Elevation of Privilege Vulnerability
CVE-2026-34339 Windows Lightweight Directory Access Protocol (LDAP) Denial of Service Vulnerability
CVE-2026-34340 Windows Projected File System Elevation of Privilege Vulnerability
CVE-2026-34341 Windows Link-Layer Discovery Protocol (LLDP) Elevation of Privilege Vulnerability
CVE-2026-34342 Windows Print Spooler Elevation of Privilege Vulnerability
CVE-2026-34343 Windows Application Identity (AppID) Subsystem Elevation of Privilege Vulnerability
CVE-2026-34344 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
CVE-2026-34345 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
CVE-2026-34347 Windows Win32k Elevation of Privilege Vulnerability
CVE-2026-34350 Windows Storport Miniport Driver Denial of Service Vulnerability
CVE-2026-34351 Windows TCP/IP Elevation of Privilege Vulnerability
CVE-2026-35415 Windows Storage Spaces Controller Elevation of Privilege Vulnerability
CVE-2026-35416 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
CVE-2026-35417 Windows Win32k Elevation of Privilege Vulnerability
CVE-2026-35418 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
CVE-2026-35419 Windows DWM Core Library Information Disclosure Vulnerability
CVE-2026-35420 Windows Kernel Elevation of Privilege Vulnerability
CVE-2026-35422 Windows TCP/IP Driver Security Feature Bypass Vulnerability
CVE-2026-35423 Windows 11 Telnet Client Information Disclosure Vulnerability
CVE-2026-35424 Internet Key Exchange (IKE) Protocol Denial of Service Vulnerability
CVE-2026-40369 Windows Kernel Elevation of Privilege Vulnerability
CVE-2026-40377 Microsoft Cryptographic Services Elevation of Privilege Vulnerability
CVE-2026-40380 Windows Volume Manager Extension Driver Remote Code Execution Vulnerability
CVE-2026-40382 Windows Telephony Service Elevation of Privilege Vulnerability
CVE-2026-40397 Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2026-40398 Windows Remote Desktop Services Elevation of Privilege Vulnerability
CVE-2026-40399 Windows TCP/IP Elevation of Privilege Vulnerability
CVE-2026-40401 Windows TCP/IP Denial of Service Vulnerability
CVE-2026-40405 Windows TCP/IP Denial of Service Vulnerability
CVE-2026-40406 Windows TCP/IP Information Disclosure Vulnerability
CVE-2026-40407 Windows Common Log File System Driver Elevation of Privilege Vulnerability
CVE-2026-40408 Windows WAN ARP Driver Elevation of Privilege Vulnerability
CVE-2026-40410 Windows SMB Client Elevation of Privilege Vulnerability
CVE-2026-40413 Windows TCP/IP Denial of Service Vulnerability
CVE-2026-40414 Windows TCP/IP Denial of Service Vulnerability
CVE-2026-40415 Windows TCP/IP Remote Code Execution Vulnerability
CVE-2026-41088 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability
CVE-2026-41095 Windows Projected File System Elevation of Privilege Vulnerability
CVE-2026-41097 Secure Boot Security Feature Bypass Vulnerability
CVE-2026-42825 Windows Telephony Service Elevation of Privilege Vulnerability
CVE-2026-42896 Windows DWM Core Library Elevation of Privilege Vulnerability

Office (16 CVEs)

Critical severity
CVE-2026-40358 Microsoft Office Remote Code Execution Vulnerability
CVE-2026-40361 Microsoft Word Remote Code Execution Vulnerability
CVE-2026-40363 Microsoft Office Remote Code Execution Vulnerability
CVE-2026-40364 Microsoft Word Remote Code Execution Vulnerability
CVE-2026-40367 Microsoft Word Remote Code Execution Vulnerability
CVE-2026-42831 Office for Android Remote Code Execution Vulnerability
Important severity
CVE-2026-35436 Microsoft Office Click-To-Run Elevation of Privilege Vulnerability
CVE-2026-35440 Microsoft Word Information Disclosure Vulnerability
CVE-2026-40359 Microsoft Excel Remote Code Execution Vulnerability
CVE-2026-40360 Microsoft Excel Information Disclosure Vulnerability
CVE-2026-40362 Microsoft Excel Remote Code Execution Vulnerability
CVE-2026-40366 Microsoft Word Remote Code Execution Vulnerability
CVE-2026-40418 Microsoft Office Click-To-Run Elevation of Privilege Vulnerability
CVE-2026-40419 Microsoft Office Click-To-Run Elevation of Privilege Vulnerability
CVE-2026-40420 Microsoft Office Click-To-Run Tampering Vulnerability
CVE-2026-40421 Microsoft Word Information Disclosure Vulnerability

 

365 (15 CVEs)

Critical severity
CVE-2026-40358 Microsoft Office Remote Code Execution Vulnerability
CVE-2026-40361 Microsoft Word Remote Code Execution Vulnerability
CVE-2026-40363 Microsoft Office Remote Code Execution Vulnerability
CVE-2026-40364 Microsoft Word Remote Code Execution Vulnerability
CVE-2026-40367 Microsoft Word Remote Code Execution Vulnerability
Important severity
CVE-2026-35436 Microsoft Office Click-To-Run Elevation of Privilege Vulnerability
CVE-2026-35440 Microsoft Word Information Disclosure Vulnerability
CVE-2026-40359 Microsoft Excel Remote Code Execution Vulnerability
CVE-2026-40360 Microsoft Excel Information Disclosure Vulnerability
CVE-2026-40362 Microsoft Excel Remote Code Execution Vulnerability
CVE-2026-40366 Microsoft Word Remote Code Execution Vulnerability
CVE-2026-40418 Microsoft Office Click-To-Run Elevation of Privilege Vulnerability
CVE-2026-40419 Microsoft Office Click-To-Run Elevation of Privilege Vulnerability
CVE-2026-40420 Microsoft Office Click-To-Run Tampering Vulnerability
CVE-2026-40421 Microsoft Word Information Disclosure Vulnerability

 

Azure (15 CVEs)

Critical severity
CVE-2026-32207 Azure Machine Learning Notebook Spoofing Vulnerability
CVE-2026-33109 Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability
CVE-2026-33844 Azure Managed Instance for Apache Cassandra Remote Code Execution Vulnerability
CVE-2026-35428 Azure Cloud Shell Spoofing Vulnerability
CVE-2026-35435 Azure AI Foundry Elevation of Privilege Vulnerability
CVE-2026-40379 Microsoft Enterprise Security Token Service (ESTS) Spoofing Vulnerability
CVE-2026-41105 Azure Monitor Action Group Notification System Elevation of Privilege Vulnerability
CVE-2026-42826 Azure DevOps Information Disclosure Vulnerability
Important severity
CVE-2026-32204 Azure Monitor Agent Elevation of Privilege Vulnerability
CVE-2026-33117 Azure SDK for Java Security Feature Bypass Vulnerability
CVE-2026-33833 Azure Machine Learning Notebook Spoofing Vulnerability
CVE-2026-40381 Azure Connected Machine Agent Elevation of Privilege Vulnerability
CVE-2026-41086 Windows Admin Center in Azure Portal Elevation of Privilege Vulnerability
CVE-2026-42823 Azure Logic Apps Elevation of Privilege Vulnerability
CVE-2026-42830 Azure Monitor Agent Metrics Extension Elevation of Privilege Vulnerability

 

SharePoint (7 CVEs)

Critical severity
CVE-2026-40365 Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2026-40367 Microsoft Word Remote Code Execution Vulnerability
Important severity
CVE-2026-33110 Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2026-33112 Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2026-35439 Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2026-40357 Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2026-40368 Microsoft SharePoint Server Remote Code Execution Vulnerability

 

Visual Studio (7 CVEs)

Important severity
CVE-2026-32175 .NET Core Tampering Vulnerability
CVE-2026-32177 .NET Elevation of Privilege Vulnerability
CVE-2026-41109 GitHub Copilot and Visual Studio Code Security Feature Bypass Vulnerability
CVE-2026-41610 Visual Studio Code Security Feature Bypass Vulnerability
CVE-2026-41611 Visual Studio Code Remote Code Execution Vulnerability
CVE-2026-41612 Visual Studio Code Information Disclosure Vulnerability
CVE-2026-41613 Visual Studio Code Elevation of Privilege Vulnerability

 

Word (7 CVEs)

Critical severity
CVE-2026-40361 Microsoft Word Remote Code Execution Vulnerability
CVE-2026-40364 Microsoft Word Remote Code Execution Vulnerability
CVE-2026-40367 Microsoft Word Remote Code Execution Vulnerability
Important severity
CVE-2026-35440 Microsoft Word Information Disclosure Vulnerability
CVE-2026-40366 Microsoft Word Remote Code Execution Vulnerability
CVE-2026-40421 Microsoft Word Information Disclosure Vulnerability
CVE-2026-41101 Microsoft Word for Android Spoofing Vulnerability


Copilot (5 CVEs)

Critical severity
CVE-2026-26129 | M365 Copilot Information Disclosure Vulnerability
CVE-2026-26164 | M365 Copilot Information Disclosure Vulnerability
CVE-2026-33111 | Copilot Chat (Microsoft Edge) Information Disclosure Vulnerability
Important severity
CVE-2026-41100 | Microsoft 365 Copilot for Android Spoofing Vulnerability
CVE-2026-41614 | M365 Copilot for Desktop Spoofing Vulnerability


.NET (4 CVEs)

Important severity
CVE-2026-32175 | .NET Core Tampering Vulnerability
CVE-2026-32177 | .NET Elevation of Privilege Vulnerability
CVE-2026-35433 | .NET Elevation of Privilege Vulnerability
CVE-2026-42899 | ASP.NET Core Denial of Service Vulnerability


Dynamics 365 (4 CVEs)

Critical severity
CVE-2026-33821 | Microsoft Dynamics 365 Customer Insights Elevation of Privilege Vulnerability
CVE-2026-42898 | Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability
Important severity
CVE-2026-40417 | Microsoft Dynamics 365 Business Central Elevation of Privilege Vulnerability
CVE-2026-42833 | Microsoft Dynamics 365 On-Premises Remote Code Execution Vulnerability

 

Excel (4 CVEs)

Important severity
CVE-2026-40359 | Microsoft Excel Remote Code Execution Vulnerability
CVE-2026-40360 | Microsoft Excel Information Disclosure Vulnerability
CVE-2026-40362 | Microsoft Excel Remote Code Execution Vulnerability
CVE-2026-42832 | Microsoft Excel Spoofing Vulnerability

 

Teams (2 CVEs)

Critical severity
CVE-2026-33823 | Microsoft Team Events Portal Information Disclosure Vulnerability
Important severity
CVE-2026-32185 | Microsoft Teams Spoofing Vulnerability


Confluence / Jira (1 CVE)

Critical severity
CVE-2026-41103 | Microsoft SSO Plugin for Jira & Confluence Elevation of Privilege Vulnerability

 

Data Formulator (1 CVE)

Important severity
CVE-2026-41094 | Microsoft Data Formulator Remote Code Execution Vulnerability

 

Outlook (1 CVE)

Important severity
CVE-2026-42893 | Microsoft Outlook for iOS Tampering Vulnerability

 

Partner Center (1 CVE)

Critical severity
CVE-2026-34327 | Microsoft Partner Center Spoofing Vulnerability

 

Power Automate (1 CVE)

Important severity
CVE-2026-40374 | Microsoft Power Automate Desktop Information Disclosure Vulnerability

 

PowerPoint (1 CVE)

Important severity
CVE-2026-41102 | Microsoft PowerPoint for Android Spoofing Vulnerability

 

SQL (1 CVE)

Important severity
CVE-2026-40370 | SQL Server Remote Code Execution Vulnerability

 

Windows Admin Center (1 CVE)

Important severity
CVE-2026-35438 | Windows Admin Center Elevation of Privilege Vulnerability

 

Appendix D: Advisories and Other Products

There are 131 Edge-related advisories listed in May’s release, all but five from Chrome. Because the CVEs from Microsoft were (like the Chrome CVEs) patched before Patch Tuesday, and because this post is already shockingly long, we have massed all of them together in the very long table below.

 

CVE-2026-7896 | Chromium: CVE-2026-7896 Integer overflow in Blink
CVE-2026-7897 | Chromium: CVE-2026-7897 Use after free in Mobile
CVE-2026-7898 | Chromium: CVE-2026-7898 Use after free in Chromoting
CVE-2026-7899 | Chromium: CVE-2026-7899 Out of bounds read and write in V8
CVE-2026-7900 | Chromium: CVE-2026-7900 Heap buffer overflow in ANGLE
CVE-2026-7901 | Chromium: CVE-2026-7901 Use after free in ANGLE
CVE-2026-7902 | Chromium: CVE-2026-7902 Out of bounds memory access in V8
CVE-2026-7903 | Chromium: CVE-2026-7903 Integer overflow in ANGLE
CVE-2026-7904 | Chromium: CVE-2026-7904 Out of bounds read in Fonts
CVE-2026-7905 | Chromium: CVE-2026-7905 Insufficient validation of untrusted input in Media
CVE-2026-7906 | Chromium: CVE-2026-7906 Use after free in SVG
CVE-2026-7907 | Chromium: CVE-2026-7907 Use after free in DOM
CVE-2026-7908 | Chromium: CVE-2026-7908 Use after free in Fullscreen
CVE-2026-7909 | Chromium: CVE-2026-7909 Inappropriate implementation in ServiceWorker
CVE-2026-7910 | Chromium: CVE-2026-7910 Use after free in Views
CVE-2026-7911 | Chromium: CVE-2026-7911 Use after free in Aura
CVE-2026-7912 | Chromium: CVE-2026-7912 Integer overflow in GPU
CVE-2026-7913 | Chromium: CVE-2026-7913 Insufficient policy enforcement in DevTools
CVE-2026-7914 | Chromium: CVE-2026-7914 Type Confusion in Accessibility
CVE-2026-7915 | Chromium: CVE-2026-7915 Insufficient data validation in DevTools
CVE-2026-7916 | Chromium: CVE-2026-7916 Insufficient data validation in InterestGroups
CVE-2026-7917 | Chromium: CVE-2026-7917 Use after free in Fullscreen
CVE-2026-7918 | Chromium: CVE-2026-7918 Use after free in GPU
CVE-2026-7919 | Chromium: CVE-2026-7919 Use after free in Aura
CVE-2026-7920 | Chromium: CVE-2026-7920 Use after free in Skia
CVE-2026-7921 | Chromium: CVE-2026-7921 Use after free in Passwords
CVE-2026-7922 | Chromium: CVE-2026-7922 Use after free in ServiceWorker
CVE-2026-7923 | Chromium: CVE-2026-7923 Out of bounds write in Skia
CVE-2026-7924 | Chromium: CVE-2026-7924 Uninitialized Use in Dawn
CVE-2026-7925 | Chromium: CVE-2026-7925 Use after free in Chromoting
CVE-2026-7926 | Chromium: CVE-2026-7926 Use after free in PresentationAPI
CVE-2026-7927 | Chromium: CVE-2026-7927 Type Confusion in Runtime
CVE-2026-7928 | Chromium: CVE-2026-7928 Use after free in WebRTC
CVE-2026-7929 | Chromium: CVE-2026-7929 Use after free in MediaRecording
CVE-2026-7930 | Chromium: CVE-2026-7930 Insufficient validation of untrusted input in Cookies
CVE-2026-7931 | Chromium: CVE-2026-7931 Insufficient validation of untrusted input in iOS
CVE-2026-7932 | Chromium: CVE-2026-7932 Insufficient policy enforcement in Downloads
CVE-2026-7933 | Chromium: CVE-2026-7933 Out of bounds read in WebCodecs
CVE-2026-7934 | Chromium: CVE-2026-7934 Insufficient validation of untrusted input in Popup Blocker
CVE-2026-7935 | Chromium: CVE-2026-7935 Inappropriate implementation in Speech
CVE-2026-7936 | Chromium: CVE-2026-7936 Object lifecycle issue in V8
CVE-2026-7937 | Chromium: CVE-2026-7937 Insufficient policy enforcement in DevTools
CVE-2026-7938 | Chromium: CVE-2026-7938 Use after free in CSS
CVE-2026-7939 | Chromium: CVE-2026-7939 Inappropriate implementation in SanitizerAPI
CVE-2026-7940 | Chromium: CVE-2026-7940 Use after free in V8
CVE-2026-7941 | Chromium: CVE-2026-7941 Insufficient validation of untrusted input in Mobile
CVE-2026-7942 | Chromium: CVE-2026-7942 Integer overflow in ANGLE
CVE-2026-7943 | Chromium: CVE-2026-7943 Insufficient validation of untrusted input in ANGLE
CVE-2026-7944 | Chromium: CVE-2026-7944 Insufficient validation of untrusted input in Persistent Cache
CVE-2026-7945 | Chromium: CVE-2026-7945 Insufficient validation of untrusted input in COOP
CVE-2026-7946 | Chromium: CVE-2026-7946 Insufficient policy enforcement in WebUI
CVE-2026-7947 | Chromium: CVE-2026-7947 Insufficient validation of untrusted input in Network
CVE-2026-7948 | Chromium: CVE-2026-7948 Race in Chromoting
CVE-2026-7949 | Chromium: CVE-2026-7949 Out of bounds read in Skia
CVE-2026-7950 | Chromium: CVE-2026-7950 Out of bounds read and write in GFX
CVE-2026-7951 | Chromium: CVE-2026-7951 Out of bounds write in WebRTC
CVE-2026-7952 | Chromium: CVE-2026-7952 Insufficient policy enforcement in Extensions
CVE-2026-7953 | Chromium: CVE-2026-7953 Insufficient validation of untrusted input in Omnibox
CVE-2026-7954 | Chromium: CVE-2026-7954 Race in Shared Storage
CVE-2026-7955 | Chromium: CVE-2026-7955 Uninitialized Use in GPU
CVE-2026-7956 | Chromium: CVE-2026-7956 Use after free in Navigation
CVE-2026-7957 | Chromium: CVE-2026-7957 Out of bounds write in Media
CVE-2026-7958 | Chromium: CVE-2026-7958 Inappropriate implementation in ServiceWorker
CVE-2026-7959 | Chromium: CVE-2026-7959 Inappropriate implementation in Navigation
CVE-2026-7960 | Chromium: CVE-2026-7960 Race in Speech
CVE-2026-7961 | Chromium: CVE-2026-7961 Insufficient validation of untrusted input in Permissions
CVE-2026-7962 | Chromium: CVE-2026-7962 Insufficient policy enforcement in DirectSockets
CVE-2026-7963 | Chromium: CVE-2026-7963 Inappropriate implementation in ServiceWorker
CVE-2026-7964 | Chromium: CVE-2026-7964 Insufficient validation of untrusted input in FileSystem
CVE-2026-7965 | Chromium: CVE-2026-7965 Insufficient validation of untrusted input in DevTools
CVE-2026-7966 | Chromium: CVE-2026-7966 Insufficient validation of untrusted input in SiteIsolation
CVE-2026-7967 | Chromium: CVE-2026-7967 Insufficient validation of untrusted input in Navigation
CVE-2026-7968 | Chromium: CVE-2026-7968 Insufficient validation of untrusted input in CORS
CVE-2026-7969 | Chromium: CVE-2026-7969 Integer overflow in Network
CVE-2026-7970 | Chromium: CVE-2026-7970 Use after free in TopChrome
CVE-2026-7971 | Chromium: CVE-2026-7971 Inappropriate implementation in ORB
CVE-2026-7972 | Chromium: CVE-2026-7972 Uninitialized Use in GPU
CVE-2026-7973 | Chromium: CVE-2026-7973 Integer overflow in Dawn
CVE-2026-7974 | Chromium: CVE-2026-7974 Use after free in Blink
CVE-2026-7975 | Chromium: CVE-2026-7975 Use after free in DevTools
CVE-2026-7976 | Chromium: CVE-2026-7976 Use after free in Views
CVE-2026-7977 | Chromium: CVE-2026-7977 Inappropriate implementation in Canvas
CVE-2026-7978 | Chromium: CVE-2026-7978 Inappropriate implementation in Companion
CVE-2026-7979 | Chromium: CVE-2026-7979 Inappropriate implementation in Media
CVE-2026-7980 | Chromium: CVE-2026-7980 Use after free in WebAudio
CVE-2026-7981 | Chromium: CVE-2026-7981 Out of bounds read in Codecs
CVE-2026-7982 | Chromium: CVE-2026-7982 Uninitialized Use in WebCodecs
CVE-2026-7983 | Chromium: CVE-2026-7983 Out of bounds read in Dawn
CVE-2026-7984 | Chromium: CVE-2026-7984 Use after free in ReadingMode
CVE-2026-7985 | Chromium: CVE-2026-7985 Use after free in GPU
CVE-2026-7986 | Chromium: CVE-2026-7986 Insufficient policy enforcement in Autofill
CVE-2026-7987 | Chromium: CVE-2026-7987 Use after free in WebRTC
CVE-2026-7988 | Chromium: CVE-2026-7988 Type Confusion in WebRTC
CVE-2026-7989 | Chromium: CVE-2026-7989 Insufficient data validation in DataTransfer
CVE-2026-7990 | Chromium: CVE-2026-7990 Insufficient validation of untrusted input in Updater
CVE-2026-7991 | Chromium: CVE-2026-7991 Use after free in UI
CVE-2026-7992 | Chromium: CVE-2026-7992 Insufficient validation of untrusted input in UI
CVE-2026-7993 | Chromium: CVE-2026-7993 Insufficient validation of untrusted input in Payments
CVE-2026-7994 | Chromium: CVE-2026-7994 Inappropriate implementation in Chromoting
CVE-2026-7995 | Chromium: CVE-2026-7995 Out of bounds read in AdFilter
CVE-2026-7996 | Chromium: CVE-2026-7996 Insufficient validation of untrusted input in SSL
CVE-2026-7997 | Chromium: CVE-2026-7997 Insufficient validation of untrusted input in Updater
CVE-2026-7998 | Chromium: CVE-2026-7998 Insufficient validation of untrusted input in Dialog
CVE-2026-7999 | Chromium: CVE-2026-7999 Inappropriate implementation in V8
CVE-2026-8000 | Chromium: CVE-2026-8000 Insufficient validation of untrusted input in ChromeDriver
CVE-2026-8001 | Chromium: CVE-2026-8001 Use after free in Printing
CVE-2026-8002 | Chromium: CVE-2026-8002 Use after free in Audio
CVE-2026-8003 | Chromium: CVE-2026-8003 Insufficient validation of untrusted input in TabGroups
CVE-2026-8004 | Chromium: CVE-2026-8004 Insufficient policy enforcement in DevTools
CVE-2026-8005 | Chromium: CVE-2026-8005 Insufficient validation of untrusted input in Cast
CVE-2026-8006 | Chromium: CVE-2026-8006 Insufficient policy enforcement in DevTools
CVE-2026-8007 | Chromium: CVE-2026-8007 Insufficient validation of untrusted input in Cast
CVE-2026-8008 | Chromium: CVE-2026-8008 Inappropriate implementation in DevTools
CVE-2026-8009 | Chromium: CVE-2026-8009 Inappropriate implementation in Cast
CVE-2026-8010 | Chromium: CVE-2026-8010 Insufficient validation of untrusted input in SiteIsolation
CVE-2026-8011 | Chromium: CVE-2026-8011 Insufficient policy enforcement in Search
CVE-2026-8012 | Chromium: CVE-2026-8012 Inappropriate implementation in MHTML
CVE-2026-8013 | Chromium: CVE-2026-8013 Insufficient validation of untrusted input in FedCM
CVE-2026-8014 | Chromium: CVE-2026-8014 Inappropriate implementation in Preload
CVE-2026-8015 | Chromium: CVE-2026-8015 Inappropriate implementation in Media
CVE-2026-8016 | Chromium: CVE-2026-8016 Use after free in WebRTC
CVE-2026-8017 | Chromium: CVE-2026-8017 Side-channel information leakage in Media
CVE-2026-8018 | Chromium: CVE-2026-8018 Insufficient policy enforcement in DevTools
CVE-2026-8019 | Chromium: CVE-2026-8019 Insufficient policy enforcement in WebApp
CVE-2026-8020 | Chromium: CVE-2026-8020 Uninitialized Use in GPU
CVE-2026-8021 | Chromium: CVE-2026-8021 Script injection in UI
CVE-2026-8022 | Chromium: CVE-2026-8022 Inappropriate implementation in MHTML
CVE-2026-35429 | Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability
CVE-2026-40416 | Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability
CVE-2026-41107 | Microsoft Edge (Chromium-based) Information Disclosure Vulnerability
CVE-2026-42838 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability
CVE-2026-42891 | Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability


Meanwhile, there are 13 updates from Adobe, all affecting Adobe Commerce - 2.4.9, 2.4.8-p5, 2.4.7-p10, 2.4.6-p15, 2.4.5-p17, 2.4.4-p18. These are collectively addressed as APSB26-49.

CVE-2026-34645 | Incorrect Authorization (CWE-863)
CVE-2026-34646 | Incorrect Authorization (CWE-863)
CVE-2026-34647 | Server-Side Request Forgery (SSRF) (CWE-918)
CVE-2026-34648 | Uncontrolled Resource Consumption (CWE-400)
CVE-2026-34649 | Uncontrolled Resource Consumption (CWE-400)
CVE-2026-34650 | Uncontrolled Resource Consumption (CWE-400)
CVE-2026-34651 | Uncontrolled Resource Consumption (CWE-400)
CVE-2026-34652 | Dependency on Vulnerable Third-Party Component (CWE-1395)
CVE-2026-34653 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
CVE-2026-34654 | Dependency on Vulnerable Third-Party Component (CWE-1395)
CVE-2026-34655 | Cross-site Scripting (Stored XSS) (CWE-79)
CVE-2026-34656 | Improper Authorization (CWE-285)
CVE-2026-34658 | Cross-site Scripting (Stored XSS) (CWE-79)

 

Microsoft also issued the usual servicing stack updates this month (ADV990000).

Finally, there is one Important-severity CVE from AMD (CVE-2025-54518, CPU OP Cache Corruption) in this month’s set; we have covered it elsewhere in this post, including in the table below. Microsoft is releasing advisory information on this issue to state that the latest builds of Windows protect against this cache-corruption vulnerability.

Appendix E: Affected Windows Server versions

This is a table of 66 CVEs in the May release affecting Windows Server versions 2012 through 2025. The table differentiates among major versions of the platform but doesn’t go into deeper detail (e.g., Server Core). An “x” indicates that the CVE does not apply to that version. We include the Important-severity, Windows-touching advisory from AMD, since the Server versions it affects are known; those are indicated in this chart in blue.

Administrators are encouraged to use this appendix as a starting point to ascertain their specific exposure, as each reader’s situation, especially as it concerns products out of mainstream support, will vary. For specific Knowledge Base numbers, please consult Microsoft. 

CVE

S-12

12r2

S-16

S-19

S-22

23h2

S-25

CVE-2025-54518

×

×

CVE-2026-21530

CVE-2026-32161

CVE-2026-32170

CVE-2026-32209

CVE-2026-33834

CVE-2026-33835

×

×

×

CVE-2026-33837

CVE-2026-33838

CVE-2026-33839

×

×

×

CVE-2026-33840

×

×

×

×

×

×

CVE-2026-33841

×

×

×

×

CVE-2026-34329

CVE-2026-34330

CVE-2026-34331

CVE-2026-34332

×

×

×

×

×

×

CVE-2026-34333

CVE-2026-34334

CVE-2026-34336

×

×

CVE-2026-34337

×

×

×

CVE-2026-34338

CVE-2026-34339

×

×

CVE-2026-34340

×

×

×

CVE-2026-34341

CVE-2026-34342

CVE-2026-34343

CVE-2026-34344

CVE-2026-34345

×

×

CVE-2026-34347

CVE-2026-34350

×

×

×

×

×

×

CVE-2026-34351

CVE-2026-35415

×

CVE-2026-35416

CVE-2026-35417

×

×

×

CVE-2026-35418

×

×

×

CVE-2026-35419

×

×

×

×

×

×

CVE-2026-35420

CVE-2026-35421

CVE-2026-35422

CVE-2026-35423

CVE-2026-35424

CVE-2026-40369

×

×

×

×

×

×

CVE-2026-40377

CVE-2026-40380

CVE-2026-40382

CVE-2026-40397

CVE-2026-40398

CVE-2026-40399

×

×

CVE-2026-40401

CVE-2026-40402

×

×

×

×

×

×

CVE-2026-40403

CVE-2026-40405

×

×

×

×

×

×

CVE-2026-40406

CVE-2026-40407

CVE-2026-40408

CVE-2026-40410

×

CVE-2026-40413

CVE-2026-40414

CVE-2026-40415

×

×

×

CVE-2026-41088

×

×

×

×

CVE-2026-41089

CVE-2026-41095

×

CVE-2026-41096

×

×

×

×

×

CVE-2026-41097

×

×

×

CVE-2026-42825

CVE-2026-42896

×

×

×

×

×

×

 

Appendix F: Common Weakness Enumeration

As mentioned above, Microsoft now states which CWEs affect the CVEs they address. This month, we looked at which CWEs were most heavily represented in the dataset and compared them to last month’s inaugural numbers. The May dataset of 132 CVEs gave us 152 CWEs overall; 17 CVEs had two CWEs, and 3 had three CWEs. There were 49 unique CWEs, slightly more than last month’s 42. Once again CWE-416, Use After Free, leads the pack, though it accounts for just 18.42 percent of vulnerabilities rather than the commanding 28.57 percent in April’s haul. With just two months’ worth of data it’s too early to identify significant patterns yet, but we once again find ourselves looking at CWE-835 -- Loop with Unreachable Exit Condition ('Infinite Loop') and asking why the number for that couldn’t be either zero (0) or a sideways eight (∞).

 

CWE | Count | CWE Name
416 | 28 | Use After Free
122 | 18 | Heap-based Buffer Overflow
284 | 13 | Improper Access Control
362 | 8 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
476 | 6 | NULL Pointer Dereference
502 | 5 | Deserialization of Untrusted Data
190 | 5 | Integer Overflow or Wraparound
415 | 4 | Double Free
200 | 4 | Exposure of Sensitive Information to an Unauthorized Actor
125 | 4 | Out-of-bounds Read
77 | 4 | Improper Neutralization of Special Elements used in a Command ('Command Injection')
73 | 4 | External Control of File Name or Path
843 | 3 | Access of Resource Using Incompatible Type ('Type Confusion')
74 | 3 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
20 | 3 | Improper Input Validation
1220 | 2 | Insufficient Granularity of Access Control
822 | 2 | Untrusted Pointer Dereference
552 | 2 | Files or Directories Accessible to External Parties
121 | 2 | Stack-based Buffer Overflow
94 | 2 | Improper Control of Generation of Code ('Code Injection')
79 | 2 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
1390 | 1 | Weak Authentication
1329 | 1 | Reliance on Component That is Not Updateable
918 | 1 | Server-Side Request Forgery (SSRF)
908 | 1 | Use of Uninitialized Resource
862 | 1 | Missing Authorization
835 | 1 | Loop with Unreachable Exit Condition ('Infinite Loop')
610 | 1 | Externally Controlled Reference to a Resource in Another Sphere
426 | 1 | Untrusted Search Path
401 | 1 | Missing Release of Memory after Effective Lifetime
384 | 1 | Session Fixation
367 | 1 | Time-of-check Time-of-use (TOCTOU) Race Condition
347 | 1 | Improper Verification of Cryptographic Signature
303 | 1 | Incorrect Implementation of Authentication Algorithm
288 | 1 | Authentication Bypass Using an Alternate Path or Channel
287 | 1 | Improper Authentication
285 | 1 | Improper Authorization
269 | 1 | Improper Privilege Management
250 | 1 | Execution with Unnecessary Privileges
197 | 1 | Numeric Truncation Error
191 | 1 | Integer Underflow (Wrap or Wraparound)
138 | 1 | Improper Neutralization of Special Elements
126 | 1 | Buffer Over-read
80 | 1 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
78 | 1 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
59 | 1 | Improper Link Resolution Before File Access ('Link Following')
36 | 1 | Absolute Path Traversal
23 | 1 | Relative Path Traversal
22 | 1 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')