Microsoft May 2026 Patch Tuesday: 137 Microsoft CVEs disclosed; 13 flagged as likely exploitation targets

Answer Brief

Microsoft’s May 12, 2026 Patch Tuesday release disclosed 137 CVEs across Microsoft products (down from 165 the prior month, per iThome). Including third‑party component fixes Microsoft shipped, the total reaches 265 vulnerabilities. iThome highlights 13 vulnerabilities Microsoft assessed as more likely to be targeted by attackers; most are elevation-of-privilege issues across Windows components, plus two Word remote code execution bugs. Four of the 13 are rated Critical, and the highest CVSS score called out is 9.1 for a Microsoft Single Sign-On (SSO) plugin used with Jira and Confluence.

Why It Matters

This Taiwan-based reporting matters for global security and infrastructure teams because it spotlights how Microsoft is prioritizing “more likely to be exploited” vulnerabilities—an increasingly important signal when organizations must triage patching across Windows endpoints, servers, and identity-integrated plugins.

According to iThome’s summary of Microsoft’s May 2026 Patch Tuesday, the 13 vulnerabilities Microsoft flagged as likely exploitation targets are dominated by elevation-of-privilege (EoP) issues. The affected areas span core Windows and networking surfaces—Cloud Files Mini Filter Driver, TCP/IP, Win32k (kernel-mode driver), the Ancillary Function Driver for WinSock, the Common Log File System (CLFS) driver, and Remote Desktop Services. These components are operationally sensitive because EoP bugs are commonly chained to turn initial access (from phishing, stolen credentials, or exposed services) into full control of a host.

Two of the 13 are remote code execution (RCE) issues in Microsoft Word (CVE-2026-40361 and CVE-2026-40364), which keeps document-borne execution risk on the radar for security teams managing email and endpoint exposure.

A notable cross-ecosystem risk highlighted by iThome is CVE-2026-41103, rated 9.1 (CVSS) and described as affecting Microsoft’s Single Sign-On (SSO) plugin used with Jira and Confluence. Even without additional exploit details in the source, this is an important identity-and-collaboration junction: Jira and Confluence are high-value internal systems for engineering, IT, and incident response documentation, and SSO components sit directly on authentication flows. iThome also lists Azure AI Foundry among impacted products for the “likely to be exploited” set, signaling that AI platform components are now appearing in mainstream monthly vulnerability prioritization, not just niche advisories.

Overall, the release underscores a practical triage pattern: prioritize Microsoft’s “likely exploitation” list (13 items in this report) and especially the subset rated Critical (four CVEs: CVE-2026-35435, CVE-2026-40361, CVE-2026-40364, CVE-2026-41103), then expand to broader patch coverage given the total vulnerability count when third-party components are included.
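The triage pattern described above, as an added example that is not code from the original report, from iThome, or from Microsoft: a small Python ranker that orders CVE records by Microsoft's "likely exploited" flag first, the Critical subset within that flagged set ahead of the rest, and then the broader patch set. The four Critical IDs and the 9.1 score come from the report; the CVE-2026-PLACEHOLDER-* entries, every CVSS value other than 9.1, and the product names attached to unscored entries are constructed for illustration, and ordering by CVSS inside a tier is an assumed generalization of the report's pattern.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Cve:
    cve_id: str
    severity: str            # Microsoft severity rating, e.g. "Critical" or "Important"
    likely_exploited: bool   # Microsoft's "exploitation more likely" assessment
    cvss: Optional[float]    # None when the report gives no score
    product: str


def triage_tier(c: Cve) -> int:
    """Tier 0: flagged as likely exploited AND rated Critical (patch first).
    Tier 1: flagged as likely exploited, any other severity.
    Tier 2: everything else (the broader patch set)."""
    if c.likely_exploited:
        return 0 if c.severity == "Critical" else 1
    return 2


def triage_order(cves: Iterable[Cve]) -> List[Cve]:
    """Sort by tier, then highest CVSS first; entries with no known score sort
    after scored ones in their tier, and CVE id breaks ties reproducibly."""
    def key(c: Cve):
        score = -c.cvss if c.cvss is not None else 1.0  # unknown -> after any known
        return (triage_tier(c), score, c.cve_id)
    return sorted(cves, key=key)


def tier_counts(cves: Iterable[Cve]) -> dict:
    counts = {0: 0, 1: 0, 2: 0}
    for c in cves:
        counts[triage_tier(c)] += 1
    return counts


# Constructed sample: real IDs/scores from the report, placeholders elsewhere.
SAMPLE = [
    Cve("CVE-2026-40361", "Critical", True, None, "Microsoft Word (RCE)"),
    Cve("CVE-2026-41103", "Critical", True, 9.1, "Microsoft SSO plugin for Jira/Confluence"),
    Cve("CVE-2026-PLACEHOLDER-2", "Important", False, 8.8, "third-party component (constructed)"),
    Cve("CVE-2026-40364", "Critical", True, None, "Microsoft Word (RCE)"),
    Cve("CVE-2026-PLACEHOLDER-1", "Important", True, 7.8, "Windows kernel driver (constructed)"),
    Cve("CVE-2026-35435", "Critical", True, None, "product not stated in report"),
]

if __name__ == "__main__":
    for c in triage_order(SAMPLE):
        print(triage_tier(c), c.cve_id, c.severity, c.cvss, c.product)
```

Note that the unflagged placeholder with CVSS 8.8 still lands in the last tier: the report's pattern puts Microsoft's exploitation assessment ahead of raw score.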

Event Type: policy
Importance: high

Affected Companies

  • Atlassian
  • Microsoft

Affected Sectors

  • Cloud Security
  • Collaboration Platforms
  • Cybersecurity
  • Enterprise Software
  • IT Operations

Key Numbers

  • Microsoft CVEs disclosed (May 2026): 137
  • Prior month Microsoft CVEs disclosed (April 2026): 165
  • Total vulnerabilities including third-party components: 265
  • Vulnerabilities Microsoft flagged as likely exploitation targets: 13
  • Critical-rated among the 13: 4
  • Highest CVSS mentioned: 9.1 (CVE-2026-41103)

Timeline

  1. Microsoft releases May 2026 Patch Tuesday security updates; 137 Microsoft CVEs disclosed (per iThome).
  2. iThome publishes analysis summarizing totals and calling out 13 vulnerabilities Microsoft believes are likely to be targeted.

Sources
