Microsoft's May 2026 Patch Tuesday Addresses 118 CVEs (CVE-2026-41103)
Tenable, Tuesday, May 12th, 2026
Microsoft released 118 CVE patches in May 2026 with 16 critical and 102 important vulnerabilities, with no zero-days exploited in the wild.
Microsoft's May 2026 Patch Tuesday addressed 118 CVEs, including 16 critical and 102 important vulnerabilities, marking the first month without exploited zero-days since June 2024. The patches covered numerous Microsoft products and Windows components, with elevation of privilege vulnerabilities accounting for 48.3% and remote code execution vulnerabilities at 24.6%.
Notable critical vulnerabilities included CVE-2026-41103 affecting Microsoft SSO Plugin for Jira & Confluence with a CVSS score of 9.1, multiple Windows Kernel EoP flaws, four Microsoft Word RCE vulnerabilities, and CVE-2026-41089 in Windows Netlogon with a near-perfect CVSS score of 9.8. Tenable recommends patching systems immediately and regularly scanning environments to identify unpatched systems.