
May’s Patch Tuesday hauls out 132 CVEs

Microsoft's May 2026 Patch Tuesday release addresses 132 CVEs, including 29 Critical vulnerabilities and 14 with a CVSS score of 9.0 or higher. Key threats include a critical authentication bypass in the Microsoft SSO Plugin for Jira & Confluence, unauthorized RCEs in Windows Netlogon and DNS Client, and multiple Office RCEs exploitable via the Preview Pane.

Sens: 24h · Conf: high · Analyzed: 2026-05-13

Authors: Angela Gunn

Source: Sophos

IOCs · 14


What Happened

Microsoft has released its monthly security updates for May 2026, fixing 132 security flaws across its products. While none of these flaws are currently known to be exploited by hackers, 29 are considered critical and 13 are highly likely to be targeted in the next 30 days. This matters because attackers could use these vulnerabilities to take control of systems, bypass logins, or steal information without user interaction. Organizations should apply these updates immediately, prioritizing critical systems and internet-facing services.

Key Takeaways

  • Microsoft's May 2026 Patch Tuesday addresses 132 CVEs across 20 product families, with 29 rated Critical.
  • 13 vulnerabilities are expected to be exploited within the next 30 days, though none were publicly disclosed or exploited prior to release.
  • A critical authentication bypass (CVE-2026-41103) affects the Microsoft SSO Plugin for Jira & Confluence.
  • Critical, unauthorized Remote Code Execution (RCE) vulnerabilities exist in Windows Netlogon (CVE-2026-41089) and DNS Client (CVE-2026-41096).
  • Six Office RCE vulnerabilities can be exploited simply via the Preview Pane.

Affected Systems

  • Windows (including Server 2012 through 2025)
  • Microsoft Office (Word, Excel, PowerPoint)
  • Microsoft Edge (Chromium-based)
  • Azure (DevOps, Logic Apps, Cloud Shell)
  • SharePoint Server
  • Visual Studio Code
  • Adobe Commerce
  • Jira and Confluence (via Microsoft SSO Plugin)

Vulnerabilities (CVEs)

  • CVE-2026-41103
  • CVE-2026-41089
  • CVE-2026-41096
  • CVE-2026-40358
  • CVE-2026-40361
  • CVE-2026-40363
  • CVE-2026-40364
  • CVE-2026-40366
  • CVE-2026-40367
  • CVE-2026-35432
  • CVE-2026-42826
  • CVE-2026-33109
  • CVE-2026-42823
  • CVE-2026-42898

Attack Chain

The article details multiple vulnerability classes that could be leveraged at different stages of an attack. Initial access or privilege escalation could be achieved by exploiting the Jira/Confluence SSO plugin (CVE-2026-41103) to bypass authentication and sign in as a valid user. Client-side execution could be triggered by sending maliciously crafted files to victims, which execute code automatically when viewed in the Microsoft Office Preview Pane (e.g., CVE-2026-40361). Furthermore, network-level attacks could leverage unauthorized RCE vulnerabilities in Windows Netlogon (CVE-2026-41089) or DNS Client (CVE-2026-41096) to compromise systems and move laterally without user interaction.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: Yes
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No
  • Platforms: Sophos IPS

Sophos provides IPS signatures (e.g., sid:2312491, sid:2312495) and endpoint protections for several of the highlighted vulnerabilities.

Detection Engineering Assessment

  • EDR Visibility: Medium. EDR can detect post-exploitation behaviors such as child processes spawning from Office applications, but may not catch the initial network-level exploitation of Netlogon or DNS Client without specific network telemetry.
  • Network Visibility: High. Network sensors and IPS are critical for detecting exploits against Netlogon, DNS Client, and SSO authentication bypasses.
  • Detection Difficulty: Moderate. While patches are available, detecting zero-day or N-day exploitation requires robust IPS signatures and behavioral monitoring for Office applications.

Required Log Sources

  • Network IDS/IPS
  • Windows Event Logs (Security)
  • Application Logs (Jira/Confluence)

Hunting Hypotheses

Hypothesis 1: Consider hunting for unusual child processes spawning from Microsoft Word or Excel, particularly if the parent process was interacting with the Preview Pane, which may indicate exploitation of CVE-2026-40361 or similar RCEs.
  • Telemetry: Process creation events (Event ID 4688 or Sysmon Event ID 1)
  • ATT&CK Stage: Execution
  • FP Risk: Low

Hypothesis 2: If you have visibility into SSO authentication logs, consider monitoring for anomalous login patterns or bypass attempts targeting Jira and Confluence integrations.
  • Telemetry: Application authentication logs
  • ATT&CK Stage: Initial Access
  • FP Risk: Medium
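The first hypothesis can be turned into a small hunt over process-creation telemetry. The script below is an added example, not code from the Sophos article or from this summary. It reads constructed Sysmon Event ID 1 records exported as JSON lines (field names Image, ParentImage, CommandLine, User, UtcTime, Computer follow the Sysmon schema; the same logic applies to Event ID 4688 after renaming "New Process Name" and "Creator Process Name"), flags any child of Word, Excel or PowerPoint that is not on a benign allowlist, and rates script hosts and other living-off-the-land binaries as high severity. The allowlist and the high-signal list are assumed starting points to tune per fleet, and treating prevhost.exe (Explorer's preview-handler host) as an Office-style parent is an assumption to validate against your own telemetry.

```python
import json
from pathlib import PureWindowsPath

# Office binaries named in the hypothesis, plus prevhost.exe: Windows Explorer
# hosts preview handlers (including Office's) in prevhost.exe, so a child
# spawned from it while a document is previewed is equally interesting.
# Assumption: validate the prevhost.exe entry against your own telemetry.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "prevhost.exe"}

# Children Office launches routinely; a constructed baseline, tune it per fleet.
BENIGN_CHILDREN = {"splwow64.exe", "officeclicktorun.exe", "dw20.exe"}

# Script hosts and LOLBins whose appearance under Office is rarely benign.
HIGH_SIGNAL_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe",
}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path ('C:\\X\\WINWORD.EXE' -> 'winword.exe')."""
    return PureWindowsPath(path).name.lower()


def assess_event(event: dict):
    """Return a finding for one Sysmon Event ID 1 record, or None if uninteresting."""
    if event.get("EventID") != 1:
        return None  # only process-creation events carry a parent/child pair
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or child in BENIGN_CHILDREN:
        return None
    return {
        "time": event.get("UtcTime"),
        "host": event.get("Computer"),
        "user": event.get("User"),
        "parent": parent,
        "child": child,
        "command": event.get("CommandLine", ""),
        "severity": "high" if child in HIGH_SIGNAL_CHILDREN else "medium",
    }


def hunt(lines):
    """Run assess_event over JSON-lines input, skipping blank or malformed records."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # a bad line must not abort the whole hunt
        finding = assess_event(event)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample records in Sysmon Event ID 1 field naming; none are real.
SAMPLE_EVENTS = [
    r'{"EventID": 1, "UtcTime": "2026-05-13 09:14:02.117", "Computer": "ws-104.corp.example", "User": "CORP\\jdoe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -w hidden -c <constructed placeholder>", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}',
    r'{"EventID": 1, "UtcTime": "2026-05-13 09:15:40.002", "Computer": "ws-104.corp.example", "User": "CORP\\jdoe", "Image": "C:\\Windows\\splwow64.exe", "CommandLine": "C:\\Windows\\splwow64.exe 12288", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE"}',
    r'{"EventID": 3, "UtcTime": "2026-05-13 09:15:41.310", "Computer": "ws-104.corp.example", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "DestinationPort": 443}',
    r'{"EventID": 1, "UtcTime": "2026-05-13 09:22:18.554", "Computer": "ws-211.corp.example", "User": "CORP\\asmith", "Image": "C:\\Users\\asmith\\AppData\\Local\\Temp\\update.exe", "CommandLine": "update.exe", "ParentImage": "C:\\Windows\\System32\\prevhost.exe"}',
    "this line is not JSON and must be skipped",
]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f'[{f["severity"]:<6}] {f["time"]} {f["host"]} {f["user"]}: '
              f'{f["parent"]} -> {f["child"]}  {f["command"]}')
```

On the constructed input the hunt yields two findings: the PowerShell child of WINWORD.EXE (high) and an unknown executable under prevhost.exe (medium); the benign print helper, the network event and the malformed line are dropped. Allowlisting by child name alone is deliberately coarse, so in production pair it with the command line and the signer of the child image before deciding the FP risk really is low.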

Control Gaps

  • Lack of network segmentation for Netlogon/DNS
  • Unrestricted Preview Pane usage in email clients

Key Behavioral Indicators

  • Unexpected child processes from Office applications
  • Anomalous Netlogon traffic patterns

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and patch management procedures before acting.
  • Prioritize patching critical vulnerabilities, especially CVE-2026-41103, CVE-2026-41089, and CVE-2026-41096.
  • Apply Adobe Commerce and Chromium Edge updates if utilized in your environment.

Infrastructure Hardening

  • Evaluate whether network segmentation can restrict access to critical services like Netlogon and DNS.
  • Consider disabling the Preview Pane in Windows Explorer and Microsoft Outlook to mitigate Office RCE vulnerabilities.

User Protection

  • Ensure endpoint protection platforms are updated with the latest IPS signatures to block known exploit attempts.

Security Awareness

  • Remind users to exercise caution when opening attachments or previewing documents from untrusted sources.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1203 - Exploitation for Client Execution
  • T1068 - Exploitation for Privilege Escalation