Microsoft May 2026 Patch Tuesday fixes 120 flaws, no zero-days - BleepingComputer

Today is Microsoft's May 2026 Patch Tuesday, with security updates for 120 flaws and no zero-days disclosed. This Patch Tuesday addresses 17 "Critical" vulnerabilities, 14 of which are remote code execution, 2 are elevation of privilege, and 1 is an information disclosure flaw. The number of bugs in each vulnerability category is listed below: When BleepingComputer reports on Patch Tuesday security updates, we only count those released by Microsoft today. Therefore, the number of flaws does not include flaws in Mariner, Azure, Copilot, Microsoft Teams, and Microsoft Partner Center that were fixed by Microsoft earlier this month. There were also 131 Microsoft Edge/Chromium flaws that were fixed by Google this month, which were excluded. To learn more about the non-security updates released today, you can review our dedicated articles on the Windows 11 KB5089549 & KB5087420 cumulative updates and the Windows 10 KB5087544 extended security update. Microsoft has not disclosed any zero-day vulnerabilities in this month's Patch Tuesday. However, there are some vulnerabilities fixed today that IT and security admins should be aware of. As part of today's updates, Microsoft has fixed numerous vulnerabilities in Microsoft Office, Word, and Excel that could lead to remote code execution. These flaws are exploited by opening malicious files, which can result in remote code execution. As many of these can be exploited via the preview pane, it is strongly advised to update Microsoft Office as soon as possible, especially if they commonly receive attachments. A list of the Microsoft Office, Word, and Excel flaws can be found in our May 2026 Patch Tuesday report. Other vendors who released updates or advisories in May 2026 include: Below is the complete list of resolved vulnerabilities in the May 2026 Patch Tuesday updates. To access the full description of each vulnerability and the systems it affects, you can view the full report here. AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming. At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what's exploitable, proves controls hold, and closes the remediation loop. Microsoft April 2026 Patch Tuesday fixes 167 flaws, 2 zero-days Microsoft March 2026 Patch Tuesday fixes 2 zero-days, 79 flaws Microsoft releases Windows 10 KB5087544 extended security update Windows 11 KB5089549 & KB5087420 cumulative updates released Microsoft releases Windows 10 KB5082200 extended security update